ISO 27001:2022 - What's New? The Three Key Differences and Benefits Explained!

1. Reducing the number of controls

Regarding the number of controls, ISO 27001:2021 has reduced the number of controls from 114 in the previous version to 93. However, these controls are now structured into four categories, namely Organizational Controls, Human Controls, Technical Controls, and Physical Controls. The categorization provides a more streamlined approach to information security management, allowing for better organization and risk management. It is essential to note that the actual number of controls may vary depending on the organization's specific information security needs and risk assessment.

The first category, Organizational Controls, focuses on the management and governance of the Information Security Management System (ISMS). These controls include policies, procedures, and standards related to information security management. They also encompass the development and implementation of information security strategies, risk management frameworks, and other governance mechanisms to ensure that the organization's information assets are protected from unauthorized access or disclosure.

The second category, Human Controls, relates to the management of human resources related to information security. This includes the development and implementation of training programs, awareness campaigns, and other activities aimed at improving the information security culture within the organization. These controls also encompass the management of access to information systems and data, ensuring that employees and other stakeholders only access information on a need-to-know basis.

The third category, Technical Controls, refers to the management of technical aspects of information security. This includes the design, implementation, and maintenance of secure IT systems and networks, including access controls, encryption, and intrusion detection systems. Technical controls also encompass the development and implementation of security policies and procedures related to system maintenance, backup, and recovery.

Finally, the fourth category, Physical Controls, focuses on the management of physical aspects of information security. This includes the protection of the organization's physical assets and facilities, such as data centers, server rooms, and other critical infrastructure. Physical controls encompass the implementation of security measures such as surveillance, access controls, and environmental controls, to prevent unauthorized access, theft, or damage to the organization's physical assets.

2. Importance of risk-based thinking and a proactive approach

The ISO 27001:2022 standard also emphasises the importance of risk-based thinking and a proactive approach to information security management. Organisations are encouraged to identify and assess information security risks regularly, develop risk treatment plans, and implement controls that are proportionate to the identified risks.

The ISO 27001:2022 emphasizes the importance of risk-based thinking throughout the information security management process. Organisations are encouraged to regularly identify and assess information security risks, taking into account both internal and external factors that could impact the confidentiality, integrity, or availability of information assets.

Once risks have been identified and assessed, organisations are expected to develop risk treatment plans that outline how they will manage these risks. This includes implementing appropriate controls to mitigate risks and reduce the likelihood of security incidents occurring.

3. Emphasis on the involvement of top management 

The ISO 27001:2022 standard places a greater emphasis on the involvement of top management in information security management. Senior management is responsible for setting the information security policy, providing the necessary resources, and demonstrating leadership and commitment to information security throughout the organization. Top management is responsible for setting the information security policy and objectives, providing the necessary resources for the implementation of the ISMS, and ensuring that the ISMS is integrated into the organisation's overall business processes. They are also responsible for demonstrating leadership and commitment to information security throughout the organization, communicating the importance of information security to all stakeholders, and ensuring that information security is a key consideration in all business decisions.

To support this greater emphasis on the involvement of top management, the updated standard requires regular reporting to senior management on the effectiveness of the ISMS and the status of information security risks. This reporting helps to ensure that senior management has the necessary information to make informed decisions about information security and that they are aware of any emerging threats or issues that may impact the organization's information security posture.

In summary, the ISO 27001:2022 standard represents a significant evolution in information security management, providing organisations with a comprehensive framework for managing their information security risks effectively. By incorporating the latest best practices, technologies, and regulatory requirements, the standard enables organizations to ensure the confidentiality, integrity, and availability of their information assets, protecting their reputation, financial stability, and competitive advantage.

Who We Are

At core, LMS TRG is a compliance consulting and training organisation that builds and delivers powerful and practical products for people and businesses. Born and bred in Melbourne, Australia with an amazing team of expert auditors, consultants, and entrepreneurs.

Our area of expertise lies in providing training and guidance on compliance with the National Disability Insurance Scheme (NDIS) and the International Organisation for Standardisation (ISO). We also assist organisations in implementing effective management systems that are tailored to their specific needs and requirements. Our comprehensive approach to compliance training and management systems ensures our clients have the knowledge and tools necessary to meet regulatory requirements and industry standards. We are committed to helping our clients achieve success and maintain a culture of excellence in their operations.

We Care for each other, our members, and our society.

We Dare to discover and experiment, trying to be different and be fearless, and innovative.

We share our knowledge and experience, work together and continue to support our members.