

ISO 27001:2022 is not significantly different from ISO 27001:2013, but there are some notable changes:

The ISMS now explicitly includes the “processes needed and their interactions”. You must now identify the “relevant” requirements of interested parties and determine which of those requirements will be addressed through the ISMS. The requirements to define who will communicate, and the processes for effecting communication, have been replaced by a requirement to define “how to communicate”. There is a new section on planning changes to the ISMS; it does not specify any processes that must be included, so you should determine how you can demonstrate that changes to the ISMS have indeed been planned. Information security objectives must now be monitored and made “available as documented information”.
