The revised version of ISO 27001 finally landed on 25 October 2022. It’s been almost 10 years since the last major update, and while the revisions may seem minor, they are in fact significant and serve to both solidify and clarify the standard. In this post, we’ll cover what changed, why the new version was much needed, and what you’ll need to do for the transition to meet the timeline for compliance.
What Exactly has Changed in the ISO 27001 Update 2022?
Let’s start with what did not change. The scope, context, information security policy, risk management, resources, interested parties, training and awareness, communication, document control, monitoring and measurement, internal audit, management review and corrective actions – clauses 4 to 10 – remain the same.
What Changed in the ISO 27001:2022 Version
- The number of controls drops from 114 to 93
- There are 11 new controls
- Only the security controls in Annex A have been updated
- Controls are positioned in 4 ‘Themes’ instead of the previous 14 sections
The revised ISO 27001:2022 standard provides the updated framework for implementing an effective Information Security Management System (ISMS) in an organisation. The new version reduces the minimum required controls to 93 (including 11 newly added controls) and reorganises the framework into four distinct components. This may seem dramatic, but in practical terms it is not. In fact, it simplifies and refocuses the framework on two areas that were previously implied but not stated, sharpening its aim. The four components are:
ISO 27001 Transition to ISO 27001:2022
The changes should be minimal and have only a moderate impact on the management system components of ISO 27001 itself. The major change is that the standard’s Annex, controls and reference objectives are designed to allow for better integration with ISO 27002:2022.
However, the updated standard requires organisations to implement a process to identify, define and address the specific information security requirements of all interested parties. Once this has been clarified, the organisation then needs to determine which of these requirements will be included and addressed by their ISMS. The refreshed standard helpfully notes that the requirements of interested parties can include legal and regulatory requirements and contractual obligations. The emphasis is on accountability. Has the organisation thought through and addressed its information protection requirements?
There should be no need to delete or create new documentation; instead, add to your existing documents. For example, the SoA document should link the organisation’s risk assessment to the controls of ISO 27002 and explain the exclusion of any controls from the organisation’s control environment.
As organisations change over to ISO 27001:2022, it is advisable to review the existing controls within the SoA and align these to a current risk assessment of their information security environment, threats and vulnerabilities.
The Timeline to Meet ISO 27001 Compliance
Good news! There will be plenty of time to comply. The IAF will allow organisations 36 months (after the publication date) to update their ISMS and transition certification from ISO 27001:2013 to ISO 27001:2022.
After 36 months, all ISO 27001:2013 certificates will become invalid. If your organisation is planning its first certification now and will have its ISMS certified for the first time in 2022 or early 2023, the 2013 standard will still apply.
What You Should Consider, Before the Deadline
- Ensure your certification body is scheduled to conduct the transition assessment and the certificate can be issued within the 36 months
- Build in time to update documentation and processes and to train employees to adhere to the new requirements
- The transition can be made during the recertification audit, surveillance audit or a stand-alone assessment
If you are certifying for the first time, ensure you have secured your Certification Body (CB) well before the deadline. You can read more on how to find a qualified CB in our blog post: How to Choose an ISO 27001 Certification Body.
How Risk Crew ISO Experts Can Help
Writing and assembling the required documentation can be a gruelling task, but it doesn’t have to be. Risk Crew consultants can support you with all your ISO 27001 certification requirements and help you transition to the 2022 standard.
Risk Crew has been delivering ISO consultancy services for over 30 combined years. Our experts are working practitioners who use their knowledge to accelerate your compliance with the standard.
Four services are available – providing flexible options to get ISO 27001 working for your organisation. You get the exact amount of expertise and assistance you need to help meet your compliance objectives. Nothing more, nothing less.
Additional ISO 27001 Resources
ISO 27001 Documentation Guide & Checklist
Learn what documentation and policies are required to achieve certification to the standard.
ISO 27001:2022 Transition Guide
Accelerate your implementation of and/or transition to ISO 27001:2022 with guidance on the new standard.