ISO 27001:2022 Updated
What it means and how will it affect the businesses
What has changed?
As mentioned, ISO 27001: 2013 has yet to be completely overhauled. Only minor to moderate changes have been made, but, as per International Standard Organization, these changes were highly needed. They can help organizations prevent/deal with the more severe and sophisticated threats that have recently challenged numerous leading businesses and organizations, including the UK’s NHS.
Annex A of the ISO/IEC 27001 has seen the most changes. These changes include a change in the number of controls as well as listing in groups. Here is a brief overview:
- The title of Annex A has been changed to Information Security Controls Reference from Reference Control Objectives and Controls. To justify the change, the reference objectives have been removed.
- There used to be 114 controls in Annex A. The updated ISO 27001:2022 standard has 93 controls. But, the controls haven’t been reduced/removed. Many of them have been merged. 35 controls have remained unchanged. 57 controls are merged into 24 controls, 23 out of 114 controls have been renamed for better clarity, and 11 new controls have been added.
- In the ISO 27001:2022 standard, the 93 controls are divided into 4 groups instead of the 14 groups used in the previous versions. The 4 groups are based on four themes; Organizational control, People control, Physical control, and Technological control.
The mandatory clauses, i.e., the clauses from 4 to 10, have undergone only slight changes. Most of the changes are made to make it align with other related ISO standards such as ISO 9001, ISO 14001, etc. New content has been added to clauses 4.2, 6.2, 6.3, and 8.1.
Will ISO 27001:2022 impact your existing certification?
When is the right time to start transitioning from ISO 27001:2013 to ISO 27001:2022?
What is the best approach to transition from ISO 27001:2013 to ISO 27001:2022?
Transitioning to the newer version quickly can give you a competitive and reputational advantage. However, the best approach is to go slow and do it methodically instead of haphazardly. Here is how you can get started:
- Familiarize yourself with the new controls and categorizations. A better understanding will help with better implementation.
- Once you know what needs to be done, conduct a gap/readiness test to determine the necessary changes in your existing Information Security Management System.
- Come up with a plan to implement those changes. Assign responsibilities and deadlines.
- Implement the changes once you have prepared a foolproof plan.
- Conduct a thorough internal audit to ensure everything is per the revised standard.
- When you are ready, update your Statement of Applicability (SoA) and get it reviewed by any certification body of your choice. It will then conduct a transition audit.
Get Your ISO 27001:2022 Certification
Online exam. Self-paced. Self-study course materials included.