The release of the updated version, ISO 27001:2022, brings significant changes that demand attention and understanding: compared with the previous edition issued in 2013, the standard's information security focus has expanded to include cybersecurity and privacy criteria. Here we explore the changes in ISO 27001:2022 and highlight key considerations for a successful transition.
1. Strengthened Risk Management
Information security risk management has always been the backbone for maintaining and ensuring the good health of the Information Security Management System (ISMS). While the previous standard already established compliance through the identification of assets, their associated risks and treatment plans, the new standard requires organizations to explicitly define the risks to assets and processes, together with the specific stakeholders responsible for their treatment.
2. Context and Leadership
In terms of context and leadership, it was previously sufficient during implementation to determine the relevant ISMS stakeholders and the information security requirements (legal, regulatory and/or contractual). With the current changes, the aim is to specify which requirements each stakeholder will address within the ISMS. This level of depth will force companies to identify the explicit involvement of stakeholders throughout the ISMS and to be accountable to the board responsible for information security governance.
3. Heightened Focus on Supply Chain Security
In previous versions, the standard did not focus heavily on suppliers or the supply chain. In this new version, the standard requires organizations to explicitly assess and manage the risks associated with their suppliers and partners. Robust processes must be in place to assess the security posture of third-party entities and to ensure compliance with appropriate security controls, such as supplier classification, periodic evaluations, and improvements to service agreements that strengthen their information security provisions.
4. Streamlined Documentation and Communication
The new standard introduces more specific requirements for documentation and communication within the ISMS. Previously, the standard only required information to be managed through the person in charge. Now, objective tracking, ISMS change planning, communication, and monitoring of the ISMS's health status must be explicitly documented and made available to the parties involved.
This new requirement is potentially a significant improvement over the previous version, as many organizations were losing traceability of roles and of internal compliance with the information security policies in place.
How MAKINSIGHTS can help
At MAKINSIGHTS, we have seasoned professionals who have helped several organizations leverage ISO 27001/27002 as a cornerstone of their information security strategy, identifying key areas for improvement, prioritizing distinct service improvement efforts, and developing a comprehensive plan.
Our team of certified experts can assist your organization in understanding the changes to ISO 27001/27002 and in implementing effective methods to embrace the new requirements. Please feel welcome to book a consultation with us via ideas@makinsights.com or through Calendly <https://calendly.com/makinsights/30min>.