
ISO 27001:2022 – What are the Main Changes?

Posted by Christina Gamache in Blog, Home Page 15 Dec 2022

Introduction to ISO 27001:2022 Changes

New innovations and networks of communication for exchanging data assets present new security risks. For the first time since 2013, the International Organization for Standardization (ISO) has issued a new edition of the ISO 27001 Information Security Management System standard.

Highlights of Changes Made To ISO 27001:2013

To better align with the harmonized structure shared by ISO management system standards, minor changes have been made within the body of the ISO 27001 standard. Notable changes have been made to the following requirements:

• 4.2 Understanding the needs and expectations of interested parties

• 4.4 Information security management system

• 6.2 Information security objectives and planning to achieve them

• 6.3 Planning of changes

• 9.1 Monitoring, measurement, analysis and evaluation

• 9.3.2 Management review inputs

The previous 14 Annex A control categories have been regrouped into four broad themes: Organizational, People, Physical, and Technological controls.

The overall number of controls, previously 114, now stands at 93 in ISO 27001:2022. Eleven new controls have been added and several previous controls have been consolidated. The new controls include:

• Threat Intelligence

• Information Security for use of Cloud Services

• Physical Security Monitoring

• Configuration Management

• Information Deletion

• Data Masking

• Data Leakage Prevention

• Web Filtering

• Secure Coding

In addition, ISO 27002:2022 defines five control attributes:

1. Control Type

2. Information Security Properties

3. Cybersecurity Concepts

4. Operational Capabilities

5. Security Domains

To better explain the intent of each control, ISO 27002:2022 also defines a purpose statement for each individual control.

ISO 27001:2022 Transition Timeline

Organizations will have three years from October 31st, 2022 to transition their management system to ISO 27001:2022. Below are some key timeline milestones:

1. The transition period begins October 31, 2022.

   - Any existing ISO 27001:2013 certificates will expire on the last day of the month, 36 months after October 31, 2022.

2. After April 1, 2024, all new certification audits and all recertification audits should be conducted against the ISO 27001:2022 edition.

3. Transition Audits should be conducted by August 31, 2025.

4. The transition period ends on October 31, 2025, and ISO/IEC 27001:2013 will no longer be valid. If desired, the transition can be made in combination with surveillance, recertification or special on-site audits.

Consulting for ISO 27001:2022 Transition

The ISO 9001 Group can make your transition seamless and smooth. We have a proven transitional process, which will ensure that your existing ISO 27001 information security management system is properly transitioned to ensure your organization is ready by October 31, 2025. Our proven 4 Step process includes:

Step 1. Documentation Review – Our consultant will review your organization’s existing documentation to understand the current structure and to assess gaps to conformance to ISO 27001:2022.

Step 2. Documentation Transition – Our technical writer will carefully realign your existing documentation to reflect the new structure of ISO 27001:2022 and incorporate any new ISO 27001:2022 requirements. The technical writer will also write any new required documentation. Changes made to your existing documents will be tracked and highlighted.

Step 3. Implementation – You will be provided with a step-by-step implementation checklist, and our consultant will meet with you during the implementation phase to provide support, training and answers to questions.

Step 4. Certification Support – Upon completion of the certification audit, we will assist in responding to any finding(s) related to the scope of work during the initial certification audit, until certification is achieved. Most of our clients undergo audits with zero to very minor findings. We will continue to be available via phone or email for 30 days upon achieving certification.

You can learn more about our transitional support services by visiting our website.

Conclusion

In preparation for the transition audit, you will need to update your information security management system to conform with the requirements of ISO 27001:2022. A management review and internal audit must be conducted in accordance with the new standard requirements prior to the transition audit being conducted.

Our consultants are prepared and ready to help your organization overcome the challenges of transitioning your management system to the latest standard. Our certified consultants can address the robust needs of any organization, no matter the size. Contact us for the guidance and tools necessary to make the transition from ISO 27001:2013 to ISO 27001:2022 smooth.

Author

Christina Gamache | Sales & Marketing Coordinator
