In October 2022, a new version of the ISO/IEC 27001:2022 information security standard was issued. The standard defines the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS). Like the earlier version, this international standard includes requirements for assessing and treating information security risks tailored to the needs of the organization. The requirements of the standard are generic and are intended to apply to all organizations, regardless of type, size or nature. Excluding any of the requirements in clauses 4-10 is not permitted when an organization claims conformity with this standard.
The changes in ISO/IEC 27001:2022 do not currently affect an existing ISO/IEC 27001 certificate.
Companies have a transitional period of 3 years (until October 2025) to adjust to the new standard. Readiness to certify against ISO/IEC 27001:2022 depends on the accreditation body. Certification and recertification against version 27001:2013 remains possible for another 18 months after the release of the new version.
The steps that need to be taken to implement the new version are:
- The organization should familiarize itself with the new version of ISO/IEC 27001:2022 (primarily through ISO management education)
- Revise the Statement of Applicability (SoA)
- Revise the Risk Management Plan (given the new structure and number of controls)
- Revise ISO policies and procedures (including updating the procedures for communication, the communication plan, etc.)
- Audit the objectives (6.2) and monitoring (9.1)
- Audit the audit documentation (plan and programme)
- Audit the inputs to the management review
- Update software solutions and tools (if system records are kept through software solutions/tools/applications)
- Raise awareness and educate all employees
There are a number of significant changes to the existing clauses of the standard, and there are also new ones: 11 new controls in Annex A:
- Threat intelligence (A.5 Organizational controls)
- Information security for the use of cloud services (A.5 Organizational controls)
- ICT readiness for business continuity (A.5 Organizational controls)
- Physical security monitoring (A.7 Physical controls)
- Configuration management (A.8 Technological controls)
- Information deletion (A.8 Technological controls)
- Data masking (A.8 Technological controls)
- Data leakage prevention (A.8 Technological controls)
- Monitoring activities (A.8 Technological controls)
- Web filtering (A.8 Technological controls)
- Secure coding (A.8 Technological controls)
For the specific changes in every existing clause, or an explanation of the new ones, feel free to contact us at sales@boost.hr