Performance evaluation
ISO/IEC 27001 was one of the first standards to adopt the Annex SL high-level structure back in 2013, and since then ISO has tweaked that structure a little through the releases of ISO 9001 and other management system standards from 2015 onwards. The resulting changes to ISO/IEC 27001 are small and are unlikely to give most certified organizations any sleepless nights.
Firstly, there are some wording changes in the following clauses:
• 4.2 Understanding the needs and expectations of interested parties
  o A third bullet is added to specify “which of these requirements will be addressed through the information security management system”.
• 4.4 Information security management system
  o The phrase “including the processes needed and their interactions” is added, requiring more definition of the processes of the ISMS.
• 5.3 Organizational roles, responsibilities and authorities
  o The phrase “within the organization” is added at the end of the first sentence.
• 6.1.3 Information security risk treatment
  o The notes are replaced.
• 6.2 Information security objectives and planning to achieve them
  o The need to monitor objectives is added to the list.
• 7.4 Communication
  o The current wording about communication processes has been replaced with a simple “how to communicate”.
• 8.1 Operational planning and control
  o The need to establish criteria for the processes of the ISMS has been added.
There’s a new sub-clause 6.3 Planning of changes which deals with changes to the management system and requires any changes to be considered from the point of view of their purpose and consequences, the integrity of the ISMS, the resources available, and whether any changes to responsibilities and authorities are involved. This will require a simple planning process to be in place, with evidence that these areas have been considered.
Within Clause 9 (Performance evaluation), sub-clauses 9.2 (Internal audit) and 9.3 (Management review) have been further subdivided into 9.2.1 General and 9.2.2 Internal audit program, and 9.3.1 General, 9.3.2 Management review inputs and 9.3.3 Management review results, respectively. The two sub-headings in Clause 10 have been swapped around, so that 10.1 is now Continual improvement and 10.2 is Nonconformity and corrective action. This is mainly to aid readability and to match the latest definition of Annex SL (also known as the “Harmonized Structure”).
But the main change in the 2022 version of ISO/IEC 27001 is the adoption of the new control set from the ISO/IEC 27002 guidance standard. This is included as Annex A of ISO/IEC 27001. Annex A in its new form consists of a total of 93 controls (there were previously 114), of which 11 are stated to be additions to the previous control set. Many controls