The changes of ISO/IEC 27001:2022 from the 2013 standard.
ISO 27001:2022 is not significantly different from ISO 27001:2013, but there are some notable changes:
Context and scope You must now identify the “relevant” requirements of interested parties and determine which requirements will be addressed through the ISMS (Information Security Management System). The ISMS now explicitly includes the “processes needed and their interactions”.
Planning Information security objectives must now be monitored and made “available as documented information”. There is a new section on planning changes to the ISMS. This does not specify any processes that must be included, so you should determine how you can demonstrate that changes to the ISMS (Information Security Management System) have indeed been planned.
Support The requirements to define who will communicate, and the processes for effecting communication, have been replaced by a requirement to define “how to communicate”
Operation The requirement to plan how to achieve information security objectives has been replaced by a requirement to establish criteria for processes to implement actions identified in Clause 6, and to control those processes in line with the criteria. Organisations are now required to control “externally provided processes, products or services” relevant to the ISMS rather than just processes.
Performance and evaluation Methods of monitoring, measuring, analysing and evaluating the effectiveness of the ISMS now need to be comparable and reproducible. The management review must now also consider changes in the needs and expectations of interested parties.
Annex A Annex A has been revised to align it with ISO 27002:2022. The Annex A controls are discussed in the section below.
Comments