ISO 27001:2022 is the internationally recognized standard for Information Security Management Systems (ISMS).
This standard covers the requirements for applying appropriate controls to ensure the protection of information assets.
The ISMS family of standards is intended to assist organizations of all types and sizes in implementing and operating an ISMS.
The ISMS family of standards consists of the following:
The two standards in the ‘Requirements’ swimlane specify requirements; the others offer guidance. Among the latter, the most important are ISO 27005 and ISO 27002.
ISO 27001:2022 is the latest version of ISO 27001, the Information Security Standard. It replaced the previous version, ISO 27001:2013.
How does ISO 27001:2022 Compare with ISO 27001:2013?
Many commentators in recent months have characterized the changes to ISO 27001 as ‘minor’, suggesting that little time will need to be devoted to implementing the necessary changes. We do not agree.
For the vast majority of organizations, a formal Migration Project will be needed if they are to get it right at the first attempt. When your organization is audited for the first time against the new Standard, it is the changes that the Certification Body (CB) Auditors will naturally focus on. So, you’d better be prepared.
Notable Changes in ISO 27001:2022
1. Changes to the Standard’s Text
To begin with, the Standard has a new title to emphasize that IT security alone is not the issue. It is now called ISO/IEC 27001:2022, Information Security, cybersecurity and privacy protection — Information security management systems – Requirements.
Since the last version of the standard was published in 2013, information and communication technology (ICT) and the way we do business has changed enormously. Today we all expect instant access to information, and we have expectations of higher individual and corporate performance while we deal with more complex supply chains and operate in a global economy.
ISO 27001:2022 has been revised to take these changes into account and to address two areas of vulnerability that were often overlooked previously, especially by ICT-focused businesses. These are People Controls and Physical Controls.
Overall, the main changes in ISO/IEC 27001:2022 are:
Annex A now references the Controls detailed in ISO/IEC 27002:2022, listing the control title and the control itself;
The note in Clause 6.1.3 c) is revised editorially, including deleting the “control objectives” and replacing “information security control” with “control”;
The wording of Clause 6.1.3 d) is revised to provide clarity and eliminate ambiguity.
You may have read that the changes to the Standard text will be limited to Clause 6.1.3. Not so!
There are many small changes throughout the Standard’s text that will need to be carefully considered and acted upon. Let’s take two examples …
Clause 4.2 Understanding the needs and expectations of interested parties: Part c) has now been added and states – ‘c) which of these requirements will be addressed through the information security management system.’ Under the 2013 standard, many organizations provided a list of interested parties without further detail. This will no longer be enough: under the 2022 standard it will be necessary to identify and specify the needs of those parties, and then provide evidence of how the ISMS has addressed and satisfied those needs and expectations.
Clause 4.4 Information security management system: The following text has been added, ‘including the processes needed and their interactions.’ These are not the processes you may have in your ISO 9001 QMS which relate to operations and are often couched in very general terms. Here what will be required will be an analysis of the processes for the handling, storage, protection, etc., of all kinds of information used by the organization. It is doubtful if more than, say, 5% of organizations currently certified to ISO 27001 have done an adequate job here. Many will have documented IT processes but not the management of hardcopy data, premises, physical assets and the like.
2. Changes to Annex A – a radical restructuring?
The description of the changes above conceals the fact that Annex A has been completely restructured, and the companion standard, ISO 27002, has been massively expanded and can no longer be ignored (if for no other reason than your Certification Body Auditor will not be ignoring it).
The most significant change is, therefore, the organization of the 93 Controls into four domains (or Chapters), namely …
Chapter 5 – Organizational (if they do not fall under any other domain)
Chapter 6 – People (if they concern individual people)
Chapter 7 – Physical (if they concern physical objects)
Chapter 8 – Technological (if they concern technology)
The 2013 version had 114 Controls in 14 Domains, so organizations will require a complete restructuring of their Statement of Applicability, with knock-on effects on their risk assessment, risk treatment documentation, etc. Additionally, new Controls regarding People and Physical domain requirements are likely and will require time, finances and other resources.
3. A 3-year Transition Period
No surprises here. The usual idle talk of a 2-year transition has proved false.
Certification Bodies must complete the transition to the new Standard within 36 months, that is, by the end of October 2025.
Certification Bodies must audit all new registrations against the new Standard within 12 months, that is, by the end of October 2023.
Currently certified organizations can expect their Certification Body to switch to the new Standard at the end of the current 3-year certification cycle. And there’s nothing in the 2022 Standard to justify increased certification fees!
Why is ISO 27001:2022 Training important?
As every organization has information of value and is, therefore, a target for cyber-criminals, ISO 27001 is relevant and globally applicable to all kinds of organizations. Also, by implementing an Information Security Management System (ISMS) based on ISO 27001, it is easy to accommodate and demonstrate compliance with the requirements of GDPR, SOC 2 and other regulations and codes of practice, as applicable.
By going through ISO 27001 training, organizations can become more aware of the threat that weak defences to cyber-attack and other vulnerabilities pose to their business and learn of ways to address them.
Note:
There is as yet (31-Oct-22) no news as to when EN ISO/IEC 27001:2022, the EU Harmonized Standard, will be published. In recent times, simultaneous publication with the international version has been the practice (thus avoiding similar, if not identical, standards having a different year of publication). We’ll have to wait and see but, in any case, a delay is going to have little consequence for most organizations.
