Scrutinizing the revised ISO 27001:2022 standard
The recently revised ISO 27001:2022 standard emphasizes the importance of information security as an integral part of organizational governance. This revision causes changes not only in the guidelines, but also in the implementation and execution of risk management within organizations.
Instead of relying (or continuing to rely) on a static risk analysis, often based on an outdated risk register, the new standard emphasizes continuous risk awareness and the need for greater flexibility and adaptability. This means that organizations must continually evaluate their risk management processes and make adjustments as and when needed.
How is risk analysis changing due to the new emphases in risk thinking?
Influenced by the latest ISO 27001 update (dated 2022 and implemented in 2025; the first update since the 2013 version of the standard), there is less emphasis on a static risk register and more on a dynamic and ongoing evaluation of risk. The current standard, ISO 27001:2022, encourages organizations not only to identify risks, but also to systematically evaluate and monitor them.
There is a stronger focus on the link between risks, measures, and the roles and departments involved. This means that risk management requires a joint effort by all stakeholders within the organization, and is no longer just the responsibility of the IT department.
Risk analysis as a cyclical process
ISO 27001:2022 requires risk analysis to be a ‘living’ process. This means that risks must be reviewed periodically so that they can be adjusted when necessary. Performing a risk analysis once a year is no longer sufficient.
Visualization, prioritization, and monitoring of risks take on a greater role. By clearly identifying and continuously monitoring risks, organizations can respond more quickly and effectively to changes and potential threats.
In practice, what will be different for your organization?
One of the most important changes is the need for clear ‘ownership’ of risks. This means that it must be clear who within the organization is responsible for following up on identified risks. In addition, reporting and accountability are becoming more important, especially in the context of audits. There must be consistent documentation showing how policies, risks, and measures are related.
Tools and processes must make the connection between these elements visible and manageable so that organizations are not just compliant, but actually more resilient.
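As an added illustration (not code from the original article or from WoodWing Scienta), the following register model checks the three expectations described above for each risk: a named owner, links to at least one measure and one policy, and a review within the agreed interval. The field names, the 90-day default cadence and the sample entries are assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

@dataclass
class Risk:
    risk_id: str
    description: str
    owner: Optional[str]        # accountable person or role; None = no ownership
    controls: List[str]         # linked measures (illustrative control ids)
    policies: List[str]         # linked policy documents
    last_reviewed: date
    review_interval_days: int = 90   # assumed cadence, not prescribed by ISO

def register_findings(risks: List[Risk], today: date) -> Dict[str, List[str]]:
    """Return, per risk id, the governance gaps an auditor would flag.

    A risk with no gaps does not appear in the result, so an empty dict
    means the register satisfies all checks on the given date.
    """
    findings: Dict[str, List[str]] = {}
    for r in risks:
        gaps = []
        if not r.owner:
            gaps.append("no owner")
        if not r.controls:
            gaps.append("no linked control")
        if not r.policies:
            gaps.append("no linked policy")
        due = r.last_reviewed + timedelta(days=r.review_interval_days)
        if today > due:   # review is late: the register has gone static
            gaps.append(f"review overdue since {due.isoformat()}")
        if gaps:
            findings[r.risk_id] = gaps
    return findings

# Constructed sample register: one healthy entry, one orphaned and stale
# entry, and one entry missing its policy link.
SAMPLE_RISKS = [
    Risk("R-001", "Excessive access to HR share", "CISO",
         ["A.5.15"], ["Access Control Policy"], date(2025, 4, 15)),
    Risk("R-002", "Backups not restore-tested", None,
         [], ["Backup Policy"], date(2024, 12, 1)),
    Risk("R-003", "Single backup location", "IT Ops",
         ["A.8.13"], [], date(2025, 5, 20), review_interval_days=30),
]
TODAY = date(2025, 6, 1)   # fixed date so the run is reproducible

def sample_findings() -> Dict[str, List[str]]:
    return register_findings(SAMPLE_RISKS, TODAY)
```

Running `sample_findings()` reports R-002 as having no owner, no linked control and an overdue review, and R-003 as lacking a policy link, while R-001 passes.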
How Scienta supports structured, ongoing risk analysis
WoodWing Scienta helps organizations link risks and controls to processes, documents, and responsibilities. This supports the so-called PDCA (Plan-Do-Check-Act) cycle of identifying, planning, executing, monitoring, and adjusting.
By using Scienta, it becomes easier to demonstrate that risk management is firmly embedded in the organization. This is valuable not only in the context of compliance but also for strengthening your organization's information security overall.