DataGuard's expert insights on the ISO 27001:2022 update

ISO 27001 is the international standard when it comes to information security. 

And it just got an update: ISO 27001:2022.

Now you might be wondering how to get your ISMS up to scratch and ensure you remain compliant. Or how much time pressure you’re really under?

You’ve come to the right place.

We sat down with the expert — Kyle Tackley, Senior Principle at DataGuard’s UK Tech and Privacy Practice — to get the full lowdown on the ISO27001:2022 update: what has changed and how to get your certificate updated — in no time.

How did ISO 27001 originate, and why has it changed? 

The origins of ISO 27001 go all the way back to 1995. It was known as the BS 7799-1 standard. 

ISO 27001, the first edition, was published in 2005 and was last reviewed and updated in 2013. As of recently, the ISO 27001:13 standard has aged. Technology and the modern way of working have evolved immensely. And the standard has not been keeping up with the fast pace of change. 

The 2022 revision is the 4th modern edition of the standard, which brings ISO 27001 into the present way of working, focusing on cloud-first organisations. 

What are the main changes between ISO 27001:2013 and the ISO 27001:2022 standards? 

A couple of things have changed; the annexe has probably seen the biggest changes. Its controls are grouped differently, and entirely new ones have been introduced. 

In short:

  • 11 new controls were added
  • 57 controls combined
  • 23 controls changed names
  • and 3 controls removed 

We’ve also seen changes in the following: 

  • Risk management: The new version emphasises the importance of risk management as the core of the ISMS. It introduces additional requirements related to the organisation's context, risk assessment, risk treatment and risk acceptance. 
  • Leadership involvement: ISO 27001:2022 places a stronger emphasis on the involvement of top management in the information security management system. It expects leaders to demonstrate commitment, define roles and responsibilities, and ensure the integration of the ISMS into the organisation's processes. 
  • Performance evaluation: The revised standard includes requirements for monitoring, measuring, analysing and evaluating the ISMS. This focuses on ensuring the ongoing effectiveness and continual improvement of information security practices. 
  • Documented information: ISO 27001:2022 replaces the term "documented information" with "information necessary for the effectiveness of the ISMS." This change reflects the broader range of information forms, including digital, oral and visual. 

When it comes to clauses, the first three clauses have stayed the same, and clauses 4-10 have changed — they have additional content and points. We’ve also seen that some terms have become broader – e.g. in clause 8.1 ‘outsourced parties’ need to be controlled (any product/services related to your ISMS need to be controlled). This brings a more extensive scope.

 

What fundamental changes to Annex A controls are in ISO 27001: 2022?

As well as what we just mentioned above, the fundamental change to the annexe A controls in ISO 27001:2022 is that controls are now grouped into four simple themes, which are:

  1. People controls (8 controls)
  2. Organisational controls (37 controls)
  3. Technological controls (34 controls)
  4. Physical controls (14 controls)

 

How will the update affect your organisation if you are already certified to ISO 27001:2013?

In general, since October last year, all companies can certify against the 2022 revision. 

Organisations that are already certified will have until the 31st of October 2025 as the deadline to transition. As of that date, all certifications for ISO 27001:2013 will expire and will no longer be considered valid. 

In the meantime, organisations should continue to manage and improve their existing 27001:2013 ISMS in conjunction with planning a transition audit. If your company is not certified yet but still wants to certify against the 2013 revision, you can do so up to the 31st of October, 2024.

But generally speaking, the sooner you comply with ISO 27001:2022 — the better. It will save you time, money and frustration.

 

Do existing ISO 27001:2013 certificates need a separate audit for transitioning to the new ISO 27001:2022 revision?

No, not necessarily. Organisations will have three options here and should consider where they are in their 3-year ISO 27001 certification lifecycle before selecting which option works best: 

  • Standalone transition audit 
  • Transition audit at the time of an annual surveillance audit 
  • Transition audit at the time of a re-certification audit 

Tip: make sure your certification body has obtained accreditation to audit the new ISO 27001:2022 revision. 

DataGuard Newsletter

Secure your success.

Subscribe for actionable expert advice! 

Join 3,000+ business leaders who stay ahead of the curve with our monthly information security newsletter. 

Subscribe Now

 

How to transition to ISO 27001: 2022 step-by-step? 

If you already have an ISO 27001:2013 certification, we recommend taking these steps to transition into the 2022 revision. 

  1. Familiarise yourself with the changes: read and thoroughly understand the ISO 27001:2022 standard to identify the key changes compared to the 2013 version. Pay attention to new clauses, modified requirements and terminology. 
  2. Conduct a gap analysis: compare your existing Information Security Management System (ISMS) against the new standard. Identify gaps and areas where your current ISMS needs to be updated to comply with the 27001:2022 requirements. 
  3. Update your documentation: revise and update all relevant documents, including the ISMS manual, procedures, work instructions and forms, to reflect the changes required by the ISO 27001:2022 standard. Make sure that the documentation is accurate, up-to-date and easily accessible. 
  4. Revise the risk assessment process: evaluate your current risk assessment methodology and update it to incorporate changes in the threat landscape, vulnerabilities, legal and regulatory requirements and business context. Make sure that the risk assessment is comprehensive and covers all relevant areas.

