Understanding the new IS27001 requirements

ISO/IEC 27001:2022 is the third edition of the ISMS standard. The principal changes are:

Book cover for An introduction to ISO/IEC 27001:2022/Amd 1:2024 by David Brewer

David Brewer’s book “An introduction to ISO/IEC 27001:2022/Amd 1:2024”, gives a detailed explanation of the whole of ISO/IEC 27001:2022/Amd 1:2024 including these new requirements. It is available on Amazon in e-book (£36.00) and paperback formats (price £42.25).

The devil is in the detail

Annex A

In alignment with the controls in ISO/IEC 27002:2022, the revised Annex A now contains 93 information security controls, presented in four groups: organizational controls, people controls, physical controls, and technological controls; a categorisation referred to as themes. The previous edition contained 114 controls grouped under 14 headings, such as “Information security policies” and “Physical and environmental security”. None of these controls have been lost. They have either been transferred over to the new edition, not necessarily without modification, or merged. There are also 11 new controls, resulting in a reduced total of 93 controls.

Notwithstanding that 56 controls are carried over from Edition 2, there are subtle differences in the wording of the control text. This means that these controls are not identical to the previous edition. For example, whilst the new 5.1 is formed from merging the old A.5.1.1 and A.5.1.2, the new control text contains the phrase “and acknowledged”, which is entirely new.

The Annex A controls now refer to personnel, rather than employees, in recognition of the fact that an organisation need not be a legal entity, in which case the members of the organisation are not employees.

The notes notes in ISO/IEC 27001, Clause 6.1.3 c) that refer to Annex A have been modified to accord with the revised content and to stress that the Annex A controls are not requirements.

Harmonised structure (HS)

All management system standards must conform to the ISO directives. One of these, known as Annex SL presents the structure and requirements that is common to all management system standards. It was revised in 2020. Thus, the revised ISO/IEC 27001 conforms to the new structure, whereas other standards, such as ISO 9001 and ISO 14001 which were published some years ago, conform to the old structure. This explains some of the differences between these standards.

Climate change

An amendment was published on 24 February 2024 concerning climate change. It adds a new requirement to Clause 4.1, which is that organisations shall determine whether climate change is a relevant issue, and a note in Clause 4.2, which points out that relevant interested parties can have requirements related to climate change. The amendment is the same for all management system standards.

The amendment is a consequence of the (ISO) London declaration, which aims to foster active consideration of climate science and associated transitions in the development of all new and revised international standards and publications.

For conformance determine whether climate change has positive and/or a negative effect on the results of your ISMS. For example, does climate change present an unacceptable risk to information security to your ISMS?, can it have a positive effect on information security? Consider also your organisation’s activities that contribute to climate change. Do they contribute to the risks to your ISMS? Are they in keeping with the principles of Environment, Social and Governance (ESG), recently adopted by ISO?

Want to know more?

David Brewer’s book “An introduction to ISO/IEC 27001:2022/Amd 1:2024”, gives a detailed explanation of the whole of ISO/IEC 27001:2022/Amd 1:2024 including these new requirements. It is available on Amazon in e-book (£36.00) and paperback formats (price £42.25).

Guidance, written by Dr Brewer, is also given on the BSI website, but for a price — £75. His book is cheaper.

If you have any question about ISO/IEC 27001:2022/Amd 1:2024, just or use the find facility above. We will be pleased to assist.





		Apart from a completely new Annex A, other ISMS requirement changes are subtle
		HOME SERVICES Consultancy and training Productised IP-led IMS Service IMS-Smart On-Line Effective ISMS qualities Making the most of your ISMS BOOKS STANDARDS ISO/IEC 27001 ISMS Requirements Statement of Applicabiilty Risks and opportunities Risk treatment plans ISO/IEC 27002 Controls ISO/IEC 27004 Measurements ISO/IEC 27007 Auditing ISO/IEC 27014 Governance PHILOSOPHY Overview Architecture Time theory Opportunity exploitation Risk treatment Taxonomies Alternative ideas lists Effectiveness Continual improvement Auditing Implementation strategies CORPORATE About us Customers Papers Enquiries IMS-Smart Suzuki motorcycle ≡
		Already have an ISMS? perhaps we can help you create a better one!

