
Navigating the New ISO Standards: ISO/IEC 27001:2022 and What Lies Ahead 

Article by Tsaaro

7 min read

 
Introduction 

As data breaches and cyber threats become increasingly prevalent, information security frameworks are undoubtedly the need of the hour. ISO/IEC 27001:2022 stands as the international benchmark for Information Security Management Systems (ISMS), offering organizations a comprehensive way of protecting their information assets. The standard not only provides a method for managing sensitive data but also aligns with global best practices to ensure resilience against emerging security challenges. 

It helps organizations protect their information assets by providing an outline for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an Information Security Management System.  

With sustainability goals and the deteriorating state of the environment in mind, the amendment published in 2024 brought notable changes to several management system standards, including ISO 9001, ISO 45001, ISO 14001, and ISO 27001. The amendment affected Clauses 4.1 and 4.2 of these standards. Under Clause 4.1, organizations are now required to consider changes in external and internal issues that may impact their management system, with particular emphasis on the effects of climate change. Clause 4.2 introduced a new requirement for organizations to identify the needs and expectations of interested parties relevant to their management system, including those pertaining to climate change.  

 
What Are the Changes to ISO/IEC 27001:2022? 

The latest iteration of the standard, ISO/IEC 27001:2022, titled “Information Security, Cybersecurity and Privacy Protection,” was published on October 25, 2022. While ISO 27001 serves as the foundational certification standard, it is commonly used in conjunction with ISO 27002, which provides guidance on the implementation of the Annex A security controls. The 2022 revision introduces several noteworthy yet minor updates to the core clauses, specifically clauses 4 through 10. 

Within these core clauses, several refinements have been made. Clauses 9.2 (Internal audit) and 9.3 (Management review) have been further delineated into sub-clauses for enhanced clarity. Specifically, Clause 9.2 is now divided into 9.2.1 (General) and 9.2.2 (Audit Programme), maintaining the original requirements. Similarly, Clause 9.3 is split into 9.3.1 (General), 9.3.2 (Management review inputs), and 9.3.3 (Management review results). A new requirement has been added under management review inputs (9.3.2(c)), mandating that organizations review changes in stakeholder expectations. Furthermore, Clause 4.2 now explicitly requires organizations to determine which stakeholder expectations will be addressed through their information security management system (ISMS). In Clause 6.2, two new conditions have been introduced specifying that objectives must be monitored and documented. A completely new addition is Clause 6.3, which focuses on the planning of changes to the ISMS. Finally, Clause 8.1 now provides more specific guidance on how to meet operational planning and control requirements. 

The most significant changes are found within Annex A, which has been updated to align with ISO/IEC 27002:2022. The previous total of 114 controls has been streamlined to 93. This was achieved by merging 57 controls into 24, while 58 controls remained largely unchanged. The controls are now organized into four distinct themes: A.5 Organizational Controls, comprising 37 controls; A.6 People Controls, with 8 controls; A.7 Physical Controls, encompassing 14 controls; and A.8 Technological Controls, listing 34 controls. Additionally, eleven new controls have been introduced to Annex A. These are A.5.7 Threat intelligence, A.5.23 Information security for the use of cloud services, A.5.30 ICT readiness for business continuity, A.7.4 Physical security monitoring, A.8.9 Configuration management, A.8.10 Information deletion, A.8.11 Data masking, A.8.12 Data leakage prevention, A.8.16 Monitoring activities, A.8.23 Web filtering, and A.8.28 Secure coding.  

Organizations currently certified under ISO 27001:2013 have until October 31, 2025 to transition. Certification to the 2013 version will no longer be valid after this date. New certifications after November 1, 2023 must follow the 2022 version. Transition can occur during regular surveillance or recertification audits. To adopt the updated Annex A, organizations can either compare current risk assessments with the new controls or start fresh with a new assessment. In both approaches, updates to the Statement of Applicability and risk treatment plans are required. 

ISO’s Climate Change Amendments 

Assessing Climate Relevance: Organizations are now required to determine whether climate change is a relevant issue affecting their ability to achieve set targets. This involves evaluating both internal and external factors, such as operational processes, supply chain vulnerabilities, and regulatory landscapes.   

