Introduction
On Wednesday, October 26th, 2022, the International Organization for Standardization (ISO) released the long-awaited revised edition of the ISO 27001 standard. In general, the new version is a bit of a letdown, with few material changes other than those in Annex A, which were previewed by February's release of ISO 27002:2022, the new implementation guidance for the ISO 27001 controls.
This article is intended for ISO 27001 practitioners who are familiar with, and actively using, the ISO 27001 standard to build or operate an information security management system (ISMS). It has been written to help that audience quickly understand what has changed between the 2013 release and the 2022 version of the standard, without having to repeat the line-by-line review that was done to prepare this article. It will make more sense if you have a copy of the standard on hand while reading the detailed analysis below, but that is not necessary. This article should not be considered a primer on the standard, as it only highlights changes. Clauses 1 and 2 of the standard (Scope and Normative references) are administrative only and are not addressed; the review below starts at Clause 3.
If during your review of the article you find any inaccuracies or erroneous information, kindly leave us a note and we will review and amend the article so that it remains a valuable resource for others. Please note that comments on articles in the Information Security Leadership Forum are restricted to members of the Forum. This was implemented to avoid spam and the added overhead of moderating such content. If you are not a member of the Forum and wish to communicate an observation, please feel free to use the contact form here.
Clause 3 – Terms and Definitions
What’s the Same
The terminology reference document remains ISO/IEC 27000. At the time of publication of this article, the current release of ISO 27000 is the 2018 edition.
What’s Different
Links have been added to the ISO and IEC online terminology databases, where a visitor can search by term.
Clause 4 – Context of the Organization
4.1 Understanding the organization and its context
What’s the Same
The control heading remains the same and the control has not changed.
What’s Different
The reference to ISO 31000 has been updated from the 2009 edition to the 2018 edition.
4.2 Understanding the needs and expectations of interested parties
What’s the Same
The control heading and the opening sentence remain the same, as does 4.2 a).
What’s Different
Item 4.2 b) has been reworded more generally, dropping the specific qualifier "relevant to information security." Essentially, that portion has been carried over into a new item c).
The new 4.2 c) mandates identifying which of the requirements of the identified interested parties will be addressed through the organization's information security management system (ISMS).
4.3 Determining the Scope of the ISMS
What’s the Same
The complete text remains unchanged.
What’s Different
There are no changes to this subsection.
4.4 Information Security Management System
What’s the Same
The general context of the control remains the same.
What’s Different
The clause now also calls out that the "processes needed and their interactions" for the ISMS must be established, implemented, maintained and continually improved.
Clause 5 – Leadership
5.1 Leadership & Commitment
What’s the Same
The control heading and content remains the same.
What’s Different
A qualifying note has been added at the end of the clause, explaining how the word "business" is to be interpreted.
5.2 Policy
What’s the Same
The control heading and content remains the same.
What’s Different
No changes were identified.
5.3 Organizational Roles, Responsibilities and Authorities
What’s the Same
The control heading remains the same.
What’s Different
The opening sentence of the control includes a new qualifier, "within the organization."
In 5.3 a), an insignificant change replaces "this International Standard" with the more generic "this document."
In the "NOTE" text, "may" has been changed to "can," presumably to conform to ISO's drafting conventions, under which "may" denotes permission while "can" denotes possibility. There does not appear to be any material impact resulting from this change.
Clause 6 – Planning
6.1 Actions to Address Risks and Opportunities
What’s the Same
The control heading and content of subsections 6.1.1 and 6.1.2 remain the same. The general content of subsection 6.1.3 also remains materially consistent, with the exceptions noted below.
What’s Different
The "NOTE"s in subsection 6.1.3 have been revised as follows:
- Formerly, the first note under 6.1.3 b) was not numbered; in the new version it has been assigned "NOTE 1," but its contents remain the same.
- Notes 1 and 2 under 6.1.3 c) have been renumbered to "NOTE 2" and "NOTE 3," respectively.
- NOTE 3 in the new version has been revised so that:
- The focus is on "controls" from Annex A of the standard rather than on "control objectives," consistent with the 2022 Annex A, which no longer lists control objectives.
- The statement that control objectives are implicitly included in the controls chosen from Annex A has been removed. This change does not appear to have any material impact.
Subsection 6.1.3 d) has had its wording restructured into bullet points; no material change results from this.
