ISO/IEC 27001:2022 Transition Notes – Part 3

To comply with the requirements of ISO/IEC 27001:2022, there are a number of changes to Clauses 4-10 that need to be incorporated into your management system.

Clause 4.2: requires that the organization determines which of the needs and expectations of interested parties will be addressed through the information security management system.

Comment: This change reflects the increasing number of integrated management systems, covering multiple management standards, whose interested parties have needs and expectations relating to those different standards.

Tip: Address this by including an extra column in your Interested Parties Register.

===========================================================

Clause 4.4: requires that an information security management system is established, implemented, maintained and continually improved, including the processes needed and their interactions.

Comment: This change now ensures that the management system is properly documented. Traditionally, an ISMS Manual has been used to document how the management system operates, including its processes, references to related policies, etc.

Tip: Ensure the ISMS Manual is up to date and reflects the 2022 version of the management standard.

===========================================================

Clause 6.2: requires that information security objectives are monitored.

Comment: The need to “monitor” implies an ongoing oversight of the objectives, and whether these are being met or not, so that corrective action can be taken to get back on track when required.

Tip: Review progress towards achieving your objectives no less than monthly and review the findings with your management team.

===========================================================

Clause 6.3: requires that changes to the information security management system are carried out in a planned manner.

Comment: Given that the management of change is an established security control, it makes sense to use the agreed change management and approval process for any changes that can impact on the performance of the information security management system and put the organization at risk. Changes to policies, processes and procedures should already be covered by review and approval processes.

Tip: Ensure that all significant changes that will impact on the performance and effectiveness of the management system go through the organization’s formal change management process.

===========================================================

Clauses 10.1 and 10.2: these clauses have been swapped in order but retain the same compliance requirements.