Proceedings of the 33rd European Safety and Reliability Conference (ESREL 2023)
3 – 8 September 2023, Southampton, UK

How Can ISO/IEC 27001:2013 be Associated with ISO/IEC 27001:2022, ISO/IEC 27002:2022, and 27019:2018 Using the Mapping Table?

Erfan Koza^a and Asiye Öztürk^b

Clavis Institute for Information Security, University of Applied Sciences.

ABSTRACT

Following the amendment of ISO/IEC 27001:2022, the normative standard that states the requirements for an information security management system (ISMS), and of ISO/IEC 27002:2022, the informative reference and implementation guideline for putting an ISMS into practice, actors in the energy industry face the challenge of combining and cross-referencing the newly defined and restructured requirements and contents of ISO/IEC 27001:2022 and ISO/IEC 27002:2022 with the industry-specific requirements of ISO/IEC 27019:2018, which has not yet been updated. Doing so maintains the state of the art in information security for the operational technology used in power generation and distribution grid operations. The specific challenge is to transfer the existing statement of applicability based on ISO/IEC 27001:2013 into the new ISO/IEC 27001:2022 structure and then to link it with the industry-specific requirements of ISO/IEC 27019:2018. In this paper, we show the changes in content and structure that the amendment of ISO/IEC 27001 entails. Furthermore, the advantages and disadvantages of the amendment are listed. Subsequently, a mapping tool is presented.

Keywords: ISO/IEC 27001:2022, Operational technology, Energy utility systems, Information security, ISMS.
