The new edition of ISO/IEC 27002, published in February 2022, brought a breath of fresh air to the already somewhat dusty 27000 series of standards. But it was only a harbinger, because the new version of ISO/IEC 27001, which is considered the leading international standard for information security management systems (ISMS), followed just a few months later in October 2022. Although certification is only possible against ISO/IEC 27001, ISO/IEC 27002 offers detailed descriptions that help implement the measures required in Annex A of ISO/IEC 27001. These measures are intended to help achieve the objectives of the ISMS. ISO/IEC 27002 is therefore to be understood as a supplement to ISO/IEC 27001 and contains comprehensive information that can support the implementation of a functioning ISMS - the descriptions of measures that go beyond the requirements of ISO/IEC 27001 are, however, merely recommendations. But what specific changes do the new editions of these two standards bring with them?

New structure, new controls

First of all, the changes that affect the requirements for the ISMS itself are manageable. However, one thing is immediately apparent when looking at ISO/IEC 27002: the editors have given it a new basic structure. Some definitions have also been revised and new terminology introduced. In addition, the evaluation method has been changed: in the future, measures will be categorized according to their properties (attributes). The most significant change, however, is to be found in the listed controls, which have been merged, deleted and added. An impressive 11 new controls were added, while only one control was replaced. The former fourteen main categories have been reduced to four. As was to be expected, this change is also reflected in Annex A of ISO/IEC 27001:2022 and is thus relevant for certification. Those who have established their ISMS according to ISO/IEC 27001 should now put it to the test and evaluate possible adaptation requirements. This applies in particular to risk management and the Statement of Applicability (SoA). Direct references to the ISO standards in the internal documentation must also be updated.

How to prepare employees for the changes?

The new editions of ISO/IEC 27001 and ISO/IEC 27002 are no reason to despair. However, existing structures and measures must be reviewed and adapted to the new requirements. There is an acute need for action, particularly for companies that are already certified or that are seeking certification in accordance with ISO/IEC 27001. The latter must adapt to the new structure accordingly. For certified companies, there is a transition period of 36 months from the date of publication of the revised standard. This means that all existing certificates must be converted to the new ISO/IEC 27001:2022 by October 2025. However, in order to understand the innovations and to be able to implement the necessary changes in a professional manner, professional training and awareness training are essential. We support you in this: Security-Island offers innovative training solutions on the topic of information security. In our e-learning channel of the same name, you will find courses for employees and managers that will help you actively strengthen your ISMS and drive the effective implementation of individual measures.