ISO 27001 is the international standard when it comes to information security.
And it just got an update: ISO 27001:2022.
Now you might be wondering how to get your ISMS up to scratch and ensure you remain compliant. Or how much time pressure you’re really under?
You’ve come to the right place.
We sat down with the expert, Kyle Tackley, Senior Principal at DataGuard’s UK Tech and Privacy Practice, to get the full lowdown on the ISO 27001:2022 update: what has changed and how to get your certificate updated in no time.
How did ISO 27001 originate, and why has it changed?
The origins of ISO 27001 go all the way back to 1995. It was known as the BS 7799-1 standard.
The first edition of ISO 27001 was published in 2005 and was last reviewed and updated in 2013. The ISO 27001:2013 standard has since aged: technology and the modern way of working have evolved immensely, and the standard has not kept up with the fast pace of change.
The 2022 revision is the 4th modern edition of the standard, which brings ISO 27001 into the present way of working, focusing on cloud-first organisations.
What are the main changes between ISO 27001:2013 and the ISO 27001:2022 standards?
A couple of things have changed; the annex has probably seen the biggest changes. Its controls are grouped differently, and entirely new ones have been introduced.
In short:
- 11 new controls were added
- 57 controls combined
- 23 controls changed names
- 3 controls removed
We’ve also seen changes in the following:
- Risk management: The new version emphasises the importance of risk management as the core of the ISMS. It introduces additional requirements related to the organisation's context, risk assessment, risk treatment and risk acceptance.
- Leadership involvement: ISO 27001:2022 places a stronger emphasis on the involvement of top management in the information security management system. It expects leaders to demonstrate commitment, define roles and responsibilities, and ensure the integration of the ISMS into the organisation's processes.
- Performance evaluation: The revised standard includes requirements for monitoring, measuring, analysing and evaluating the ISMS. This focuses on ensuring the ongoing effectiveness and continual improvement of information security practices.
- Documented information: ISO 27001:2022 replaces the term "documented information" with "information necessary for the effectiveness of the ISMS." This change reflects the broader range of information forms, including digital, oral and visual.
When it comes to clauses, the first three have stayed the same, while clauses 4-10 have changed: they contain additional content and points. Some terms have also become broader, e.g. in clause 8.1 ‘outsourced parties’ need to be controlled (any product or service related to your ISMS needs to be controlled). This brings a more extensive scope.
What fundamental changes to Annex A controls are in ISO 27001:2022?
As well as what we just mentioned above, the fundamental change to the Annex A controls in ISO 27001:2022 is that controls are now grouped into four simple themes, which are:
- People controls (8 controls)
- Organisational controls (37 controls)
- Technological controls (34 controls)
- Physical controls (14 controls)
How will the update affect your organisation if you are already certified to ISO 27001:2013?
In general, since October last year, all companies can certify against the 2022 revision.
Organisations that are already certified have until 31 October 2025 to transition. As of that date, all ISO 27001:2013 certifications will expire and will no longer be considered valid.
In the meantime, organisations should continue to manage and improve their existing ISO 27001:2013 ISMS while planning a transition audit. If your company is not certified yet but still wants to certify against the 2013 revision, you can do so up to 31 October 2024.
But generally speaking, the sooner you comply with ISO 27001:2022, the better. It will save you time, money and frustration.
Do existing ISO 27001:2013 certificates need a separate audit for transitioning to the new ISO 27001:2022 revision?
No, not necessarily. Organisations will have three options here and should consider where they are in their 3-year ISO 27001 certification lifecycle before selecting which option works best:
- Standalone transition audit
- Transition audit at the time of an annual surveillance audit
- Transition audit at the time of a re-certification audit
Tip: make sure your certification body has obtained accreditation to audit the new ISO 27001:2022 revision.
How to transition to ISO 27001:2022 step by step?
If you already hold an ISO 27001:2013 certification, we recommend taking these steps to transition to the 2022 revision.
- Familiarise yourself with the changes: read and thoroughly understand the ISO 27001:2022 standard to identify the key changes compared to the 2013 version. Pay attention to new clauses, modified requirements and terminology.
- Conduct a gap analysis: compare your existing Information Security Management System (ISMS) against the new standard. Identify gaps and areas where your current ISMS needs to be updated to comply with the 27001:2022 requirements.
- Update your documentation: revise and update all relevant documents, including the ISMS manual, procedures, work instructions and forms, to reflect the changes required by the ISO 27001:2022 standard. Make sure that the documentation is accurate, up-to-date and easily accessible.
- Revise the risk assessment process: evaluate your current risk assessment methodology and update it to incorporate changes in the threat landscape, vulnerabilities, legal and regulatory requirements and business context. Make sure that the risk assessment is comprehensive and covers all relevant areas.
If you don’t want to go through those steps alone, we recommend getting a DataGuard expert on board who can walk you through the process step by step. We’ve also got the documents, tools and expertise to get it done as efficiently as possible.
Our company isn’t certified at all yet; what happens to us?
ISO 27001:2022 is a framework of policies and procedures to lower the risk of a security breach. Having it in place definitely makes sense.
If you undergo an audit against the 2013 version, the resulting certificate will only be valid until April 30, 2024. So it doesn’t matter when you register; you must transition to the new 2022 version by October 31, 2025. This is why adhering to the new 2022 standard from the get-go makes sense.
Looking to the future: what is next for ISO 27001?
As is typical with ISO standards in general, they are all subject to updates over time, and ISO 27001:2022 will be no different.
As cybersecurity threats continue to grow, we can expect the standard to be reviewed more and more frequently. This is why we at DataGuard constantly advocate for staying on top of your ISMS.
On another note, with more focus on information security for the use of cloud services, we can expect top cloud providers such as AWS, GCP and Microsoft Azure to start offering out-of-the-box compliance solutions that support the new ISO 27001:2022 through things like cloud configuration checks and data leakage prevention solutions.
Want to know more about what transitioning to ISO 27001:2022 with an expert to bounce ideas off can look like? Schedule a no-strings meeting with us.