Is ISO 27001 Training Mandatory?
The training of a Management Representative or others with day-to-day responsibility to maintain an ISMS is NOT mandatory. Training is implied as part of developing competence but not a specific stand-alone requirement.
ISO 27001 training is also not mandatory for internal auditors; however, it is recommended so they can perform more effective internal audits and help your organization avoid surprises during certification audits.
What is an Information Security Management System?
An ISMS (Information Security Management System) provides a model for establishing, implementing, and reviewing the protection of information assets, and for maintaining and improving that protection.
It is designed to achieve business goals while managing risks based on risk assessment and the organization’s risk acceptance levels.
Need information about ISO 27001 Certification?
Questions Answered
What does ISO mean?
What does ISO 27001 mean?
What is the purpose of ISO 27001?
What is an Information Security Management System (ISMS)?
What is the Purpose of an ISMS?
Who Needs an ISMS?
What are the Benefits of an ISMS?
What does ISO 27001 Compliance mean?
Is ISO 27001 Compliance a Requirement for Organizations?
Who can benefit from ISO 27001 Compliance?
What are the Benefits of having an ISO 27001 Compliant Information Security Management System?
How much does an ISO 27001 Compliant Information Security Management System Cost?
Who decides whether an Organization’s Information Security Management System is compliant?
How do I get an ISO 27001 Certificate?
Are the Controls listed in Annex A enough to meet requirements?
Why are there so many Standards (47+) in the ISO 27000 Series of Standards?
What is the significance of ISO 27002?
Can I get Certified to ISO 27701, Personal Information?
Where do other established ISO Standards like PCI-DSS or the Payment Card Industry Data Security Standard fit in?
Can we get one site Certified to ISO 27001, or must it be the entire organization?
Is GDPR Compliance compatible with ISO 27001 Compliance?
We’re an SME. Do we need cybersecurity?
How to Choose a Certification Body?
Are £1995 ISO 27001 Certificates You Can Get Within 30 days Legitimate?
Why is it Important to Get Certified by the Proper Certification Body?
How do you ensure your Information Security Management System complies with ISO 27001?
How do you verify if an organization is ISO 27001-compliant?
Do Management Representatives or others responsible for an ISMS need training?
Do Internal Auditors need training?
Here you'll find the ISO 27001 Training Course you want ...
Your current circumstances will dictate which is the best choice of Course for you.
If you are a Management Representative or something similar, and don’t feel confident about ISO 27001:2022, this 39-hour lead implementer course is for you. See what an efficient and effective ISMS looks like here.
Take this 42-hour Lead Auditor course if you need an in-depth knowledge of ISO 27001: 2022. This is the certification you need if you hope to audit for a Certification Body.
This 39-hour Lead Implementer Course is what you need. It includes a 31-step Path to Certification, a 100+ page ISO 27001:2022 Implementation Handbook, a Documentation Toolkit with loads of example SOPs, Forms, sample Statement of Applicability, as well as Auditor Certification for yourself.
Our ISO 21001 Educational Organization status is shown on all Certificates we issue.
Shareable Credentials
Instantly verify your qualification to a potential client or employer with our ISO auditor certificates that come with QR codes.
Self-paced and On-demand
Speed through to review the topics you understand well but take your time, and repeat as you wish, sections that are new or challenging.
Adult-Oriented Learning
Lessons are delivered using methods suited to adult learning, including lectures, FAQs, and quizzes.
Satisfied Customers Say:
… it has been an excellent source of information and increased my experience of implementing the ISO 9001 and auditing.
There were a few minor issues with course content integration with the course software; however, Customer Service through the Support Ticket was quick to respond and address issues. The ability to learn and gain qualifications through an online platform such as deGRANDSON’s offer is an extremely flexible option. I would commend this learning option and the use of Safari iOS, which works consistently with the learning platform. The Support Team is very efficient and quickly resolves any issues that might be encountered, many thanks.
This is an excellent course. The content in the 3 modules was so beneficial and helped me to grasp details that I had previously struggled with. It was evident that the content was factual and from the real world in its tips for application. The answers and direction provided in the FAQ’s was excellent and very helpful. Any query I had was answered promptly. I honestly don’t know what you could do better. Thank you for all your help and guidance.
Course states 24 hours, I would say it took double that time to complete. Had some technical difficulties but Ultan King in support has been very helpful in resolving all issues.
Have only completed the first part of the course, enjoying it immensely, so far. The content is thorough and clearly explained. I only have one small observation – that it may be better using a real person, or even person(s), to present rather than a computer-generated voice, which can be a little wearing over time.
I’m extremely pleased with my ISO 45001 Lead Auditor course from deGrandson that I started in February 2021. I work for Amazon as a Construction Manager constructing fulfilment centers in the UK, EU and worldwide. The course material is excellent, the online learning system is very easy to use and the course is very well structured. I highly recommend this course by deGrandson. Dr John FitzGerald is an expert in this subject area and it shows. You will be pleased that you also chose to study with deGrandson.
On-line study at my own pace is the most suitable learning medium for me. The course is timely with the latest 2019 edition of the Standard, coupled with a value-for-money package.
All the way through this course I have been extremely impressed with the excellent support that has been in place for students, and this provides confidence that issues are resolved promptly with fair consideration.