ISO 27001:2022: Key Updates and Transition Process
What You Need To Know To Ensure a Smooth Transition to the New Compliance Requirements
Authors: Matthew Schiavone, Managing Director, Information Assurance & Cybersecurity & Brian Kirk, Senior Manager, Information Assurance & Cybersecurity
Overview of ISO 27001
After nine years, the International Standards Organization (ISO) updated its ISO 27001:2013 standard. Superseded by ISO 27001:2022, the standard was published on October 25, 2022. ISO 27001 is an internationally recognized information security standard, designed to provide requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS).
In this article, we will cover the updates to the 27001:2013 standard, as well as when and how organizations can prepare to transition to ISO 27001:2022.
ISO 27001 Technical Updates
Changes in the normative references of the standard are only small and can be done rather quickly, with only slight changes in the documentation and processes. The Annex A changes, however, require more consideration.
First, albeit a minor update, the title of Annex A has been updated to “Information security controls reference” from “Reference control objectives and controls.” More importantly, 11 new controls were added to the Annex A, yet the total number controls have decreased from 114 to 93. This was achieved via the following:
- 57 controls were merged into 24
- One control was separated into two
- 35 controls remained unchanged
- 23 controls were simply renamed
- 11 new controls were added
The new controls come by way of recognizing advancements in technology and the risk landscape since the 2013 release. Specifically, these controls are as follows:
- Threat Intelligence
- Information Security for Cloud Services
- ICT Readiness for Business Continuity
- Physical Security Monitoring
- Configuration Management
- Information Deletion
- Data Masking
- Data Leakage Prevention
- Activity Monitoring
- Web Filtering
- Secure Coding
ISO 27001:2022 Transition Requirements
All organizations currently certified under the ISO 27001:2013 standard have until October 31, 2025 to transition to the new version.
New certification applicants may continue to be audited against the 2013 revision of ISO 27001 until April 30, 2024—an update from the initial deadline of October 31, 2023.
All organizations must transition to the new ISO 27001:2022 standard no later than October 31, 2025, regardless of the date of original registration. All remaining ISO 27001:2013 certificates will be withdrawn and considered to be expired as of October 25, 2023, regardless of the certificate expiration date.
A detailed report of the transition requirements can be found here.
October 25, 2022
ISO 27001: 2022 Update Published
February 15, 2023
Transition Requirements for ISO/IEC27001:2022
April 30, 2024
Final date for certifications issued 27001:2013
October 31, 2025
All ISO 27001:2013 Certifications Expire
Deadline for All Certified Companies to Transition to 27001: 2022
3-Year Transition Period
Making the Transition to ISO 27001:2022
Every successful initiative begins with planning. Education and awareness are key components of the planning process. Management and key stakeholders should be made aware of and become familiar with the changes. Management also must consider requirements from internal and external interested parties that are relevant to the ISMS. For example, organizations may have contractual or regulatory requirements to maintain their ISO certification . In which case, it may be key to ensure the organization’s ISO certification is maintained throughout the transition period. ISMS leadership should obtain support over the transition process from key stakeholders by developing a transition timeline and project plan for their approval.
Once a project plan has been developed and accepted, a gap assessment against the new and modified Annex A controls should be performed. Prior to performing the assessment, management needs to determine whether it has in-house expertise or if it needs to consult with a third-party to perform the assessment. The gap assessment should take a risk-based approach to identify where management needs to implement new processes and controls, modify existing processes and controls, update current ISMS documentation or update evidence to support the implementation of the Annex A controls.
Documentation and certain processes will likely need to be updated, including evidence of new or modified process changes. Management needs to have confidence that it can produce evidence to support the implementation of any new or modified processes. Additionally, the Statement of Applicability (SoA) will need to be updated to reflect changes to implemented controls and to conform with ISO 27001:2022. Once management has completed its remediation process, they should begin to prepare for a transition audit or recertification.
How We Can Help Your Organization Transition to the New ISO 27001:2022 Standard
Cherry Bekaert’s Information Assurance & Cybersecurity practice can help provide guidance and support as your organization navigates the ISO standard requirements. Our professionals understand your business and the risks you are facing.
Cherry Bekaert assists organizations with various cybersecurity and ISO 27001 related services, including ISMS buildout, gap/readiness assessment, policy/procedure development, internal audit support, project management, education and training and virtual CISO services.
By leveraging our ISO knowledge, Cherry Bekaert can assist organizations transitioning to the updated standard by performing a gap analysis, updating the SoA and current policy/procedure documentation. Contact us today to learn more about how we can help.