Context

ISO 27001 is the leading international standard on information security and has been published by the International Organization for Standardization ('ISO') in partnership with the International Electrotechnical Commission ('IEC'). Both ISO and IEC are globally recognised organizations that develop international standards.


ISO 27001 compared with ISO 27002

There is often some degree of confusion between ISO 27001 and ISO 27002: the former is the main standard against which an organization can be certified, while the latter is the supporting standard that provides guidelines on the implementation of security controls. The most important difference is that ISO 27002 is not mandatory for ISO 27001 certification, and organizations cannot be certified against ISO 27002.


Evolution of ISO 27001 & ISO 27002

  • The introductory version of ISO 27001, titled 'BS 7799-2', was published back in 1999 and has gone through several changes since.
  • ISO 27002, originally titled 'BS 7799-1', was first published in 1995.
  • February 2022 saw the ISO 27002:2022 revision, published with a new structure of 93 controls; the same structure of controls was adopted by ISO 27001:2022.


Effective dates

The 'Transition requirements for ISO/IEC 27001:2022' from the International Accreditation Forum state that, for companies that are already certified against ISO 27001:2013, the transition to ISO 27001:2022 needs to be completed by October 31, 2025. While accreditation bodies need to be able to certify companies against ISO 27001:2022 by October 31, 2023 at the latest, several of them have already commenced certifying against the new revision.

An overview of the recent changes

Set out below are the main changes that we have seen in ISO 27001:2022 when compared with ISO 27001:2013.

  • Clause 4.4 relating to the information security management system | The new clause requires processes and “their interactions” to be identified, which is similar to ISO 9001. These interactions can be presented through diagrams and flow charts.
  • Clause 6.2 relating to information security objectives | The new clause requires the information security objectives to be documented and available to all stakeholders.
  • Clause 6.3 relating to planning of changes | The new clause requires all changes to have their plans documented.
  • Clause 8.1 relating to operational planning and control | The new clause requires organizations to define criteria for operational processes. These criteria can be defined broadly and could address a security requirement and/or a business requirement and/or a customer request.
  • Clause 9 relating to performance evaluation | The new clause requires methods to evaluate and monitor controls that produce comparable results, so that the organization can assess trends.
  • Clause 9.2 relating to internal audits | The new clause requires internal assessments to cover all organizational requirements, which should go beyond ISO 27001. This seeks to ensure a broader attempt at a comprehensive management system.
  • Organizational and physical controls | While no existing controls were deleted, new controls have been introduced and several controls were merged, reducing the overall number of controls.
  • Security controls contained in Annexure A | These have decreased from 114 to 93. The security controls are now divided into 4 sections instead of the previous 14. This change represents a tangible attempt to make the standard more concise and simpler to implement. Overlaps and repetitions have been eliminated, and five major security attributes have been introduced that make the controls easier to group.

The ensuing chart provides an overview of the new sections and controls of ISO 27001:2022.

A summary of the changes

35 controls remain unchanged, 23 have been renamed and 57 controls have been merged to form 24 controls. Together with the 11 newly added controls, this gives the 93 controls of the 2022 revision.


Depicted below is an overview of the 11 newly added controls.

Next steps

You could follow these steps to update your compliance processes in alignment with the new ISO 27001:2022 requirements and obtain certification:


  1. Develop a sound foundation by defining the rules and methodology for your risk assessment.
  2. List all assets, with their related threats, vulnerabilities and risks.
  3. Choose the right tool for risk assessment.
  4. Prioritize the risks.
  5. Develop the treatment plan.
  6. Align your statement of applicability with the updated Annexure A of ISO 27001:2022.
  7. Review and update documentation, including policies and procedures, to meet the new control requirements.
  8. Get audited against the new ISO 27001:2022 standard revision.


We hope you found this thought leadership useful and look forward to your feedback. In case you require any further assistance, please do not hesitate to reach out to [email protected] or directly contact Kirti Kumar Salunke at [email protected].


Best regards

Markets team

MGC Global Risk Advisory

According to Kirti Kumar Salunke, IT Risk Advisory Leader, MGC Global Risk Advisory,


"The benefits of ISO 27001 extend beyond legal compliances (in countries where these are required) and contractual requirements. These enable organizations to identify, assess and mitigate their information security risks, while proactively protecting their information assets, enhancing their cyber security controls and in the process also building trust with stakeholders. The costs of a cyber attack or an information security breach can be devastating, and consequently, whether one should assess his/her organization's information security posture & risks with reference to international standards is not an option anymore."

About MGC Global Risk Advisory 

Recognized as one of the '10 most promising risk advisory services firms' in 2017, as the 'Company of the Year' in 2018 and 2019 (both in the category of risk advisory services), one of the 'Top Exceptional Companies to Work For' in 2020, amongst the 'Top 25 Customer Centric Companies' in 2020 and 'The Consultant of the year' in 2021 (in the category of risk advisory services), MGC Global is an independent member firm of the US$ 4.6 billion, Atlanta-headquartered Allinial Global.


MGC Global provides services in the areas of internal audits, enterprise-wide risk management, control assessments (SOC, IFCR & SOX), process re-engineering, governance frameworks, IT risk advisory, GDPR, VAPT, ISO readiness, cyber security, CxO transformation and forensic services. Our firm has the capability to serve its clients through its offices in Bengaluru, Mumbai and NCR, and has service arrangements in all major cities in India.

About Allinial Global

Allinial Global (formerly PKF North America) is currently the world's second-largest member-based association (with collective revenues of approximately USD 4.6 billion) and has dedicated itself to the success of independent accounting and consulting firms since its founding in 1969. It currently has member firms in 99 countries, which have over 26,000 professional staff and over 4,000 partners operating from 688 offices across the globe.


Allinial Global provides its member firms with a broad array of resources and support that benefit both its member firms and their clients in the key impact areas of learning and development, human resources, international outreach, technical support, knowledge-sharing platforms through its specialized communities of practice, marketing resources, information technology and best practices in practice management.