As many of you are aware, an updated version of ISO 27001 was published in October 2022. While there is a 2-year grace period for transition, we would urge everyone to make a start on implementing the changes to ensure you are compliant with latest best practice standards. But where do you start? In the last episode, Mel and Steve gave an overview of the updated ISO 27001:2022, including a high-level look at some of the key changes. In addition to the control changes, there have been several changes made to specific clauses within the Standard. Mel is once again joined by Steve Mason, Managing Consultant here at Blackmores, to discuss the ISO 27001:2022 clause updates and their purpose. You’ll learn What clauses have been updated from the 2013 version of ISO 27001? Why have these clauses been updated?   Resources Isologyhub NIST Cyber Essentials ISO 9001   In this episode, we talk about: [01:06] The changes to these clauses appear to align your Management System with the business more so than in the previous iteration of ISO 27001 – a key focus is integration.  [01:20] First change: Clause 4.2 Understanding the needs and expectations of Interested parties – ‘c) which of these requirements will be addressed through the information security management system.’ - This seeks to align the Management System with interested parties and identify where it may or may not be able to meet their needs and expectations. [03:30] Clause 4.4 Information Security Management System – ‘The organization shall establish, implement, maintain and continually improve an information security management system, including the processes needed and their interactions, in accordance with the requirements of this document.’ – There will be more focus on process flows and not Policies and Procedures. This can be further used to align the Management System with your business, by clearly identifying where it fits in with your business activities.  [06:14] Clause 5.1. Leadership – ‘Reference to “business” in this document can be interpreted broadly to mean those activities that are core to the purposes of the organization’s existence.’ – This acts more as a reminder to top management to ensure they include the Management System as part of the business and not just a bolt-on. It should be a part of the strategy and part of the business (part of the ship, part of the crew) [07:42] Clause 6.1.3  Information Security Risk Treatment –‘ Note 2 in sub-clause ‘c’ now states ‘Annex A contains a list of possible information security controls.’ (it had previously read Annex A contains a comprehensive list of control objectives and controls.) – This simply means that you can add references to other controls outside of the list provided within Annex A i.e. NIST or Cyber Essentials. Though, do be careful to avoid doing this at minutia level, as that just increases Management System maintenance. [09:15] Clause 6.2  Information security objectives and planning to achieve them –‘ A couple of extra points have been added to this clause: d) be monitored g) be available as documented information’  - The monitoring was previously a given, but not really specified. So now, you’ll have to demonstrate how you’re monitoring objective planning and achievements. [10:24] Clause 6.3 Planning of Changes – ‘When the organization determines the need for changes to the information security management system, the changes shall be carried out in a planned manner.’ – This has now been aligned more with ISO 9001’s approach to changes. All changes should be planned before implementation, and this now includes information security consideration. Fun fact – they forgot to include this clause in the Standard table of contents! (as of January 2023, this will probably be added later!) [11:55] Clause 9.3.2  Management Review Inputs –‘ c) changes in needs and expectations of interested parties that are relevant to the information security management system’ – This just ensures that the needs and exp