	What’s new in ISO/IEC 27001:2022/Amd 1:2024? ISO/IEC 27001:2022 is the third edition of the ISMS standard. The principal changes are: alignment of Annex A with the controls in ISO/IEC 27002:2022 alignment with the revised Harmonised Structure (HS) for management system standards an amendment, common to all management system standards, for climate change. David Brewer’s book “An introduction to ISO/IEC 27001:2022/Amd 1:2024”, gives a detailed explanation of the whole of ISO/IEC 27001:2022/Amd 1:2024 including these new requirements. It is available on Amazon in e-book (£36.00) and paperback formats (price £42.25). You are encouraged to start planning your transition now, if you already have an ISMS, or start using the new standard if not. Whilst there is very little change to the Information security requirements, one of the most challenging and perplexing aspects of ISO/IEC 27001, is still risk assessment and the SOA, but that can easily be mastered, as can measuring performance, optimising, showcasing and exploiting your ISMS. The devil is in the detail Annex A In alignment with the controls in ISO/IEC 27002:2022, the revised Annex A now contains 93 information security controls, presented in four groups: organizational controls, people controls, physical controls, and technological controls; a categorisation referred to as themes. The previous edition contained 114 controls grouped under 14 headings, such as “Information security policies” and “Physical and environmental security”. None of these controls have been lost. They have either been transferred over to the new edition, not necessarily without modification, or merged. There are also 11 new controls, resulting in a reduced total of 93 controls. Notwithstanding that 56 controls are carried over from Edition 2, there are subtle differences in the wording of the control text. This means that these controls are not identical to the previous edition. For example, whilst the new 5.1 is formed from merging the old A.5.1.1 and A.5.1.2, the new control text contains the phrase “and acknowledged”, which is entirely new. The Annex A controls now refer to personnel, rather than employees, in recognition of the fact that an organisation need not be a legal entity, in which case the members of the organisation are not employees. The notes notes in ISO/IEC 27001, Clause 6.1.3 c) that refer to Annex A have been modified to accord with the revised content and to stress that the Annex A controls are not requirements. Harmonised structure (HS) All management system standards must conform to the ISO directives. One of these, known as Annex SL presents the structure and requirements that is common to all management system standards. It was revised in 2020. Thus, the revised ISO/IEC 27001 conforms to the new structure, whereas other standards, such as ISO 9001 and ISO 14001 which were published some years ago, conform to the old structure. This explains some of the differences between these standards. The principal changes are: References to the ISO and IEC online terminology databases have been added to Clause 2, albeit that readers are still referred to ISO/IEC 27000 as the source for all terms and definitions. A new clause has been added to Clause 4.2 (Understanding the needs and expectations of interested parties) which requires organisations to determine which interested party requirements will be addressed through the ISMS. Clause 4.4 (Information security management system) now includes the phrase “including the processes needed and their interaction”. A note explaining the meaning of the term “business” has been added to Clause 5.1, although the term is still omitted in the reference to “processes” in Clause 5.1 b) (the HS says “…integrated into…business processes”). Clause 5.3 now includes the phrase “within the organisation”. The phrase refers to the roles, not the extent of the communications. Clause 6.2 now includes a requirement to monitor the [fulfilment] of security objectives, thereby providing a link between the requirement 6.2 b) (“…be measurable (if practicable)”) and Clause 9.1 (Measurement, monitoring, analysis and evaluation). Clause 6.3 (Planning of changes) is new. It requires organisations to carry out changes to the ISMS in a planned manner. The Edition 2 requirements in Clause 7.4 (Communication) to determine “who shall communicate”, and “the communication process” have been replaced by “how to communicate”. The scope of Clause 8.1 (Operational planning and control) now refers to the whole of Clause 6, rather than just 6.1, thus obviating the need for the Edition 2 requirement “The organization…objectives determined in 6.2”, which has been removed. Also in Clause 8.1, the HS requirements for process criteria have been restored. They were not included in Edition 2 as at the time they were considered unnecessary. It is now recognised that the ISO/IEC 27001 requirements for “… at planned intervals” provide built-in examples of process criteria and the control of those processes against those criteria. Moreover, organisations will have their own examples, e.g., concerning the on-boarding and off-boarding of personnel. The requirement in Clause 8.1 concerning the control of outsourced processes has been replaced with the more general requirement for the control of externally provided processes, products and services. The paragraph “The organization shall evaluate …” has been restored to its original position in the HS, which is at the end of Clause 9.1. In Edition 2, it was positioned at the head of the clause. Moreover, the note that was in Clause 9.1 b) (“The methods selected should … to be considered valid”) has been merged into the Clause 9.1 b) text. In Clause 9.2 (Internal audit) there are some wording changes and subheadings have been introduced. In Clause 9.3 (Management review), subheadings have been introduced and there is a new requirement to consider changes in the needs and expectations of interested parties. The order of Clauses 10.1 and 10.2 have been reversed, to focus more attention on the objective of improvement. The references in the bibliography have been updated. Climate change An amendment was published on 24 February 2024 concerning climate change. It adds a new requirement to Clause 4.1, which is that organisations shall determine whether climate change is a relevant issue, and a note in Clause 4.2, which points out that relevant interested parties can have requirements related to climate change. The amendment is the same for all management system standards. The amendment is a consequence of the (ISO) London declaration, which aims to foster active consideration of climate science and associated transitions in the development of all new and revised international standards and publications. For conformance determine whether climate change has positive and/or a negative effect on the results of your ISMS. For example, does climate change present an unacceptable risk to information security to your ISMS?, can it have a positive effect on information security? Consider also your organisation’s activities that contribute to climate change. Do they contribute to the risks to your ISMS? Are they in keeping with the principles of Environment, Social and Governance (ESG), recently adopted by ISO? Want to know more? David Brewer’s book “An introduction to ISO/IEC 27001:2022/Amd 1:2024”, gives a detailed explanation of the whole of ISO/IEC 27001:2022/Amd 1:2024 including these new requirements. It is available on Amazon in e-book (£36.00) and paperback formats (price £42.25). The book explains: the meaning of all the terms used in the standard what is an ISMS, its purpose and benefits, the structure of the standard, relationship with other standards and certification the core management system requirements (i.e., those that come from the HS) and are therefore common to other management system standards the information security specific requirements (risk assessment, risk treatment, the Statement of Applicability…) and gives: implementation advice (including strategies, preparation and project planning, risk assessment methodologies, determining controls in practice…) . Guidance, written by Dr Brewer, is also given on the BSI website, but for a price — £75. His book is cheaper. If you have any question about ISO/IEC 27001:2022/Amd 1:2024, just or use the find facility above. We will be pleased to assist.





This site does not use cookies, but if you logon to an IMS-Smart product you consent to that site setting authentication session cookies
© IMS-Smart Limited, 2022-24
Page last updated: June 3, 2024

Logon to your IMS-Smart product
USER NAME
PASSWORD
Don’t have an IMS-Smart product? Learn more, register an evaluation copy, read the books.

Search the ims-smart.com website
SEARCH TEXT

Apart from a completely new Annex A, other ISMS requirement changes are subtle

The devil is in the detail

Annex A

Harmonised structure (HS)

Climate change

Want to know more?