The updated ISO 27001:2022 has had several changes, including the addition of 11 completely new controls and the merging of 56 other controls into 24 newly titled controls.
These changes mean that anyone holding a current ISO 27001:2013 certificate will need to update and add certain elements of their existing Information Security Management System to ensure compliance with ISO 27001:2022 ahead of the October 2025 deadline.
Join Mel this week as she explains the changes that need to be made, including what key documentation requires updating to align with ISO 27001:2022.
- What changes need to be made to your existing Information Security Management System?
- What key documents need to be updated?
- How can you get a free copy of ISO 27001:2022?
In this episode, we talk about:
[00:44] In the last episode we covered the planning stages for your transition – catch up here
[01:02] We have a free ‘Guide to the ISO 27001 Changes’ available – simply fill out the form at the end of the Show Notes to download your copy
[01:29] You should have a copy of ISO 27001:2022 ahead of implementing the changes (you can get a free copy if you sign up to our Transition Programme by April 1st 2023)
[01:35] Before you move on to Implementation, ensure that you have planned back from your transition date, understand the new controls, and have had a Discovery session / Gap Analysis to identify where the gaps in your current system are
[02:50] What needs updating? This will include:
- Your Statement of Applicability
- Risk Assessment
- Action Plans
- Monitoring and measurement (reviewing what you are monitoring / measuring and how it’s recorded)
- Internal Audit Schedule / Programme – To include the new controls
[03:45] At this stage you need to look at what controls you have in place – there may be some you can now merge together to reduce any paperwork involved.
[04:25] We have some tools available to tackle the new controls (e.g. Threat Intelligence, data masking, physical security monitoring etc.) if you need some extra help
[04:50] It’s not just about updating documentation: you will need to fully implement and communicate these new controls to the wider business. You may find that you already have some controls covered, but not yet formalised.
[05:30] The main aspect of the Implementation phase is to address the gaps found during the Gap Analysis. For example, new controls such as data masking, threat intelligence and web filtering, which you may not have considered seriously before, now need formal, documented measures in place to address them.
[06:26] Communication and evidence should be at the forefront of your mind when updating your Info Sec Management System.
[06:39] Don’t just implement controls for the sake of it – consider how they are going to reduce risk and how they’re going to make a difference to your Risk Register and Statement of Applicability.
[07:00] The Implementation phase of our Transition Programme is 1-3 days depending on your level of required support
[07:54] You should also consider creating a Communication Plan to share knowledge of these changes with the wider business. Make sure you also compile any evidence of training on new elements of your Management System too. We will have Coffee Break Training available on the isologyhub which could help with this.
Grab a copy of our ISO 27001:2022 Guideline to the changes here:
Keep an eye out for next week’s episode, where we explain how to complete your ISO 27001:2022 transition.
We’d love to hear your views and comments about the ISO Show, here’s how:
- Share the ISO Show on Twitter or LinkedIn
- Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.
Subscribe to keep up to date with our latest episodes: