ISO 27001:2022 Updated

What it means and how will it affect the businesses

First published in 2005 and revised in 2013, ISO 27001 has recently been revised/updated to make it even more effective in dealing with the ever-evolving variety of cyber threats and information security risks. The new standard is now being called ISO/IEC 27001:2022. The revisions/updates done are moderate. So, businesses and organizations are not required to make significant, urgent changes to upgrade their certification to the new one. You have 3 years to do that. This article briefly explains the changes that the new ISO 27001:2022 standard has brought and how it will impact businesses and organizations.

What has changed?

As mentioned, ISO 27001: 2013 has yet to be completely overhauled. Only minor to moderate changes have been made, but, as per International Standard Organization, these changes were highly needed. They can help organizations prevent/deal with the more severe and sophisticated threats that have recently challenged numerous leading businesses and organizations, including the UK’s NHS.

Annex A of the ISO/IEC 27001 has seen the most changes. These changes include a change in the number of controls as well as listing in groups. Here is a brief overview:

The title of Annex A has been changed to Information Security Controls Reference from Reference Control Objectives and Controls. To justify the change, the reference objectives have been removed.
There used to be 114 controls in Annex A. The updated ISO 27001:2022 standard has 93 controls. But, the controls haven’t been reduced/removed. Many of them have been merged. 35 controls have remained unchanged. 57 controls are merged into 24 controls, 23 out of 114 controls have been renamed for better clarity, and 11 new controls have been added.
In the ISO 27001:2022 standard, the 93 controls are divided into 4 groups instead of the 14 groups used in the previous versions. The 4 groups are based on four themes; Organizational control, People control, Physical control, and Technological control.

The mandatory clauses, i.e., the clauses from 4 to 10, have undergone only slight changes. Most of the changes are made to make it align with other related ISO standards such as ISO 9001, ISO 14001, etc. New content has been added to clauses 4.2, 6.2, 6.3, and 8.1.

Will ISO 27001:2022 impact your existing certification?

The new change will not affect your current certification until it gets obsolete. But don’t panic; ISO 27001: 2013 will exist for another three years until October 31, 2025. You have three years to understand the changes, implement them, and get certified. Businesses almost ready to apply for ISO 27001:2013 certification/renewal should finish their work and apply for an audit. There is no need to wait for the implementation of the updated standard because it may not be implemented for at least 6 more months from October 2022. Plus, you have already done much (or most) work on it. Instead of wasting all those precious hours of work, you can apply for ISO 27001:2013 certification. Later, during the renewal or recertification process, you can go for the updated ISO 27001:2022 standard instead.

When is the right time to start transitioning from ISO 27001:2013 to ISO 27001:2022?

There is no rush in transitioning because you have three years to do that. And, it’s not a lot of work because, as mentioned above, the changes are minor to moderate. You won’t have to start from scratch. But make sure you still keep it on your priority list because the transition needs to be completed by October 31, 2025. The certification bodies responsible for certifying organizations need to start offering the new revision by max October 31, 2023, which is still almost a year from now. Until then, stick to the older version. Get it renewed on time, or go ahead if you are about to get yourself certified. No need to wait and waste your time because cyber attackers will not wait. However, if you are a large corporation/military/business that can spare enough manpower to start the transition process asap, go ahead; nothing comes before safety! Plus, the sooner you adopt cyber resilience, the quicker you will emerge as a leader in your industry. You will gain a competitive advantage. Your clients, prospects, and stakeholders will admire you. And by implementing the latest ISO 27001:2022 standard, you should be able to reduce/prevent those cyber risks that the older versions may have missed.

What is the best approach to transition from ISO 27001:2013 to ISO 27001:2022?

Transitioning to the newer version quickly can give you a competitive and reputational advantage. However, the best approach is to go slow and do it methodically instead of haphazardly. Here is how you can get started:

Familiarize yourself with the new controls and categorizations. A better understanding will help with better implementation.
Once you know what needs to be done, conduct a gap/readiness test to determine the necessary changes in your existing Information Security Management System.
Come up with a plan to implement those changes. Assign responsibilities and deadlines.
Implement the changes once you have prepared a foolproof plan.
Conduct a thorough internal audit to ensure everything is per the revised standard.
When you are ready, update your Statement of Applicability (SoA) and get it reviewed by any certification body of your choice. It will then conduct a transition audit.

Wrap up

We hope this article has briefly addressed most of the queries regarding the revised ISO 27001:2022 standard. If you still have questions, don’t hesitate to contact us via email; we will get back to you as soon as possible.

Get Your ISO 27001:2022 Certification

Online exam. Self-paced. Self-study course materials included.

Learn more

← What is the Purpose of ISO 22301? What is CCPA? →