What is ISO 27001:2022 and how does it impact you?

ISO 27001 is a specification for an ISMS – an Information Security Management System. An ISMS is a set of policies, procedures, processes and systems that manage information security risks, such as cyber attacks, hacks, data leaks or theft. The ISO 27001 standard provides requirements for establishing, implementing, maintaining and continually improving an ISMS.

With ISO 27001:2013 now nearly a decade old, the new version, ISO 27001:2022, is much needed. The technology and threat landscape has shifted significantly, with trends such as the move to cloud computing and the heavy adoption of third-party applications, both of which are underrepresented in the 2013 version of the standard. The changes in the update are a positive step towards keeping the most up-to-date controls in place to protect your organisation.

The release of the new version of the standard will create considerations for those looking to implement an ISO 27001 system for the first time, as well as those who are already certified to ISO 27001:2013.

New to ISO 27001?

For companies looking to implement ISO 27001 for the first time, we have entered a short period in which the decision about which version of the standard to implement is up in the air.

Certification bodies will require a number of months after the anticipated October 2022 release to be accredited by UKAS to certify against the new standard. Most certification bodies are not yet certain when they will be able to audit against the new standard; however, April 2023 has been stated as the target by several of them.

This means that if you are an organisation looking to certify before February 2023, you would be best advised to certify to ISO 27001:2013 and then transition at your first or second annual audit. If you have started, or are about to start, an implementation but do not expect to certify until around April 2023, it will likely be best to implement the new version of the standard (ISO 27001:2022).

What do you do if you have an existing ISO 27001 system?

If you are already certified to ISO 27001:2013, you will need to transition to the new version of the standard within three years of its initial release (roughly October 2025). This gives plenty of time to alter your system to meet the new requirements.

We recommend transitioning (i.e. being assessed against the new standard) at one of your regular annual audits. Depending on a number of factors, the transition is likely to add a day or two to the length of your regular audit.

What are the differences between ISO 27001:2013 and ISO 27001:2022?

Clauses 4 to 10 of ISO 27001 already align with the other main ISO management system standards, so it would be surprising if any game-changing requirements were added here.

We instead anticipate that the main differences between the standards will be found in Annex A of ISO 27001, the long list of 114 security controls. This list is also reflected in your "Statement of Applicability" if you are already certified to ISO 27001:2013.

In Annex A of ISO 27001:2013, the 114 controls were spread across 14 categories. This will change with the new standard, which instead has 93 controls across 4 domains.

Eleven controls are completely new, and others have been modified or merged (a proportion of controls remain unchanged in substance from the old version). To give a flavour of the updated requirements, the new controls include:
•    Threat intelligence
•    Information security for use of cloud services
•    ICT readiness for business continuity
•    Physical security monitoring
•    Configuration management
•    Information deletion
•    Data masking
•    Data leakage prevention
•    Monitoring activities
•    Web filtering
•    Secure coding

What next?

Deciding when and how to transition or which standard to implement will take some consideration.

Email us at info@2sb.co.uk to discuss your path to becoming certified against the new ISO 27001:2022 standard.