Considering Stakeholders’ Climate Concerns: The amendment to Clause 4.2 introduced a note stressing that interested parties may have requirements related to climate change. This prompts organizations to engage with stakeholders including customers, regulators, investors, and community groups to understand their climate-related expectations.  

Encouraging ESG Alignment: By mandating the assessment of climate relevance and stakeholder expectations, the amendments encourage organizations to align their management systems with broader Environmental, Social, and Governance goals. Organizations are encouraged to consider factors such as energy efficiency, resource conservation, and social responsibility in their decision-making processes. 

Affected Standards - ISO 9001, 14001, 45001, 22301, 50001 

Climate change considerations were added to 31 existing management systems standards as an amendment to reflect ISO’s climate action commitments. Among those standards are ISO 9001, ISO 14001, ISO 22000, ISO 22301, ISO 27001, ISO 45001, and ISO 50001. One exception is ISO 13485. 

The amendment is exactly the same for all of these standards, and surprisingly, the changes are presented in only two sentences. One was added at the end of subclause 4.1, stating that organizations must assess the relevance of climate change to their operations. The second is a note that was added at the end of subclause 4.2, stating that interested parties may possess climate change-related requirements. 

These changes are intended to: 

  • Ensure that organizations consider climate change as an external factor impacting the effectiveness of their management system. 
  • Align with the spirit of the London Declaration, a commitment made by ISO in 2021 to combat climate change through the development of international standards, emphasizing the importance of climate considerations. 
  • Remind organizations of their responsibility toward climate-related issues, even if it doesn’t directly lead to environmental actions like reducing carbon footprint. 

Impacts on Certified Organizations 

Certified organizations are now required to evaluate whether climate change is a relevant issue affecting their operations. This involves reviewing internal and external factors, including the needs and expectations of interested parties. If climate change is deemed relevant, organizations should update their documented context and any registers or logs that outline stakeholder requirements. If evaluations indicate necessary changes to the management system, updates should be implemented following the organization’s established change management processes. It’s important to note that these amendments are effective immediately and form part of the standard’s requirements; however, they do not necessitate a new certificate unless there are changes to the scope or details of the certified management system. 

ISO 9001:2026 – Quality Management 

The revision of ISO 9001, the standard for quality management systems, is now expected to be postponed until 2026. Initially, the updated version was planned for release by the end of 2025. A first draft, the Committee Draft of ISO 9001, was published in April 2024 and submitted to the members of the ISO committee ISO/TC 176 for discussion. At the most recent ISO meeting in Detroit in July 2024, it was decided that an additional draft, known as Committee Draft 2, must be created. This decision was taken because the current state of the document was not considered mature enough for the next step, publication as a Draft International Standard. Consequently, TC 176/SC 2/WG 29 will prepare a Committee Draft 2 (CD2) and submit it for a further round of comments. This step is necessary to address issues that still require clarification, including harmonization of the terms and principles of ISO 9000 with the requirements of ISO 9001, and ensuring the unambiguous and correct use of the ISO Annex SL Harmonized Structure specification.   

Conclusion  

The 2022 revision of ISO/IEC 27001 introduced amendments that reflect the growing need for stronger information security and improved risk management practices. The revision of the core clauses and of the Annex A controls, including the reduction from 114 to 93 controls, makes the standard more practical and aligned with current technological and operational realities. The changes also bring clarity to definitions and reinforce the importance of a planned, systematic approach to managing information security risks across all sectors. 

In addition to cybersecurity, ISO’s 2024 climate change amendments show a clear shift toward integrating sustainability into management systems. Organizations certified under ISO 9001, ISO 14001, ISO 45001, ISO 22301, and ISO 50001 are now required to assess how climate change may affect their operations and consider the expectations of stakeholders on this front. These changes underline ISO’s broader focus on aligning business practices with environmental responsibility and long-term resilience. 

It is now essential for organizations to stay informed and make the necessary updates to their management systems. Doing so will not only ensure compliance with the revised standards but also strengthen the organization’s ability to meet future challenges in information security and sustainability. 
