We've heard a few people saying that the new version of ISO/IEC 27001, published in October 2022, isn't that much of a change from the current ISO/IEC 27001:2013.
We believe they are wrong.
In fact, anyone who says this has probably not read the new standard alongside the associated ISO/IEC 27002:2022 guidance, because that is where most of the change sits.
Change is coming
There is no need to panic, but be under no illusion: this is a significant update to the information security management standard. The headline change is Annex A, which has been rebuilt to follow ISO/IEC 27002:2022: the 14 domains and 114 controls of the 2013 edition become 4 themes (organisational, people, physical and technological) and 93 controls. Most of the reduction comes from merging existing controls, but 11 controls are genuinely new. The main changes are:
A new clause 6.3, Planning of changes, which requires changes to the ISMS to be carried out in a planned manner rather than ad hoc.
Smaller but auditable wording changes to the management clauses 4 to 10. For example, clause 4.2 now asks which interested-party requirements will be addressed through the ISMS, clause 8.1 now requires control of externally provided processes, products and services relevant to the ISMS, and management review in clause 9.3 gains changes in the needs and expectations of interested parties as an input.
Eleven new Annex A controls, each with implementation guidance in ISO/IEC 27002:2022:
5.7 Threat intelligence: collect and analyse information about threats so that it informs risk treatment, detection and response.
5.23 Information security for use of cloud services: define how cloud services are acquired, used, managed and exited in line with the organisation's requirements.
5.30 ICT readiness for business continuity: plan, implement and test ICT continuity based on business continuity objectives and recovery requirements. This is about the organisation's ICT, not about the ISMS continuing to operate.
7.4 Physical security monitoring: continuously monitor premises for unauthorised physical access.
8.9 Configuration management: establish, document, implement, monitor and review the configurations of hardware, software, services and networks, including security configurations.
8.10 Information deletion: delete information held in systems, devices or other storage media when it is no longer required.
8.11 Data masking: use masking, pseudonymisation or anonymisation, in line with access control policy and legal requirements, to limit exposure of sensitive data.
8.12 Data leakage prevention: apply DLP measures to systems, networks and devices that process, store or transmit sensitive information.
8.16 Monitoring activities: monitor networks, systems and applications for anomalous behaviour and act on potential incidents. This is technical monitoring, not monitoring of the ISMS itself.
8.23 Web filtering: manage access to external websites to reduce exposure to malicious content.
8.28 Secure coding: apply secure coding principles to software development.
ISO/IEC 27002:2022 also changes how the controls are presented, which matters for anyone maintaining a Statement of Applicability:
Each control now carries attributes (control type, information security properties, cybersecurity concepts, operational capabilities and security domains), described in its Annex A, so controls can be filtered, for example into preventive, detective and corrective.
Its Annex B gives a correspondence table between the 2022 and 2013 controls, which is the starting point for remapping an existing Statement of Applicability.
Each control is laid out as a control statement, purpose, guidance and other information, so the intent of a control is stated explicitly rather than left to the reader.
Conclusion
The 2022 edition is a significant update. Certified organisations need to remap their risk treatment and Statement of Applicability to the new Annex A, implement or map the eleven new controls, and reflect the clause changes in their ISMS documentation before their transition audit.
Under IAF MD 26 the transition period is three years from publication. Certificates issued against ISO/IEC 27001:2013 must expire or be withdrawn by 31 October 2025, and certification bodies must stop initial and recertification audits against the 2013 edition from 30 April 2024, so in practice the deadline is earlier than it looks.
If 2025 still sounds a long way off, note that we are already taking organisations through the new requirements, so your competitors are probably on their way.
GAP ANALYSIS
Why not start with a gap analysis? We can assess your current ISMS against the new requirements in just half a day.
Get in touch if this is of interest.