This document is intended for IRM360 customers who are implementing the new ISO 27001 ANNEX A 2022 within CyberManager. After ISO 27002:2022, the new ISO 27001 ANNEX A 2022 is now also available. The updated standard brings a number of changes. For all the new elements, controls and explanations, please refer to the blog on our website. The blog can be read at www.irm360.eu under the heading: News/Blogs. In fact, what is mentioned here about the ISO 27002:2022 also applies to the ISO 27001 ANNEX A 2022.
The new standard is available for IRM360 customers. You can contact support@irm360.nl to add this standard to your environment. We add standards on request only. If you have purchased ISO 27001:2017 through us, we will add the standard free of charge. It is important that you also purchase the standard yourself from iso.org.
The blog reports that several controls have been merged and 11 new controls have been added. These new controls should therefore be added to your set of measures if you have purchased ISO 27001 from us.
The CyberManager has different implementations. Route A applies to environments where the measure setup consists of a Chapter 1, 2 and 3. Route B applies to environments where the CyberManager is set up with Chapter 1 + ISO27002:2017 measures.
If you have the H1, H2 and H3 measure setup in your environment, you can choose between Route A1 or Route A2.
In route A1, you choose to continue with your existing setup. On the standards side, ISO27001 A:2022 will be added, taking the links created by IRM360 with the H2 and H3 measures. As the current H2 and H3 measure set does not completely cover ISO27001 A:2022, a new measure set of 11 measures will also be added. These are similar to the 11 new ISO27002 measures and it is important that you attribute them to your own organisation.
If you have created or changed your own links between the H2 and H3 measures and ISO27001 A:2017, you will have to create your own links between the new measures and ISO27001 A:2022.
The image below shows what is being added to your environment.
You want to fully base your measure set on the new format that is in line with ISO 27001 A:2022.
We can add this measure set to your environment if required.
ISO27001 A:2017 consisted of 114 measures. Five years ago we felt this could be more efficient, and in chapters 2 and 3 of our standard measure set we reduced this to 71 aggregated measures in total. With the advent of ISO27001 A:2022, this would become 82 measures, as described in route A1.
We can imagine that you want to "transfer" the existing measures to the new structure. So in that case, you will get 93 measures, and you will need to transfer the H2 and H3 measures.
The image below shows what is being added to your environment.
If you have the ISO27002:2017 measure setup in place in your environment, you can choose between Route B1 or Route B2.
In route B1, you choose to continue with your existing setup. On the standards side, ISO27001 A:2022 will be added, taking the links described in ISO27002:2022 Annex B with the ISO27002:2017 measures. As the current ISO27002:2017 measure set does not completely cover ISO27001 A:2022, a new measure set of 11 measures will also be added. These are similar to the 11 new ISO27002:2022 measures and it is important that you attribute them to your own organisation.
If you have created or changed your own links between the ISO27002:2022 measures and the ISO27001 A:2017, you will have to create your own links between the new measures and the ISO27001 A:2022.
The image below shows what is being added to your environment.
You want to fully base your measure set on the new format aligned with ISO 27001 A:2022. We can add this measure set to your environment if required.
We can imagine that you want to "transfer" the existing measures to the new structure. In that case, you will get 93 measures and will need to transfer the 27002:2017 measures.
The image below shows what is being added to your environment.
Need support in implementing the new ISO 27001 ANNEX A 2022 standard in your environment? If so, we can refer you to your implementation partner or you can contact us.
This includes proper mappings to your measure set and advice on linking the new ISO 27001 ANNEX A 2022 measures to the new or any existing measures.
We are standing by to help you. Please contact sales@irm360.nl.