Abstract
The international standard ISO/IEC 27001 “Information security, cybersecurity and privacy protection – Information security management systems – Requirements” [1]
describes how an information security management system (ISMS) can be implemented and operated. In 2022, an updated version of ISO/IEC 27001 was published, replacing the previous version from 2013.
The goal of this thesis is to identify and analyze the changes between
ISO/IEC 27001:2013 and ISO/IEC 27001:2022 and their practical implications. For
this purpose, the affected standards were analyzed, and a literature review was carried
out.
In addition to adapting the main chapters to the “Harmonized Structure” of ISO,
which has little practical impact, the information security controls in Annex A
were comprehensively revised. The most important change in practice is the definition
of 11 new information security controls, including “Threat intelligence”, “Information
security for use of cloud services” and “ICT readiness for business continuity”.
Organizations already certified to ISO/IEC 27001:2013 must implement these 11
new information security controls to comply with the new version of the standard.
This thesis describes the requirements and guidelines of ISO/IEC 27001:2022 and
ISO/IEC 27002:2022 for these 11 controls as well as how they can be implemented in
practice. In addition, this thesis describes what other changes already certified organizations need to make to their ISMS, such as adapting the Statement of Applicability to
the changed controls and the new structure of Annex A, adding a newly required
point to the management review, or adapting the internal audit to the changed requirements.
In addition to organizations already certified to ISO/IEC 27001:2013, the new
version of ISO/IEC 27001 also has an impact on auditors who check conformity with
ISO/IEC 27001:2022. This thesis describes which changes auditors need to make to
their audit documents, such as adapting the audit plan or developing audit questions
for the new Annex A controls.
| Date of Award | 2024 |
|---|---|
| Original language | German (Austria) |
| Supervisor | Robert Kolmhofer (Supervisor) |