Search results


  • 27001:2022 Query

    Hi Dejan,

    Regarding this article:

    https://advisera.com/27001academy/blog/2022/01/30/main-changes-in-the-upcoming-new-version-of-iso-27002/

    1 - What's the difference between a Section and an Annex? (Is the Annex just an Appendix?)

    I assume you are asking about ISO 27001 sections and Annex A. Annex A lists all the 93 controls, and they are divided into 4 sections (Organizational, People, Physical, and Technological controls).

    2 - ISO 27001 has 114 controls in Annex A - ISO 27002-2022 now has only 93, down from 114 - does/how does this affect the controls in 27001 Annex A - i.e. will they now be 93, not 114?

    Your assumption is correct. Released in October 2022, ISO 27001:2022 Annex A has now only 93 controls, aligning this standard with ISO 27002:2022.

    3 - So will ISO 27001 become ISO 27002?

    ISO 27001 will not become ISO 27002. They have different purposes.

    Please note that ISO 27001 is the standard that provides requirements for the implementation of an Information Security Management System (ISMS), while ISO 27002 is a complementary standard, which provides guidance to implement controls defined in ISO 27001:2022 Annex A. Additionally, ISO 27002 is not mandatory to implement ISO 27001 requirements.

    For further information, see:

    4 - Also, in reality, how would a small company deal with the following: A.5.7 Threat Intelligence - gather information and analyse them? (interpret) Could this be outsourcing to AV/MDR or something else?

    To implement control A.5.7 Threat Intelligence, a company should consider gathering information internally (e.g., from logs of internal systems, incident reports, etc.), as well as from external sources (e.g., vendor reports, government agency announcements, etc.).

    ISO 27001 does not prescribe that the organization needs to perform this information gathering by itself, so outsourcing this activity is an acceptable option.

    For further information, see:

    • Detailed explanation of 11 new security controls in ISO 27001:2022 https://advisera.com/27001academy/explanation-of-11-new-iso-27001-2022-controls/

    • 8.5.1.5 Total productive maintenance

      Thank you.

    • SoA update

      For this conversion you need a map identifying:

      • the new IDs for old controls that did not change. For these you only need to update the control ID from your current SoA, keeping all the remaining information the same. For example, control A.9.1.1 Access control policy, is now A.5.15 Access control.
      • the new IDs for old controls that change only the control name. For these, you need to update the control ID and control name from your current SoA. For example, control A.14.3.1 Protection of test data is now A.8.33 Test information.
      • the new IDs for old controls that were merged. For these you need to create a new entry, merging the information from merged controls, and excluding the entries from the older version. For example, controls A.5.1.1 Policies for information security and A.5.1.2 Review of the policies for information security are now A.5.1 Policies for information security.
      • the new IDs for the new controls. For these, you will need to update your risk assessment to verify if these new controls are applicable or not and include the proper information. For example, control A.5.7 Threat intelligence.

      This paper can help you with the new IDs:

      This tool can also help you:

      • ISO 27001:2013 to ISO 27001:2022 Conversion Tool https://advisera.com/insight/iso-27001-2013-to-iso-27001-2022-conversion-tool/

      • Controls in new ISO 27001

      • ISO/IEC 27001 Implementation

        It’s not our policy to make recommendations about external tools.

        In terms of Advisera products for ISO 27001 implementation we can mention:
        - ISO 27001 documentation toolkit, a set of document templates you can use to implement the standard
        - Conformio, a cloud-based software solution that can help you implement and operate an Information Security Management System compliant with ISO 27001.

        For further information, see:

        • Toolkits vs. Conformio – Which is more applicable for my company? https://advisera.com/articles/toolkits-vs-conformio-which-is-more-applicable-for-my-company/
        • Conformio (online tool for ISO 27001) https://advisera.com/conformio/
        • ISO 27001 Documentation Toolkit https://advisera.com/27001academy/iso-27001-documentation-toolkit/
      • Change control document

        Please note that at the beginning of section 3 Change management, you can adapt the following text:

        “Each change to operational or production systems must be made in the following way:” replacing “change to operational or production systems” with the scope of change you want to cover, like:

        “Each change to software, virtual machines, and technological and development environments must be made in the following way:”

        In case you need to write a more detailed document, e.g., for including specific activities for each type of change, you can schedule a meeting with one of our experts so he can help you develop the document. To schedule a meeting please access this link: https://advisera.com/contact/

        For further information, see:

      • Merging ISO 9001 & ISO 17025

        Whether you apply for the laboratory’s accreditation with Option B depends on your organizational structure and whether ISO 9001 applies to just the laboratory, or to other departments in the organization. Have a look at the Q&A at https://community.advisera.com/topic/implemention-of-iso-17025/ for more information and links.

        If you choose option B, ensure that the laboratory activities and ISO 17025 requirements covered in the ISO 9001 processes and procedures are met sufficiently. You should identify this through a gap audit.

      • Is ISO 27001 certification relevant for us?

        Please note that ISO 27001 can be used to help protect the information in any media, either electronic or physical format.

        Since your business is related to physical records storage, many controls suggested in ISO 27001 Annex A can help you increase the confidence of your customer in your business.

        For further information, see:

      • Some question about certification ISO 27001

        1. On which documents do we have to write the information like “User, Version, Change History etc.”? In the document “00_Verfahren_zur_Lenkung_von_Dokumenten” it is written that this procedure encompasses all documents and records, stored in any possible form – paper, audio, video – if the documents are related to the ISMS. But which documents does it concern exactly?

        The easiest way to figure out which documents need document control information is to check which documents you mention in the policies and procedures included in your toolkit.

        For example, in the Secure Development Policy, section 3.3 Secure engineering principles it is mentioned that procedures for secure information system engineering will be issued, so these procedures must contain document control information.

        Please note that user/version/change history is applicable only for documents.

        For further information, see:

        2. Similar question: Which documents have to include the master list and which the incoming mail book?

        First, it is important to note that ISO 27001 does not require a master list to be created.

        Considering that, in a master list you include information about all documents related to the ISMS scope (e.g., policies, procedures, reports, etc.), while in the incoming mail book you include information about documents of external origin, like customer and supplier documents, standards, laws, etc.

        3. And then we need to know, which information could be confidential? The entire certification process of the ISMS isn’t confidential but completely public for us.

        First, it is important to know that you only need to classify information in case you have risks, or legal requirements, demanding the implementation of control 5.12 Classification of information.

        Considering that, based on relevant risks and applicable legal requirements you can define the necessary classification levels (and you can even have a single classification level) and the criteria to apply them.

        Considering your statement, in case all information in your ISMS is accessible to your employees, but not to external parties, examples of classification levels to be used would be “internal” and “public”.

        For further information, see:
