What do the changes mean for you
ISO standards usually have a lifespan of 5 to 7 years. With ISO27001 having been released in 2013, an update to the standard was overdue.
The release dates of the two main components of the standard were out of sync: the main controls document, ISO27002:2022, was released in February 2022, while the standard itself, ISO27001:2022, was released in October 2022. The only significant change in ISO27001:2022 is an updated Annex A reflecting the new ISO27002 controls.
In line with the later release date of ISO 27001, the International Accreditation Forum and the accreditation bodies have advised that the transition period will run until November 2025, which is the standard 36 months allowed to achieve transition.
Therefore, what does it mean if you already hold the standard, or if you are in the process of applying for certification?
If you are already certified, you will have until the end of October 2025 to transition to the new version. This can be done through an extended regular surveillance audit or at the next recertification audit. If recertification is imminent and you believe that you are not ready, you can recertify under ISO27001:2013 and seek transition at a later surveillance audit, but before November 2025.
If you are currently contemplating certification to the standard and have an urgent requirement, you should continue with ISO27001:2013. If, however, your target date is mid-2023 or later, planning your implementation for the new version would probably be a good idea.
How will I ensure that I remain compliant?
You will need to gap-assess your current controls against the new ISO 27002 standard. A cost-effective way to do this is to include the effort in your next ISO 27001 ISMS internal audit.
- Revisit your context, which you really should be doing at least once per year anyway.
- Update your risk assessment, as the controls you use to mitigate risks may have been updated.
- The risk assessment updates, plus the changes in the new Annex A, will require you to redo your Statement of Applicability (SOA).
- Several of your policies, standards and procedures will need to be updated to reflect the new ISO 27002 changes.
- You may need to implement new policies, standards or procedures to address the new ISO 27002 controls.
- You may need to make changes to key tools in your environment (for example, a GRC platform or SIEM reporting) to ensure that the artefacts used to demonstrate compliance are aligned with the new requirements.
- Your security metrics should be updated to reflect your new risk assessment and the Annex A changes.
- Your ISMS internal audit programme will need to be updated to reflect the changes to your ISMS.
Contact us for further advice and guidance if required.
What can Coast Consultants offer?
- ISO27001 implementation consultancy
- ISO27001 compliance assessments
- ISO27001 internal audits, where the certified business lacks the resources
Registered Office: Coast Consultants Ltd. Coastal Breeze, The Ridgeway Saundersfoot SA69 9JY
Copyright © Coast Consultants 2023