ISO 27001 is an internationally accepted standard specifically focused on your organization’s information security management system (ISMS). Following ISO 27002 guidelines, ISO 27001 is used to help manage the security of your services, benchmarking your overall security posture against one of the most in-depth standards available.
All ISO standards are officially reviewed at least once every five years to remain current and reflect new and evolving security challenges. ISO 27001:2013 was the latest version, and this year the standard was updated, introducing a handful of changes and new controls.
Let’s take an in-depth look at what you can expect from ISO 27001:2022 and how your organization can best transition with the recent updates.
Most updates in ISO 27001:2022 are minor, which means you can rest assured your organization won’t need to go through a major overhaul of your security program. The main ISO 27001:2022 changes can be broken down into two parts:
For the 2022 version, there has been a small change to the ISO 27001 management system clauses, specifically clauses 4.4 and 8.1.
Additionally, minor clarifications and specifications have been made to a handful of other management system clauses.
Annex A control updates are moderate and have been derived from ISO 27002:2022, which was released earlier this year. Organizationally, the former 14 control families of Annex A have been reorganized into four themes: organizational, people, physical, and technological.
Most controls have stayed the same or been renamed, and another group of controls was merged to reduce the total number of controls. However, the requirements within those controls are almost all the same.
The biggest change has been the addition of 11 new controls, added to reflect new and evolving security areas. Specifically, the control categories are as follows:
For further details and descriptions of these controls, we recommend purchasing the ISO 27001 and ISO 27002 standards and reviewing those documents with your team.
When conforming to the newly updated ISO 27001:2022 standard, there is a three-year transition period for all organizations. ISO 27001:2013 certificates will expire or be withdrawn no later than October 31, 2025. Organizations working toward certification remain eligible to certify against the 2013 version until October 31, 2023.
If your organization already holds an active certification, don’t worry: there is plenty of time to make the necessary changes.
A few tips for transitioning your certification to the updated ISO standard include:
For organizations working toward certification, start incorporating the new standard into your preparations today. Certification bodies will be required to be ready to certify against the new standard by April 30, 2023, though most will be ready earlier.
Standard updates and the associated transition process can sometimes feel a bit daunting, but BARR is here to walk your teams through the process and reduce some of the burden.
Interested in learning more about how ISO 27001:2022 can benefit your organization? Contact us for a free consultation.