The final note ("NOTE 4") in the new version again changes the language "in this International Standard" to "in this document." No material impact results from this change.
6.2 Information Security Objectives and Planning to Achieve Them
What’s the Same
The control heading and content of 6.2 remain generally consistent, with the exceptions noted below.
What’s Different
Two new qualifying requirements have been added in the 2022 version (Edition 3) of subsection 6.2, inserted as 6.2 d) and 6.2 g). All other requirements under 6.2 have remained intact and have simply been re-lettered.
The new 6.2 d) mandates that information security objectives be "monitored."
The new 6.2 g) mandates that the objectives be available as documented information. It is unclear whether this was an oversight or why it was added, as the sentence immediately following the list states, "The organization shall retain documented information on the information security objectives," which says much the same thing.
6.3 Planning Changes
What’s the Same
Nothing … this subsection is new.
What’s Different
Subsection 6.3 is brand new to Clause 6. The one-sentence requirement mandates that changes to the ISMS be carried out in a planned manner. The inference is that, in addition to proper planning when implementing an ISMS, an organization making changes to an established ISMS must plan those changes in the same way. As with any ISO requirement, the key is to document the planning and retain it as an ISMS record (an audit artifact, or evidence of having performed it). It is unclear from the wording of the new version why the committee did not consider this to be already covered under clause 8.1, which requires the organization to control planned changes.
Clause 7 – Support
7.1 Resources
What’s the Same
The control heading and content for subsection 7.1 remains the same.
What’s Different
There have been no changes in this subsection.
7.2 Competence
What’s the Same
The control heading and content for subsection 7.2 remains the same.
What’s Different
There have been no changes in this subsection.
7.3 Awareness
What’s the Same
The control heading and content for subsection 7.3 remains the same.
What’s Different
There have been no changes in this subsection.
7.4 Communication
What’s the Same
The opening sentence and items 7.4 a), b) and c) are unchanged.
What’s Different
Items 7.4 d) and e), which previously required determining "who shall communicate" and "the processes by which communication shall be effected," have been consolidated into a single new 7.4 d) mandating that the organization determine "how to communicate."
7.5 Documented Information
What’s the Same
The control heading and content of 7.5 remain generally consistent, with the exceptions noted below.
What’s Different
The subsection opens with a general housekeeping change in 7.5.1 a), where "… by this International Standard" is generalized in the new version to "… by this document." Subsection 7.5.3 makes a similar amendment in its opening sentence.
Clause 8 – Operation
8.1 Operational Planning and Control
What’s the Same
The control heading and content of 8.1 remain generally consistent, with the exceptions noted below.
What’s Different
Paragraph One
Changes in this clause begin in the opening sentence of 8.1, where the qualifying text "… to meet information security requirements …" has been reduced to "… to meet requirements …," suggesting that expectations may have broadened beyond solely information security requirements. As the sentence continues, ISO has also generalized the 2013 wording to "… requirements, and to implement the actions determined in Clause 6 …," which summarizes what the previous version said in fewer words.
In the new version this paragraph also ends with two new qualifying bullets, mandating that the organization establish criteria for the processes and implement control of the processes in accordance with those criteria.
Paragraph Two
The change to this paragraph appears to be cosmetic, as it is merely a rewording of the opening of the sentence from "The organization shall keep documented information …" to "Documented information shall be available …"
Paragraph Four
This is another one-sentence area, but one that has had significant qualifying requirements added in the new version. The 2013 version stated generally that "outsourced processes" be determined and controlled; it did not distinguish one outsourced business process from another. The 2022 version now requires that "externally provided processes, products or services that are relevant to the information security management system are controlled." While I think these qualifications were potentially needed, I still see room for open interpretation or subjectivity in what "relevant to the information security management system" means. Presumably it refers to anything within the scope of the ISMS.
8.2 Information Security Risk Assessment
What’s the Same
The control heading and content for subsection 8.2 remains the same.
What’s Different
There have been no changes in this subsection.
8.3 Information Security Risk Treatment
What’s the Same
The control heading and content for subsection 8.3 remains the same.
What’s Different
There have been no changes in this subsection.
Clause 9 – Performance Evaluation
9.1 Monitoring, Measurement, Analysis and Evaluation
Paragraph One
What’s the Same
The control heading and content of 9.1 remain generally consistent, with the exceptions noted below.
