Should you migrate to ISO 27001:2022 or wait?

The release of the new version of ISO 27001 in 2022 has created a lot of buzz after almost 9 years. The industry has eagerly awaited its arrival and is now keen to understand and implement it. However, is it wise to rush into immediate adoption? Let’s consider some insights.

Contents show

Back in 1999, there was no specific ISO standard in place. The widely discussed framework at the time was BS7799, which later evolved into ISO27001:2005 and subsequently revised to ISO27001:2013. Many of us have undergone numerous migrations across these versions for various implementations and audits. Each migration posed challenges as the standard evolved to keep up with the changing times.

The real dilemma arises for those currently implementing ISO27001:2013, only to be confronted with the release of the 2022 version. They now face the tough decision of choosing which version to pursue.

Before hastily jumping onto the newer version of ISO27001, it’s essential to consider some key points. One should not embrace it simply because it’s the latest release. Careful thought and analysis are required to make an informed decision. By approaching the transition to the new version of ISO27001 thoughtfully, organizations can ensure a smooth and successful migration that aligns with their specific needs and goals.

ISO 27001 & ISO 27002 Comparison and History

The history of ISO 27001 and ISO 27002 spans several years, starting with the publication of the initial version, known as BS 7799-2, back in 1999. Since then, both standards have undergone significant changes.

It’s important to note that ISO 27001 and ISO 27002 are distinct standards. ISO 27001 is the primary standard against which companies can seek certification, while ISO 27002 serves as a supporting standard that provides guidance on implementing security controls. Notably, ISO 27002 is not a prerequisite for ISO 27001 certification, and a company cannot be certified solely against ISO 27002.

ISO 27002 was initially published as BS 7799-1 in 1995. In February of this year, the revised version ISO 27002:2022 was released, featuring a new structure comprising 93 controls. Interestingly, ISO 27001:2022 adopted the same control structure as ISO 27002.

When comparing the 2022 revision of ISO 27001 to its 2013 counterpart, the changes are generally modest. The main part of the standard retains its 11 clauses, with minor adjustments. Annex A, on the other hand, has undergone more noticeable changes. The number of controls has been reduced from 114 to 93, and the organization of sections has been consolidated from 14 to 4. However, a closer examination reveals that the changes in Annex A are still within a moderate range.

In summary, the history and revisions of ISO 27001 and ISO 27002 reflect a continuous process of refinement and adaptation, ensuring that these standards remain relevant and effective in addressing evolving security requirements.

The New Changes of ISO 27001:2022

The revisions in ISO 27001:2022 introduce some noteworthy changes, although not extensive. Here are a few key points to consider:

Clause 4.4 Information security management system: This new requirement emphasizes the identification of processes and their interactions, resembling the approach seen in ISO 9001. It allows for the incorporation of interactions within diagrams and flow charts.
Annex A controls: It is important to note that the controls listed in Annex A are not exhaustive and should serve as a foundation. Each organization must assess its specific environment to identify any additional controls and risks that may be necessary.
Clause 6.2 Information Security objectives: The standard now mandates that objectives be documented and accessible to all stakeholders.
Clause 6.3 Planning of changes: Going forward, documented planning is required for all changes made within the organization.
Clause 8.1 Operational planning and control: Organizations must establish criteria for operational processes. These criteria can encompass various aspects, such as security requirements, business needs, or customer requests.
Clause 9 Performance evaluation: Methods employed to evaluate and monitor controls should yield comparable results, enabling the organization to assess trends effectively.
Clause 9.2 Internal audits: Internal assessments must encompass all organizational requirements, extending beyond ISO 27001. This indicates a broader effort to ensure a comprehensive Management System.

ISO 27001 2022 Revision

By understanding these changes, organizations can adapt and align their information security practices to comply with ISO 27001:2022 effectively.

Significant Changes in ISO 27001 Annex A

The most significant changes in ISO 27001 Annex A are evident, with a complete restructuring and revision. The updated version has resulted in a reduction of controls from 114 to 93, organized into four sections instead of the previous 14.

This restructuring aims to streamline and simplify the standard, eliminating overlaps and repetitions. The controls have been regrouped into five major security attributes, making them easier to understand and implement.

The revised Sections and Controls in ISO 27002:2022 are as follows:

Section 5: Organizational (37 controls)
Section 6: People (8 controls)
Section 7: Physical (14 controls)
Section 8: Technology (34 controls)

ISO 27001_2022 MAIN CHANGES

To summarize, 35 controls remained unchanged, 23 controls were renamed, 57 controls were merged to form 24 controls and 11 new controls were added. These changes in ISO 27001 Annex A reflect a concerted effort to enhance clarity and effectiveness in implementing information security measures.

