Changes to ISO 27001

ISO 27001 is an international standard that outlines the requirements for an information security management system (ISMS). It provides a framework for organisations to follow in order to securely manage their information and protect it from unauthorised access, use, disclosure, disruption, modification, or destruction.

The previous version of ISO 27001 was ISO/IEC 27001:2013. However, a new version, ISO/IEC 27001:2022, was released in October 2022. Some of the key changes in the updated standard include:

1. A stronger emphasis on risk management – The updated standard places a greater emphasis on risk assessment and the treatment of risk. It also requires organisations to establish a formal risk management process – we’d recommend organisations follow the ISO 31000 risk management process.
2. New requirements for supply chain security – The updated standard includes new requirements for managing and protecting information throughout the supply chain. Globally, we’ve seen regulators focussing on this. Many regulators have introduced guidelines/regulation around the outsourcing of critical business activities.
3. A focus on data privacy – The updated standard includes additional requirements related to the protection of personal data and the handling of data breaches. This ties in with the introduction of many pieces of data protection regulations, including GDPR.
4. Changes to the structure and organization of the standard – The updated standard has a new structure, with a more logical flow and clearer language.

It is important for organizations that are currently certified to ISO 27001:2013 to be aware of these changes and to prepare for the transition to the updated standard. This may involve updating their ISMS to meet the new requirements and undergoing a recertification process.

To learn more about how the CalQRisk solution can assist with cybersecurity risk management, ISO 27001 compliance and more, request a free tailored demo.