As you may have heard, the 2022 version of the ISO 27001 standard (ISO 27001:2022) is due for release in Q4 of this year. In this post, we cover what is changing, why the new version is needed, and what you will need to do to transition within the compliance timeline. This summary is based on the draft version of the new standard; if anything changes once it is released, this blog post will be updated.
What Exactly is Changing in the ISO 27001 Update 2022?
Let’s start with what is not changing. The scope, context, information security policy, risk management, resources, interested parties, training and awareness, communication, document control, monitoring and measurement, internal audit, management review and corrective actions (clauses 4-10) will remain the same.
What Will Change for ISO 27001:2022
- The number of controls drops from 114 to 93
- There are 11 new controls
- Only the security controls in Annex A have been updated
- Controls are positioned in 4 ‘Themes’ instead of the previous 14 sections
None of the controls have been deleted; instead, overlapping controls have been merged to remove duplication. The controls have been grouped into themes to give a better structure for risk management. The four sections are:
Transitioning from ISO 27001:2013 to ISO 27001:2022
The changes should be minimal, with only a moderate impact on the management system components of ISO 27001 itself. The main change is that the standard’s Annex, its controls and its reference objectives have been designed to integrate more closely with ISO 27002:2022.
There should be no need to delete documentation or create new documents; updating your existing documents should suffice. For example, the Statement of Applicability (SoA) should link the organisation’s risk assessment to the controls of ISO 27002 and explain why any controls have been excluded from the organisation’s control environment.
As organisations transition to ISO 27001:2022, it is advisable to review the existing controls in the SoA and align them with a current risk assessment of their information security environment, threats and vulnerabilities.
The Timeline to Meet ISO 27001 Compliance
Good news! There will be plenty of time to comply. The International Accreditation Forum (IAF) will allow organisations 36 months after the publication date to update their ISMS and transition their certification from ISO 27001:2013 to ISO 27001:2022.
After the 36 months, all ISO 27001:2013 certificates will become invalid. If your organisation is planning its first certification now and expects to have its ISMS certified for the first time in 2022 or early 2023, the 2013 standard will still apply.
What You Should Consider, Before the Deadline
- Ensure your certification body is scheduled to conduct the transition assessment so that the certificate can be issued within the 36 months
- Build in time to update documentation and processes, train employees, and so on, to adhere to the new requirements
- The transition can be made during the recertification audit, surveillance audit or a stand-alone assessment
If you are certifying for the first time, ensure you have secured your Certification Body (CB) well in advance of the deadline. You can read more on how to find a qualified CB in our blog post: How to Choose an ISO 27001 Certification Body.
How Risk Crew ISO Experts Can Help
Writing and assembling the required documentation can be a gruelling task, but it doesn’t have to be. Risk Crew consultants can support you with all your ISO 27001 certification requirements and help you transition to the 2022 standard.
Risk Crew has been delivering ISO consultancy services for over 30 combined years. Our experts are working practitioners who use their knowledge to accelerate your compliance with the standard.
Four services are available, giving you flexible options to get ISO 27001 working for your organisation. You get exactly the amount of expertise and assistance you need to meet your compliance objectives. Nothing more, nothing less.
Additional ISO 27001 Resources
ISO 27001 Documentation Guide & Checklist
Learn what documentation and policies are required to achieve certification to the standard.
ISO 27001 Service
Find out how Risk Crew can help you achieve compliance. Choose from 4 services to meet your needs.