6 mins read

Preparing for ISO 27001:2022

ISO/IEC 27001:2022 is scheduled to be released later this year. Here are the steps you should take now to prepare for its arrival!

The internationally-recognised standard for information security management systems, ISO 27001, is being updated.

Last updated in 2013, the new edition is expected to be published in October 2022 to be more relevant and up-to-date with the latest security threats and technologies.

In this blog, we will uncover:

What’s Changed in the 2022 Edition of ISO 27001 Compared to the 2013 Edition?

The main change to the 2022 edition of ISO/IEC 27001 is the update of Annex A to reflect ISO/IEC 27002:2022.

Updated in February 2022, ISO/IEC 27002 is the Standard for Information Security Controls, and provides a reference set of generic information security controls including implementation guidance.

The changes include:

  • Category restructure
  • 11 new controls
  • 24 merged controls
  • 58 updated controls

The New Categories:

The new categories of controls have been consolidated from 14 to 4.

  • People (8 controls) – if they concern individual people, such as remote working, screening, confidentiality or non-disclosure agreements.
  • Organisational (37 controls) – if they concern the organisation, such as policies for information, return of assets, information security for use of cloud services.
  • Technological (34 controls) – if they concern technology, such as secure authentification, information deletion, data leakage prevention, or outsourced development.
  • Physical (14 controls) – if they concern physical objects, such as storage media, equipment maintenance, physical security monitoring, or securing offices, rooms and facilities.

The New Controls:

While the total number of controls have been cut down from 114 to 93, there are 11 new controls including:

  • Threat intelligence
  • Information security for use of cloud services
  • ICT readiness for business continuity
  • Physical security monitoring
  • Monitoring activities
  • Web filtering
  • Secure coding
  • Configuration management
  • Information deletion
  • Data masking
  • Data leakage prevention

When Do You Have To Transition to ISO/IEC 27001:2022?

There is a three year transition period from the publication date of ISO 27001:2022. The expected published date is October 2022, so organisations will have to be compliant with the updated Standard by October 2025.

 

Organisations Already Certified to ISO 27001:

  • Until October 2023, audits may be conducted to ISO/IEC 27001:2013 or ISO/IEC 27001:2022 at the organisations request.
  • Non-compliances with the additional requirements in the 2022 edition will be raised as Areas of Concerns, and will need to be closed before the transition period.
  • From October 2023, all audits shall be to ISO/IEC 27001:2022.

Organisations Looking to Certify to ISO 27001:

  • Organisations applying for certification before the date of issue of the 2022 edition will be assessed against their compliance to ISO/IEC 27001:2013
  • Organisations applying for certification after the date of issue of the 2022 edition will be assessed against their compliance to ISO/IEC 27001:2022

 

Please Note: Additional time will be required to perform the upgrade component of the audit, should you go from ISO 27001:2013 to ISO 27001:2022.

How To Prepare For ISO/IEC 27001:2022

Whilst we’re waiting for the release of the new ISO/IEC 27001:2022 in October, organisations should start preparing now to ensure smooth transitions and minimise disruption. The following key activities should be considered for the transition:

  • Build out education program for those involved in the ISMS operation
  • Familiarise yourself with the 93 Controls in ISO 27002:2022
  • Identify which controls that have been implemented into your organisation are affected
  • Prepare your documentation for transition

Conduct a Gap Analysis

Organisations have the opportunity to visit their existing Information Security Management Systems and review their risk register, and risk assessments, to determine their suitability and applicability in the organisation. While no controls were deleted between the 2013 version and the 2022 version of the ISO 27001 standard, the merger, update and introduction of new controls will affect how you currently manage them.

Watch our Webinar On-Demand to learn how to prepare for the ISO 27001:2022 Standard release
Watch Now

Conducting a gap analysis between your current system and the ISO 27002:2022 controls will help you understand how your ISMS will be affected, and what will need to be adjusted to be compliant with the standard once it’s released.

This gap analysis will also help you determine if and how the new controls can help you manage risk.

Consider Attributes

With the introduction of Attributes in the ISO 27002:2022 standard, organisations can use the review process to implement attributes. The benefit of attributes, is being able to create different views or categorizations of controls as seen from different perspectives or themes.

For example, you can view your controls from the perspective of control types, (preventative, detective, or corrective controls), or you can do this based on different security properties, (confidentiality, integrity, availability), or based on different operational capabilities, (governance, identity, and access management, legal, and compliance), etc.

Optimise your Statement of Applicability

When conducting this review, organisations should consider creating a parallel Statement of Applicability based on the 2022 version of controls, including the renamed controls, as well as merged and new controls. This is due to the timeline for transition. Audits conducted prior to your transition audit will still need to be compliant to the 2013 version, and thus will need to reference those respective requirements.

Consider the Resources to Transition

While the requirements of ISO 27001:2022 haven’t changed, the update to the controls listed in Annex A, require organisations to consider how they will implement these updates.

Training your ISMS internal auditors is a must to ensure they understand what is required, and how to help the organisation bridge any gaps. The control owners also need to be included in the education program to determine the effect on the organisations risk assessments and treatments.

Having an education program also assists with change management, giving your staff time and opportunity to adjust to the changes.

Have Questions About the ISO 27001:2022 Transition? Contact Us Today!

Contact Us

Sales Enquiries

assurance@saiglobal.com

Not a sales enquiry? Click here to view our office locations and contact details.
Chat with us