Revision of standard ISO/IEC 27001:2022 management system of information security

In October 2022, a new version of the standard, ISO/IEC 27001:2022, was issued, replacing ISO/IEC 27001:2013. A three-year transition period ending on 31.10.2025 was set. QSCert is currently in the accreditation process for auditing according to ISO/IEC 27001:2022, with the aim of completing this process by 30.09.2023.

Main changes in the new version of the standard:

Annex A references the controls in ISO/IEC 27002:2022, giving the control title and the control itself. Compared with the old edition, the number of controls in ISO/IEC 27002:2022 decreases from 114 controls in 14 clauses to 93 controls in 4 clauses. Of the controls in ISO/IEC 27002:2022, 11 are new, 24 are merged from existing controls, and 58 are updated. Moreover, the control structure is revised: it introduces an “attribute” and a “purpose” for each control and no longer uses an “objective” for a group of controls.

Therefore, certified organisations should take the following steps:

  • Obtain the ISO/IEC 27001:2022 and ISO/IEC 27002:2022 standards in electronic or paper form
  • Rework internal documentation (especially the Statement of Applicability) and implement the new and updated controls from ISO/IEC 27002:2022 into the management system
  • Ensure training of management, relevant workers and internal auditors on the changed requirements
  • Verify, by internal audit, the implementation of the information security management system with respect to the new controls in the Statement of Applicability

How can QSCert help?

