The small (but significant) change in ISO 27001
November 2024
What exactly is the change?
The headline news in the 2022 update of the ISO 27001 information security standard was, of course, the Annex A controls. Their grouping was changed from 14 groups (or domains, as they were referred to) down to just 4. They are:
- Organizational controls
- People controls
- Physical controls
- Technological controls
A large number of the individual controls were also added, deleted, combined or changed in some way. It is just one of those changes that we look at in this article.
Spot the difference...
ISO 27001:2013
A set of policies for information security shall be defined, approved by relevant management, published and communicated to employees and relevant external parties.
ISO 27001:2022
Information security policy and topic-specific policies shall be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties...
Both of these are extracts from Annex A control 5.1 Policies for information security in the two editions of the standard. While there are some minor changes in wording, they are largely semantics, such as changing "employees" to "personnel". The key difference that we are looking for here is the word "acknowledged". It was completely absent in the 2013 edition but is very much there in the 2022 edition.
So, what are the implications of this change in ISO 27001?
It is clear that ISO 27001:2022 requires policies to be acknowledged where applicable. It is also reasonable to expect that a certification auditor will look to see evidence of those acknowledgements having been made.
Note that the requirement in ISO 27001 is for policies to be acknowledged by relevant personnel and interested parties. That implies some definition of which policies are relevant to whom. For example, we may consider that an acceptable use or clear desk policy is relevant to all knowledge workers. However, a secure development policy (if you have one at all) may only be relevant to those involved in ICT development work and not relevant to, say, people in the HR or Accounts business units.
At this point, we should be clear about what is meant by acknowledgement. The guidance standard ISO 27002 helpfully explains that: "Recipients of the policies should be required to acknowledge they understand and agree to comply with the policies where applicable".
How to address the requirement in your ISMS
The first step is to define which policies must be acknowledged by which individuals or groups of people. To be useful in the longer term, that definition should be documented in some form.
The second step is to provide those people with the means of making that acknowledgement. ISO 27001 is rarely prescriptive about how its requirements are achieved, and that is also the case here. The method is left to your discretion.
The acknowledgement needs to be recorded as evidence for any regular monitoring, internal audits, and external certification audits.
One common solution that we see is for new starters to sign off on a checklist at their induction. That checklist might include a list of policies and a statement of the person's acknowledgement. While that method works for new starters, arrangements also need to be made for other circumstances, such as:
- Existing personnel, who may have been in place before the policy was published.
- People who have a change of role, so that a policy may now become relevant to them.
- External parties, such as contractors, to whom the policy may also apply.
- Any relevant people, when there has been a significant change to a policy.
It can certainly be quite tricky to develop a process robust enough to cover all the possible circumstances.
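The steps above amount to a small data model: a documented mapping of policies to the groups they apply to, an acknowledgement record tied to the policy version that was read, and a report of who still owes which acknowledgement. The following Python is an added illustration of that model, not code from this article or from the Qudos3 IMS software; the policy names, group names, people and dates are constructed sample data. It covers the four circumstances listed above: a new starter with no acknowledgements, someone whose role change makes a further policy relevant, an external contractor, and a policy revision that invalidates an earlier acknowledgement.

```python
"""Policy acknowledgement register (added example; constructed data, not Qudos3 code)."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Policy:
    policy_id: str
    title: str
    version: int                  # bump on a significant change to require re-acknowledgement
    applies_to: frozenset         # groups for whom this policy is relevant
    requires_ack: bool = True     # not every document needs acknowledgement


@dataclass(frozen=True)
class Person:
    person_id: str
    groups: frozenset             # current groups; updated when the person changes role


@dataclass(frozen=True)
class Acknowledgement:
    person_id: str
    policy_id: str
    version: int                  # the acknowledgement is evidence for this version only
    acknowledged_on: date


def relevant_policies(person, policies):
    """Policies this person must acknowledge: flagged, and applicable to one of their groups."""
    return [p for p in policies if p.requires_ack and p.applies_to & person.groups]


def outstanding(person, policies, acks):
    """Policy ids the person has not acknowledged at the policy's current version."""
    acked = {(a.policy_id, a.version) for a in acks if a.person_id == person.person_id}
    return sorted(p.policy_id for p in relevant_policies(person, policies)
                  if (p.policy_id, p.version) not in acked)


def acknowledgement_report(people, policies, acks):
    """Audit evidence: who still owes which acknowledgements (empty list = fully acknowledged)."""
    return {person.person_id: outstanding(person, policies, acks) for person in people}


# Constructed sample data. Group names and identifiers are assumptions for the example.
POLICIES = [
    Policy("POL-AUP", "Acceptable use", 2, frozenset({"all-staff", "contractor"})),
    Policy("POL-CLEAR", "Clear desk", 1, frozenset({"all-staff"})),
    Policy("POL-SECDEV", "Secure development", 1, frozenset({"ict-dev"})),
    Policy("GUIDE-TRAVEL", "Travel guidance", 1, frozenset({"all-staff"}), requires_ack=False),
]

ALICE = Person("alice", frozenset({"all-staff", "hr"}))            # existing staff; AUP revised since
BOB = Person("bob", frozenset({"all-staff", "ict-dev"}))           # new starter; nothing acknowledged
CAROL = Person("carol", frozenset({"contractor"}))                 # external party
DAVE = Person("dave", frozenset({"all-staff", "ict-dev"}))         # moved from Accounts into ICT development
PEOPLE = [ALICE, BOB, CAROL, DAVE]

ACKS = [
    Acknowledgement("alice", "POL-AUP", 1, date(2023, 3, 1)),      # superseded by version 2
    Acknowledgement("alice", "POL-CLEAR", 1, date(2023, 3, 1)),
    Acknowledgement("carol", "POL-AUP", 2, date(2024, 9, 10)),
    Acknowledgement("dave", "POL-AUP", 2, date(2024, 8, 2)),
    Acknowledgement("dave", "POL-CLEAR", 1, date(2023, 3, 1)),     # acknowledged before the role change
]

if __name__ == "__main__":
    for person_id, owed in acknowledgement_report(PEOPLE, POLICIES, ACKS).items():
        print(f"{person_id}: {'up to date' if not owed else ', '.join(owed)}")
```

Keying each acknowledgement to a policy version is what makes the revision case work without any special handling: bumping the version on a significant change automatically puts the policy back on everyone's outstanding list, while minor edits that keep the version leave existing evidence valid. Role changes are handled the same way, because relevance is recomputed from the person's current groups each time the report is run rather than fixed at induction.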
Our solution for acknowledgement
The solution that we built into our Qudos3 IMS software is both simple to use and very effective. Every document has the option of being flagged as requiring acknowledgement. Once it has been flagged, the document owner can choose which groups of people and other individuals need to acknowledge it. They are all automatically alerted and can confirm their acknowledgement when they next log in. The user has the opportunity to read the document and then confirm that they have read it, understood it, and agree to comply with it. The software takes care of record-keeping, reporting who has and has not acknowledged which documents, and sending reminders where necessary. It also allows revisions to policies to trigger a re-acknowledgement where the document owner considers it necessary.
If you have yet to implement a document acknowledgement solution, we would be pleased to arrange a demo for you.
Existing Qudos3 IMS software users may view the help system and detailed webinar recording on document acknowledgement or contact us for support.
Ready to start your journey to ISO 27001?
The first step in commencing a management system based on ISO 27001 is to conduct a Gap Analysis. We can provide a qualified, experienced certification auditor to perform a professional Gap Analysis service for you.
Contact us today to discuss your needs!
'ISO 27001 Information Security in plain English'
This website includes a series of blog articles in which we work through all the clauses and controls in ISO 27001. It is a great starting point for developing your ISMS.
It began with an introductory webinar. A copy of the slide deck is available for you here:
Click the LinkedIn Follow button below to receive notification of further articles and webinars.
There's nothing like word of mouth to share creative content. So, if you found this blog informative, please share it with a colleague or business associate.