ISO 27001:2022 Published! A summary of the changes to the Information Security Management Systems Standard
Every five years each ISO Standard goes through a review cycle in order to ensure they continue to reflect current industry best practices, or to determine if they require an update. For Information Security related standards, this has been especially important, so they’re kept up to date with the constantly evolving cyber threat landscape in the current digital world. Continual improvement of the standards is essential to outline the current best practices for protecting organisations’ data.
Information Security is rising in importance on almost every business agenda. With new cyber scenarios and data breaches occurring daily, urgency is changing. Between the increased adoption of cloud based systems, remote work, and automation of technologies, cybersecurity, and privacy, dealing with sensitive information in a structured and trusted way has never been so important. Businesses that implement a framework that protects their information assets and achieve Certification will benefit from gaining the trust of their stakeholders, as they will feel assured that their information is protected.
With the last version of ISO 27001 released in 2013, a new version of the Information Security Management System Standard was necessary to help organisations navigate new scenarios and threats, and make sure relevant and current security controls are in place. As a result, on 25 October 2022, ISO announced that the new version has been published: ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection – Information security management systems – Requirements.
What is ISO/IEC 27001?
What’s changed from the ISO 27001:2013 edition to the ISO 27001:2022 edition?
The first noticeable change of the updated standard is the name, now titled: ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection – Information security management systems – Requirements. This updated title more comprehensively reflects the standard’s purpose via the updated information security controls.
The most significant change in ISO 27001:2022 is the update of Annex A, to reflect the ISO 27002:2022 Guidelines update made earlier this year. Annex A outlines all Information Security Controls, which need to be applied to an organisation’s ISMS. The changes within Annex A include:
Let’s have a look at these changes in a bit more detail:
The previous version of Annex A contained 114 controls, which has now been reduced to 93. Technically, the new version contains fewer controls, but much of that decrease comes from redundant controls which have been removed or merged. In fact, there were actually 11 new controls added to Annex A, which include:
- Threat intelligence
- Information security for the use of cloud services
- ICT readiness for business continuity
- Physical security monitoring
- Configuration management
- Information deletion
- Data masking
- Data leakage prevention
- Monitoring activities
- Web filtering
- Secure coding
These additional controls add new layers of information security to the standard to reflect the current state of cyber security.
The new 2022 standard edition now organises the controls into 4 categories, in place of the 14 domains from the 2013 edition:
This change comes from an objective to make the control categories more modernised, simplified, and versatile. This allows the standard to be more ‘user-friendly’ and useful, as the previous control categories were found to be complex to navigate on a day-to-day basis, making it inefficient.
The updated version also provides a new organisational scheme for the controls. Attributes can be used to filter, sort or present controls in different views for different audiences. The security controls are now sorted by five attributes:
These new attributes help businesses prioritise the correct controls for their context. For example, if your primary concern is confidentiality, you can use these attributes to sort the controls by that one information security property.
Some other minor changes in the 2022 edition include:
These changes have been primarily made to align with other core ISO Management System Standards such as ISO 9001:2015 for Quality, ISO 45001:2018 for Occupational Health and Safety, and ISO 14001:2015 for Environmental. This allows for easier implementation of Integrated Management Systems.
How will these changes affect my current Certification to ISO 27001:2013?
There is a three-year transition period from the publication date of ISO 27001:2022. This means businesses will need to meet the requirements and get certified to the new version by October 2025.
If your business is already certified to ISO 27001:2013, you can continue to have your audits conducted against the 2013 standard requirements during the transition period, but you will need to update your ISMS, be audited against the new 2022 requirements and achieve Certification to ISO 27001:2022 before October 2025.
Keep in mind that by implementing the requirements of the ISO 27001:2022 Standard sooner rather than later, you’ll enjoy the benefits of the new Standard which should make your ISMS easier to manage. This is also a great opportunity to update your organisation’s controls to reflect the current demands for business Information Security.
