The Inner Circle


IAF Mandatory Document Transition Requirements for ISO/IEC 27001:2022


    Posted Aug 14, 2022 10:31:00 PM
    Hi All,

    The IAF just published the IAF Mandatory Document Transition Requirements for ISO/IEC 27001:2022.

    This document is developed by an appointed Task Force of the IAF Technical Committee and in accordance with IAF PR 7:2022 Requirements for Producing IAF Mandatory Documents on Transitions. This document provides transition requirements for the following and is mandatory for the related IAF MLA AB signatories and accredited CABs:

    Normative Document: ISO/IEC 27001:2022
    Replacing: ISO/IEC 27001:2013
    Current Status (at time of MD publication): FDIS
    Transition Period: 3 Years (36 months)

    Key Changes
    ISO/IEC 27001:2022 is not a fully revised edition. Its main changes include:
    • Annex A references to the controls in ISO/IEC 27002:2022, which includes the information of control title and control;
    • The notes of Clause 6.1.3 c) are revised editorially, including deleting the control objectives and using "information security control" to replace "control";
    • The wording of Clause 6.1.3 d) is re-organized to remove the potential ambiguity.

    Note 1: The first two items come from ISO/IEC 27001:2013/AMD1:2022, the last item is from ISO/IEC 27001:2013/COR 2:2015.
    Note 2: Compared with the old edition, the number of controls in ISO/IEC 27002:2022 decreases from 114 controls in 14 clauses to 93 controls in 4 clauses. For the controls in ISO/IEC 27002:2022, 11 controls are new, 24 controls are merged from the existing controls, and 58 controls are updated. Moreover, the control structure is revised, which introduces "attribute" and "purpose" for each control and no longer uses "objective" for a group of controls.
    Note 3: ISO/IEC 27001:2013/COR 1:2014 is related to Annex A and overlapped by ISO/IEC 27001:2013/AMD1:2022.

    The Impact
    The impact of the changes in ISO/IEC 27001:2022 is limited to the introduction of a new Annex A because:

    1) ISO/IEC 27001:2013/COR 2:2015 has already been published and implemented;
    2) Annex A is normative.

    The requirements in ISO/IEC 27001 that use the reference control set in Annex A are the comparison process between the information security controls determined by the organization and those in Annex A (6.1.3 c)) and the production of a Statement of Applicability (6.1.3 d)). By comparing the necessary information security controls to those in Annex A, the organization may confirm that any necessary information security control from the reference set in Annex A is not inadvertently omitted.

    Such a comparison might not lead to the discovery of any necessary information security controls that have been inadvertently omitted. However, if inadvertently omitted necessary information security controls are discovered, the organization shall update its risk treatment plans to accommodate the additional necessary information security controls and implement them.

    As implied above, the impact of ISO/IEC 27001:2022 on organizations that have implemented an ISMS need not be significant.

    Michael Roza CPA, CISA, CIA, MBA, Exec MBA