Changes in the ISO 27001:2022 management system
The text of the mandatory clauses 4 through 10 has changed only slightly, mainly to align ISO 27001 with the Annex SL harmonized structure shared by ISO 9001, ISO 14001, and the other ISO management system standards.
Here’s a brief overview of the changes in ISO 27001:2022:
- In clause 4.2 (Understanding the needs and expectations of interested parties), item (c) was added, requiring the organization to determine which of the interested parties' requirements will be addressed through the ISMS.
- In clause 4.4 (Information security management system), a phrase was added requiring planning for processes and their interactions as part of the ISMS.
- In clause 5.3 (Organizational roles, responsibilities and authorities), a phrase was added to clarify that communication of roles is done internally within the organization.
- In clause 6.2 (Information security objectives and planning to achieve them), item (d) was added that requires objectives to be monitored.
- Clause 6.3 (Planning of changes) was added, requiring that any change to the ISMS be carried out in a planned manner.
- In clause 7.4 (Communication), item (e), which required defining the processes by which communication is carried out, was deleted.
- In clause 8.1 (Operational planning and control), new requirements were added for establishing criteria for the security processes and for controlling those processes in accordance with the criteria. In the same clause, the requirement to implement plans for achieving the information security objectives was deleted.
- In clause 9.3 (Management review), the new item 9.3.2 c) was added, making changes in the needs and expectations of interested parties that are relevant to the ISMS an explicit input to the management review.
- In clause 10 (Improvement), the subclauses have swapped places: the first is now Continual improvement (10.1) and the second is Nonconformity and corrective action (10.2), while the text of both subclauses is unchanged.