What’s Different
The opening one-sentence paragraph has been removed, leaving no qualifying introduction before the second paragraph, which reads, "The organization shall determine: …" before going into a bulleted list of six specific requirements. Other than the heading, there is now nothing to frame the bulleted requirements, which reads a bit oddly. So, was that sentence thrown out, or moved? If you look at the end of 9.1, you will find that it has been moved there verbatim.
In 9.1 b), the contents of the "NOTE" have been moved into the body of the bullet, so clearly only a cosmetic change.
Paragraph Two
This single-sentence second paragraph is net new to the subsection; however, mandating that documented information be retained as evidence should not surprise anyone who lives in the ISO standards world. It is all the more perplexing why ISO feels it relevant to mandate this only here and there, given that ISO audits are, appropriately, designed as evidence-based audits. To be clearer, ISO should consider incorporating this into clause 7.5.3 as a general requirement.
9.2 Internal Audit
In the 2013 version of the standard, 9.2 was one consolidated topic with seven bulleted requirements (a) through g)), which has been split into two areas in the 2022 release. Bullets a) and b) are now in 9.2.1, whereas c) through g) are now in 9.2.2. Below are the changes noted in these newly numbered areas.
9.2.1 General
What’s the Same
The control content for bullets a) and b) remains the same.
What’s Different
There have been no changes in this subsection.
9.2.2 Internal Audit Programme
What’s the Same
The control content for bullets c) through g) remains the same.
What’s Different
The contents of bullet c) have been restructured into an opening paragraph for 9.2.2.
The contents of bullet g) have been restructured into a closing paragraph, with minor editorial changes that do not materially affect the requirement. This is another example where ISO could have been more efficient by centralizing the requirement under 7.5.3, as this is yet another statement that documented information must be retained.
9.3 Management Review
Similar to the previous control area, clause 9.3 had everything under one heading in 2013 and has been broken into three subsections in the 2022 version, as provided below.
9.3.1 General
What’s the Same
The opening sentence of the old version has been migrated into this area; the text remains consistent.
What’s Different
As 9.3.1 is net new, there are no changes per se.
9.3.2 Management Review Inputs
What’s the Same
The control content for bullets a) and b) has been migrated into this area and remains the same.
What’s Different
Bullets c) through f) have been migrated to 9.3.2 with no change to the text; however, they have been bumped down the line to become bullets d) through g) in the 2022 version.
A new bullet has been introduced as the new c), mandating that "changes in needs and expectations of interested parties" relevant to the ISMS be reviewed. This one could be a material change, especially for organizations that focus not on setting up a comprehensive ISMS but rather on meeting the minimum necessary only. In the past, the minimum necessary might have been seen as understanding interested parties' needs and expectations only at the outset, whereas this change implies an ongoing need to solicit and assess changes in those needs and expectations.
9.3.3 Management Review Results
What’s the Same
The last two paragraphs have been moved into this new sub-area, with only cosmetic changes to the text. Specifically, the second-to-last paragraph previously opened with "The output of the management review …" and now opens with "The results of the management review …"
What’s Different
As 9.3.3 is net new, there are no changes per se.
Clause 10 – Improvement
In the 2022 version the two subclauses have been swapped: 10.1 of the 2013 version is now 10.2, and 10.2 is now 10.1. This does appear to make sense, as the change gives Clause 10 a qualified opening.
10.1 Continual Improvement
What’s the Same
The control content imported from 10.2 of the 2013 version, now referenced as 10.1, remains the same.
What’s Different
Nothing.
10.2 Nonconformity and Corrective Action
What’s the Same
The control content imported from 10.1 of the 2013 version, now referenced as 10.2, remains materially the same, with the exception noted below.
What’s Different
In the qualifying statement that opens bullets f) and g), the previous version read "The organization shall retain documented information as evidence of: …" and has been reworded in the 2022 version to "Documented information shall be available as evidence of: …"
Annex A
Annex A is where the material changes really are. That said, the majority of Annex A has remained the same.
For a high-level overview of the changes there, please read our article entitled "ISO 27002: 2022 - What Has Changed," published on our site in March 2022.
Closing
If you are planning to implement the standard, or are supporting an organization that is already ISO 27001 certified, and need to better understand the full requirements, consider taking the Forum's 5-day ISO 27001 Lead Implementer or Lead Auditor courses. By training with the Forum, you are not just taking a course; you are supporting an institution that we are building together to make training accessible by keeping costs down, and to promote the development of new practice models and methodologies.