If you don’t want to go through those steps alone, we recommend getting a DataGuard expert on board, who can walk you through the process step-by-step. We’ve also got the documents, tools and expertise to get it done in the most efficient way possible.

 

Our company isn’t certified at all yet; what happens to me?

ISO 27001:2022 is a framework of policies and procedures to lower the risk of a security breach. Having it in place definitely makes sense.

If you can undergo an audit based on 2013, it will only be valid until April 30, 2024. So it doesn’t matter when you register; you must transition to the new 2022 version by October 31, 2025. This is why adhering to the new 2022 standard from the get-go makes sense.

 

Looking to the future: what is next for ISO 27001?

As is typical with ISO standards in general, they are all subject to updates over time, and ISO 27001:2022 will be no different.

As cybersecurity threats continue to grow — we can expect the standard to be reviewed more and more frequently. This is why we at DataGuard constantly advocate for staying on top of your ISMS.

On another note, with more focus on information security for the use of cloud services, we can expect top cloud providers such as AWS, GCP and Microsoft Azure to start cloud-offering out-of-the-box compliance solutions to support with the new ISO 27001:2022 through things like cloud configuration checks and data leakage prevention solutions.

Want to know more about what transitioning to ISO 27001:22 with an expert to bounce ideas off can look like? Schedule a no-strings meeting with us.

About the author

Kyle Tackley Kyle Tackley
Kyle Tackley

Kyle is a Senior Principal at DataGuard and talks all things Information and Cybersecurity. With over 12 years experience in IT, Privacy and Information Security roles, he has implemented and operated a multitude of Security frameworks across enterprise businesses. Ensuring world-class service delivery of DataGuard’s Hybrid Information Security and Privacy as a service solutions to customers, and building a dynamic and successful teams are some of Kyle’s top priorities.

Explore more articles

How can we help?Contact us.

dg_seal_iso_2-0-3
dg_seal_tisax_2-0-3
dg_seal_gdpr_2-0-3

Contact Sales

See what DataGuard can do for you.

Find out how our Privacy, InfoSec and Compliance solutions can help you boost trust, reduce risks and drive revenue.

  • 100% success in ISO 27001 audits to date 
  • 40% total cost of ownership (TCO) reduction
  • A scalable easy-to-use web-based platform
  • Actionable business advice from in-house experts

Trusted by 4,000+ customers

Canon  Logo Contact Hyatt Logo Contact Holiday Inn  Logo Contact Unicef  Logo Contact Veganz Logo Contact Burger King  Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line  Logo Contact

Get to know DataGuard

Simplify compliance

  • External data protection officer
  • Audit of your privacy status-quo
  • Ongoing GDPR support from a industry experts
  • Automate repetitive privacy tasks
  • Priority support during breaches and emergencies
  • Get a defensible GDPR position - fast!

Trusted by 4,000+ customers

Canon  Logo Contact Hyatt Logo Contact Holiday Inn  Logo Contact Unicef  Logo Contact Veganz Logo Contact Burger King  Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line  Logo Contact

Get to know DataGuard

Simplify compliance

  • Continuous support on your journey towards the certifications on ISO 27001 and TISAX®️, as well as NIS2 Compliance.
  • Benefit from 1:1 consulting
  • Set up an easy-to-use ISMS with our Info-Sec platform
  • Automatically generate mandatory policies
Certified-Icon

100% success in ISO 27001 audits to date

 

 

TISAX® is a registered trademark of the ENX Association. DataGuard is not affiliated with the ENX Association. We provide consultation and support for the assessment on TISAX® only. The ENX Association does not take any responsibility for any content shown on DataGuard's website.

Trusted by 4,000+ customers

Canon  Logo Contact Hyatt Logo Contact Holiday Inn  Logo Contact Unicef  Logo Contact Veganz Logo Contact Burger King  Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line  Logo Contact

Get to know DataGuard

Simplify compliance

  • Proactive support
  • Create essential documents and policies
  • Staff compliance training
  • Advice from industry experts

Trusted by 4,000+ customers

Canon  Logo Contact Hyatt Logo Contact Holiday Inn  Logo Contact Unicef  Logo Contact Veganz Logo Contact Burger King  Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line  Logo Contact

Get to know DataGuard

Simplify compliance

  • Comply with the EU Whistleblowing Directive
  • Centralised digital whistleblowing system
  • Fast implementation
  • Guidance from compliance experts
  • Transparent reporting

Trusted by 4,000+ customers

Canon  Logo Contact Hyatt Logo Contact Holiday Inn  Logo Contact Unicef  Logo Contact Veganz Logo Contact Burger King  Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line  Logo Contact

Let's talk

0-25
26-250
251-500
501-2000
2001-10000
>10000
Privacy
InfoSec
Consent Management
General enquiry
Whistleblowing
Compliance