5.23 Information Security for use of cloud services
5.30 ICT readiness for business continuity
5.7 Threat Intelligence
7.4 Physical security monitoring
8.1 Data masking
8.9 Configuration management
8.10 Information deletion
8.12 Data leakage prevention
8.16 Monitoring activities
8.23 Web filtering
8.28 Secure coding

Changes in Annex A security controls in ISO 27001

Will ISO 27001:2022 Affect Your Current Certification?

Rest assured, the new changes will not immediately affect your current certification. ISO 27001:2013 will remain valid for the next three years until October 31, 2025. This gives you ample time to understand and implement the changes before seeking certification.

If your business is already in the process of applying for ISO 27001:2013 certification or its renewal, it is recommended to proceed with the necessary steps and complete the audit. There is no need to wait for the updated standard to be fully implemented, which could take around six more months from October 2022. By obtaining ISO 27001:2013 certification, you can make use of the progress you have already made, avoiding any wasted effort.

When it comes to the renewal or recertification process, you can smoothly transition to the updated ISO 27001:2022 standard. This ensures that the work you have put into achieving ISO 27001 compliance is maximized while allowing for seamless adoption of the newer version when the time is right.

How Will the Update Impact Your Organization if You’re Implementing ISO 27001:2022?

No need to worry, as certification bodies are expected to offer certification for ISO 27001:2022 within approximately six months after its release. Furthermore, ISO 27001:2013 will remain valid for another three years, ensuring that the efforts you’ve put into implementing it won’t go to waste.

However, depending on the progress of your ISO 27001:2013 implementation project, you may consider incorporating the new Annex A controls from ISO 27001:2022 as an alternative control set. It is crucial to conduct a comprehensive comparison between the new controls and the 2013 Annex A controls listed in your Statement of Applicability. This evaluation will help you assess their suitability and determine if integrating them aligns with your organization’s objectives.

What is the Recommended Approach for Transitioning from ISO 27001:2013 to ISO 27001:2022?

Transitioning to ISO 27001:2022 can offer your organization a competitive edge and enhance its reputation. However, it is crucial to adopt a deliberate and systematic approach rather than rushing through the process. Here are the steps to guide you in getting started:

Familiarize yourself with the new controls and their categorizations. This deep understanding will facilitate a smoother implementation.
Conduct a comprehensive gap analysis or readiness test to identify the necessary changes required in your existing Information Security Management System.
Develop a well-structured plan that outlines the implementation strategy, including assigning responsibilities and setting realistic deadlines.
Execute the planned changes methodically, ensuring a careful and systematic implementation process.
Perform a thorough internal audit to verify compliance with the revised standard and address any identified gaps or areas for improvement.
Once you feel confident in your preparedness, update your Statement of Applicability (SoA) to reflect the implemented changes. Seek a thorough review from a certification body of your choice, who will then conduct a transition audit to assess your compliance with ISO 27001:2022.

By following this meticulous approach, you can successfully transition from ISO 27001:2013 to ISO 27001:2022, ensuring a seamless and effective integration of the updated standard into your Information Security Management System.

Benefits of Adopting ISO27001:2022 Immediately:

Stay Ahead of Evolving Threats: Cyber threats are constantly evolving, and waiting to adopt the latest standard means exposing your organization to potential vulnerabilities. By implementing ISO27001:2022 immediately, you can proactively address emerging risks and ensure your security measures are up to date.
Demonstrate Commitment to Security: ISO27001:2022 certification is a powerful testament to your organization’s dedication to information security. It showcases that you have implemented a robust ISMS and are committed to protecting the confidentiality, integrity, and availability of data. This can provide a competitive advantage by instilling trust and confidence in your customers and stakeholders.
Enhance Compliance with Regulatory Requirements: Many industries have strict regulatory requirements related to data protection and security. Adhering to ISO27001:2022 can assist in meeting these obligations and demonstrating compliance with relevant laws and regulations. This can save you from potential fines, legal issues, and reputational damage.
Strengthen Business Resilience: ISO27001:2022 emphasizes the importance of business continuity and risk management. By adopting the latest standard, you can strengthen your organization’s resilience in the face of disruptions, such as cyberattacks, natural disasters, or system failures. This enables you to minimize downtime, maintain operations, and quickly recover from incidents.

Conclusion

ISO27001:2022 brings significant advancements to information security management, aligning organizations with the latest best practices and technologies. Waiting to adopt the new standard can potentially leave your organization exposed to evolving threats and hinder your ability to stay ahead in the competitive landscape. Therefore, we strongly recommend businesses to consider implementing ISO27001:2022 immediately.

If you are unsure how to start or need expert guidance, reach out to our team of certified professionals who can help you navigate the ISO27001:2022 certification process smoothly. Don’t delay your organization’s journey towards improved information security and enhanced customer trust. Take action now and secure your digital future!

Remember, in today’s interconnected world, investing in robust information security is not just a necessity but also a strategic advantage that can set your business apart from the competition. Act today and reap the long-term benefits of ISO27001:2022 certification.