ISO IEC 27001 User Manual

Comparing ISO/IEC 27001:2022 to ISO/IEC 27001:2013. What are the changes?
A Guidance Document
ISO/IEC 27001:2022 was published in October 2022.
This guidance document outlines the changes in ISO/IEC 27001:2022 compared with ISO/IEC 27001:2013.
1 Title
The title of the new edition of ISO/IEC 27001 has been changed to Information security, cybersecurity and privacy protection – Information security management systems – Requirements. It aligns with the title of ISO/IEC 27002:2022 (Information security, cybersecurity and privacy protection – Information security controls).
2 Clauses numbering
2.1 NEW SUBCLAUSES ARE INTRODUCED IN ISO/IEC 27001:2022.
New subclauses:
6.3 Planning of changes
9.2.1 General
9.2.2 Internal audit programme
9.3.1 General
9.3.2 Management review inputs
9.3.3 Management review results
The introduction of these subclauses further harmonizes the document structure with other management system standards, e.g. ISO 9001:2015 and ISO 22301:2019.
2.2 THE ORDER OF TWO SUBCLAUSES IS INTERCHANGED.
ISO/IEC 27001:2022 subclause                  ISO/IEC 27001:2013 subclause
10.1 Continual improvement                    10.1 Nonconformity and corrective action
10.2 Nonconformity and corrective action      10.2 Continual improvement
Nevertheless, there is no change in the requirements in these subclauses.
3 New texts
3.1 NEW TEXTS ARE INTRODUCED IN ISO/IEC 27001:2022.
The table below lists, for each clause, the new requirement and SGS’ remarks.

Clause: 4.2 Understanding the needs and expectations of interested parties
New requirement: The organization shall determine: a) ……; b) ……; c) which of these requirements will be addressed through the information security management system.
SGS’ remarks: In the note to 4.2, ‘may include legal and regulatory requirements’ becomes ‘can include legal and regulatory requirements’. The word “may” has been replaced in several areas of the standard with the word “can”.

Clause: 4.4 Information security management system
New requirement: The organization shall establish, implement, maintain and continually improve an information security management system, including the processes needed and their interactions, in accordance with ……
SGS’ remarks: These texts are also included in other management system standards, e.g. ISO 9001:2015 and ISO 22301:2019.

Clause: 5.1 Leadership and commitment
New requirement: Requirements unchanged; a new note is added: ‘Reference to business in this document can be interpreted broadly to mean those activities that are core to the purposes of the organization’s existence.’

Clause: 5.3 Organizational roles, responsibilities and authorities
New requirement: In the note, ‘top management may also’ becomes ‘top management can also’.

Clause: 6.2 Information security objectives and planning to achieve them
New requirement: The information security objectives shall: a) ……; b) ……; c) ……; d) be monitored; e) ……; f) ……; g) be available as documented information.
SGS’ remarks: For d), the new texts are also included in other management system standards, e.g. ISO 9001:2015 and ISO 22301:2019.

Clause: 6.3 Planning of changes
New requirement: This is a new subclause; it does not appear in the 2013 edition. 6.3 states: ‘When the organization determines the need for changes to the information security management system, the changes shall be carried out in a planned manner’.
SGS’ remarks: This is actually a fairly big change.

Clause: 7.4 Communication
New requirement: The organization shall determine the need for …… communications …… including: a) ……; b) ……; c) ……; d) how to communicate.
SGS’ remarks: Meanwhile, the requirements of ISO/IEC 27001:2013 clause 7.4 d) who shall communicate; and e) the processes by which communication shall be effected are removed.

Clause: 8.1 Operational planning and control
New requirement: The organization shall plan, implement and control the processes …… by: — establishing criteria for the processes; — implementing control of the processes in accordance with the criteria.
SGS’ remarks: The new requirements are also included in other management system standards, e.g. ISO 9001:2015 and ISO 22301:2019.