New Podcast: ISO 27001:2022 – Here’s What to Look For…
In this episode, Howard and Jim review the changes in ISO 27001:2022, Information Security Management Systems Requirements.
Items discussed include:
- ISO 27001 (Information Security Management Systems) was the pioneer of what was first known as the High Level Structure and is now called the Harmonized Structure, which was developed for all the other standards to be built on.
- The breadth of changes in the clauses:
  - 4.2 – Interested Parties (minor tweak)
  - 4.4 – Description of the Entire System (additional information added)
  - 6.1 – Risk Management (additional information and clarification)
  - 6.2 – Information Security Objectives (additional information and clarification)
  - 6.3 – Change Management (new clause)
  - 7.4 – Communication (minor tweak)
  - 8.1 – Operation Planning (rewritten)
  - 9.1 – Monitoring (additional information)
  - 9.2 – Internal Auditing (expanded with new information)
  - 9.3 – Management Review (expanded)
- Annex A – Controls. The controls have been reorganized from 14 categories into 4 and reduced from 114 controls to 93:
  - Clause 5 – Organization Controls (37)
  - Clause 6 – People Controls (8)
  - Clause 7 – Physical Controls (14)
  - Clause 8 – Technological Controls (34)
- ISO 27002, the guidance document for Annex A (more in the next episode!)
- The benefit of beginning recertification sooner rather than later