ISO 27001:2022 Summary of key changes
Main Changes:
ISO/IEC 27001:2022 is not a fully revised version. Its main changes include:
- References in Annex A to the controls in ISO/IEC 27002:2022, which includes information on the control title and the control;
- Notes to Paragraph 6.1.3 c) have been revised, including the deletion of control objectives and the use of “information security control” in place of “control”;
- The wording of Paragraph 6.1.3 d) has been rearranged to remove any potential trade-offs.
Impact
The impact of the changes to ISO/IEC 27001:2022 is limited to the introduction of a new Annex A because:
- ISO/IEC 27001:2013/COR 2:2015 has already been published and implemented.
- Annex A is normative.
The requirements in ISO/IEC 27001 that use the reference controls in Annex A are the comparison between the organization’s information security controls and those in Annex A (6.1.3 c)) and the production of a Declaration of Suitability (6.1.3 d)).
By comparing the required information security controls with those in Annex A, the organization can confirm that no required information security control from the reference set in Annex A has been inadvertently omitted. Such a comparison may not reveal any necessary information security controls that have been inadvertently omitted. However, if necessary information security controls are found to have been inadvertently omitted, the organization must update its risk management plans to acknowledge the necessary additional information security controls and implement them. As mentioned above, the impact of ISO/IEC 27001:2022 on organizations that have already implemented an Information Security Management System should not be significant.
Referred to: IAF
#siguriainformacionit #iso27001:2022 #iso.org