Category Archives: LATEST NEWS

ISO/IEC 27001:2022 Transition Notes – Part 4

ISO/IEC 27001:2022 contains 93 security controls in its Annex A. The 114 controls from the 2013 version of the standard have been amalgamated to form 82 of the 93 controls. 11 new security controls have been added.

The new security controls are as follows:

A.5.7 Threat intelligence

A.5.23 Information security for use of cloud services

A.5.30 ICT readiness for business continuity

A.7.4 Physical security monitoring

A.8.9 Configuration management

A.8.10 Information deletion

A.8.11 Data masking

A.8.12 Data leakage prevention

A.8.16 Monitoring activities

A.8.23 Web filtering

A.8.28 Secure coding

Detailed guidance in how to comply with all 93 security controls is available via ISO/IEC 27002:2022.

ISO/IEC 27001:2022 Transition Notes – Part 3

To comply with the requirements of ISO/IEC 27001:2022, there are a number of changes to Clauses 4-10 that need to be incorporated into your management system.

Clause 4.2: requires that the needs and expectations of interested parties which are met by the information security management system are determined.

Comment: This change reflects the increasing number of integrated management systems, covering multiple management standards, that have needs and expectations relating to those different standards.

Tip: Address this by including an extra column in your Interested Parties Register.

===========================================================

Clause 4.4: requires that an information security management system is established, implemented, maintained and continually improved, including the processes needed and their interactions.

Comment: This change now ensures that the management system is properly documented. Traditionally, an ISMS Manual has been used to document how the management system operates, including processes, reference to related policies etc.

Tip: Ensure the ISMS Manual is up to date and reflects the 2022 version of the management standard.

===========================================================

Clause 6.2: requires that information security objectives are monitored.

Comment: The need to “monitor” implies an ongoing oversight of the objectives, and whether these are being met or not, so that corrective action can be taken to get back on track when required.

Tip: Review progress towards achieving your objectives no less than monthly and review the findings with your management team.

===========================================================

Clause 6.3: requires that changes to the information security management system are carried out in a planned manner.

Comment: Given that the management of change is an established security control, it makes sense to use the agreed change management and approval process for any changes that can impact on the performance of the information security management system and put the organization at risk. Changes to policies, processes and procedures should already be covered by review and approval processes.

Tip: Ensure that all significant changes that will impact on the performance and effectiveness of the management system go through the organization’s formal change management process.

===========================================================

Clauses 10.1 and 10.2: these clauses have been swapped but still retain the same compliance requirements.

ISO/IEC 27001:2022 Transition Notes – Part 2

Timescales for transitioning from ISO/IEC 27001:2013 to ISO/IEC 27001:2022 are known to be as follows:

  • All existing certificates for ISO/IEC 27001:2013 will automatically expire on 31st October 2025.
  • All new certifications and any recertifications conducted from 1st May 2024 must be conducted against ISO/IEC 27001:2022.
  • If an organisation recertifies before 1st May 2024, their certificate expiry date will be no later than 31st October 2025.

More posts to follow…..

ISO/IEC 27001:2022 Transition Notes – Part 1

The new version of the ISO standard for information security management has now launched and there are a number of changes that need to be made to existing management systems in order to comply with the new version by the deadline of 31st October 2025.

For the Annex A controls, the previous 114 controls from the 2013 standard have been combined into 82 controls. There are 11 brand new controls to be considered for applicability, giving a new total of 93 controls to be considered for adoption in order to treat information risks faced by the organisation.

The 93 controls have been split across 4 separate categories covering Organisational, People, Physical and Technological.

Further notes to follow…..