
ISO 27001:2022 - UPDATES

ISO 27001 is a globally recognised standard for managing information security. It sets out the criteria for an information security management system (ISMS). Over time, updates to the standard reflect evolving threats, technologies, and best practices in information security. The differences between ISO 27001:2013 and ISO 27001:2022 are part of the standard’s evolution, addressing the need for organisations to better manage and protect their information assets.

In this blog we will cover:

  1. What are the version differences?
  2. When do you need to transition?
  3. What are the 2024 amendments?

1. WHAT ARE THE VERSION DIFFERENCES BETWEEN ISO 27001:2013 AND ISO 27001:2022?

  • Structure and Terminology Updates:

ISO 27001:2022 continues to follow the high-level structure used by other ISO management system standards, making it easier to integrate with other ISO standards. However, it updates some terminologies and definitions to align with current practices and understanding.

  • Risk Management Enhancements:

The 2022 revision places a greater emphasis on risk management, covering not only information security risks but also the broader context of organisational risks. This reflects a more holistic approach to risk management.

  • Control Set Revision:

The Annex A controls in ISO 27001:2013 have been revised and reorganised in the 2022 version. The number of controls has been reduced from 114 to 93, with some controls being merged and others updated to reflect current technology trends and threats. This includes considerations for cloud computing, Internet of Things (IoT), and other modern technologies.

  • Increased Flexibility:

ISO 27001:2022 offers organisations more flexibility in how they apply controls and manage their information security, recognising the diverse ways in which businesses operate and leverage technology today.

  • Attention to Cybersecurity Trends:

The latest revision addresses contemporary cybersecurity trends and threats, providing a more up-to-date framework for organisations to protect against breaches and cyber-attacks.

  • Threat Intelligence and Information Security Incidents:

The 2022 version places greater emphasis on the importance of threat intelligence and provides more detailed guidance on information security incident management.

  • Consideration for Privacy Concerns:

While ISO 27001 focuses on information security, the 2022 revision includes more explicit considerations for privacy issues, reflecting the increasing global concern over personal data protection.

  • Leadership and Commitment:

The new version places a stronger emphasis on the role of top management in leading and supporting the ISMS, highlighting the importance of leadership commitment to the success of information security initiatives.

Organisations seeking to certify or recertify to ISO 27001 should consider these updates to ensure their ISMS meets the current standard’s requirements. Transitioning to the updated standard will help organisations address modern security challenges and demonstrate their commitment to protecting information assets.

2. TIMING

In Australia, some organisations are also certified to a customised version of the ISO 27001 Information Security Management Systems Standard that includes additional controls from the Australian Government Information Security Manual to protect people, processes and IT infrastructure.

The Right Fit For Risk Cyber Security Accreditation from the Department of Employment and Workplace Relations has mandated that all providers of employment skills training and disability employment services must be compliant with ISO 27001:2022 by April 2024 or risk losing certification.

As of April 2024, any organisation wishing to certify to ISO 27001 will only be able to certify to ISO 27001:2022.

3. 2024 AMENDMENT

Organisations will also need to consider the latest amendment. The amendment to ISO/IEC 27001:2022, titled AMD 1:2024, focuses on “Climate action changes” in the realm of information security, cybersecurity, and privacy protection.

This reflects an increasing recognition of the intersection between environmental sustainability and digital infrastructure, suggesting that organisations will need to consider their impact on climate within their information security practices.

Summary

With cyber criminals working harder and harder to overcome system protocols, the threat of cyber-crime is on the rise and new threats are constantly emerging. It can seem difficult or even impossible to manage cyber-risks. ISO/IEC 27001 helps organisations become risk-aware and proactively identify and address weaknesses. ISO/IEC 27001 promotes a holistic approach to information security: vetting people, policies and technology. An information security management system implemented according to this standard is a tool for risk management, cyber-resilience and operational excellence.

Contact us for more information or to book your audit to ensure you continue to be compliant.