History with other updates of Standards has shown us that waiting until the last minute to transition your Certification may result in your Certification lapsing, because the Certification Bodies become very heavily booked towards the end of the three-year transition period, meaning they may not have capacity to conduct your transition audit at the last minute. If your certification lapses, your business will have to go through stage 1 and stage 2 audits again, subsequently resulting in higher Certification costs. Don’t wait until it’s too late, start the transition process for the new version now to prepare.
The best time to arrange your transition audit is at one of your scheduled Surveillance or Re-Certification audits. However, if this timing doesn’t work out, it can be through a separate audit. The transition audit needs to include:
- An assessment against ISO 27001:2022, and the need for changes to your ISMS;
- The updating of the statement of applicability (SoA);
- If applicable, the updating of the risk treatment plan; and
- The implementation and effectiveness of the new or changed controls chosen.
As a minimum, the transition audit needs to include at least an additional 0.5 auditor day.
It’s important to note that all certifications based on ISO 27001:2013 will expire or be withdrawn at the end of the transition period (by 24 October 2025).
For businesses that are looking to get certified to the ISMS Standard for the first time, you can still achieve your initial certification to ISO 27001:2013, but you will also need to transition to ISO 27001:2022 before the end of the transition period. If you’re just starting out with developing your ISMS, we advise you start with ISO 27001:2022.
How should I prepare to make the transition to ISO 27001:2022
Before attending your next ISO audit (Re-certification, Surveillance or Transition audit), where you may choose to now be audited against the requirements of the 2022 edition of ISO 27001, you will need to ensure that your ISMS meets the updated requirements. You can make this transition by:
- Reviewing the new ISO 27001:2022 Management System Standard document, and familiarising yourself and your team with the changes.
- Conducting a gap analysis. This should include reviewing the security controls, as many of them have been merged, updated, and also new additions. This will help you determine what will be affected, and what needs to be adjusted. Ideally an expert consultant like ISO Certification Experts can conduct this to provide you with a report containing all the gaps and recommendations to best upgrade your system to the new changes.
- Updating your ISMS and implementing the changes. Many businesses will opt to use a Consultant to help them with this process. Consultants can assist businesses implement the new requirements in a way that suits their existing ISMS, and works for their current business practices. Engaging a consultant will also help minimise the risk of getting Non-Conformances during external audits, and losing your certification from not addressing the new requirements.
- Completing an Internal Audit to help identify if your Management System meets the updated ISO 27001:2022 requirements, or if it still requires further improvements. It is important to note that Internal Audits must be conducted by somebody who is trained and competent, to ensure your business gets the most out of this process.
- Conducting a Management Review to evaluate whether the ISMS is performing effectively after the changes have been implemented, and if its suitability and adequacy have remained. A consultant can also help you conduct and document Management Review meetings.
You will also need to update your Statement of Applicability (SoA) to reflect the 2022 edition. The SoA is a document which states the security controls and policies that are being applied by the organisation. Essentially, the SoA allows businesses to omit particular security controls when they are not relevant to the scope of their business.
Organisations must review their existing controls listed in their SoA, and align them with a current risk assessment of their information security environment, threats and vulnerabilities. As per clause 6.1.3 item (d) in the ISO 27001:2022 Standard document, the SoA must contain:
About the author
All information on this blog site is for informational purposes only. As this information is based on our professional experience, opinion, and knowledge, we make no representations as to the suitability of this information for your individual business circumstances. Especiality Pty Ltd trading as ISO Certification Experts and all related businesses and brands will not be liable for any errors, omissions, legal disputes or any damage arising from its display or use. All information is provided as is, with no warranties and confers no rights.
We will not be responsible for any material that is found at the end of links that we may post on this blog site. The advice, ideas, and strategies should never be used without first assessing your own personal business situation or seeking professional and/or legal advice. Information may also change from time to time to suit industry and business needs, requirements and trends.