Making the Transition to ISO 27001:2022

In late 2022, the ISO 27001:2022 standard was published, marking the first update to the highly regarded international standard for information security management systems (ISMS) since 2013. ISO-certified organizations have until October 2025 to make the transition from the 2013 standard to the 2022 standard. Organizations seeking certification for the first time can certify against the 2013 standard until October 2023; those organizations will also have to complete the transition to the 2022 standard by 2025.

2025 may seem a long way off, but putting off the work required for the transition will only make the process more challenging. Here are some steps your organization can take as it starts preparing to certify against ISO 27001:2022.

Know What is Different about the 2022 Standard

The first step to transitioning from the 2013 standard to the 2022 standard is understanding the changes introduced in the new version. Some of the key updates include:

Minor changes to clauses 4-10 in the first half of the Standard:

  • Clause 4.2(c) Requirements of interested parties to be addressed in the ISMS
  • Clause 6.3 Planning of Changes to the ISMS
  • Clause 8.1 Establishing criteria for control processes and implementing those processes
  • Clauses 9.2 and 9.3 Management Review input from changes in the needs and expectations of interested parties

Changes to the Annex A controls in the second half of the Standard:

  • 4 major sections instead of the original 14
  • Reduction of Annex A controls from 114 to 93
  • 57 merged controls, 23 renamed controls

These 11 controls were added to Annex A:

  • 5.7 Threat intelligence
  • 5.23 Information security for use of cloud services
  • 5.30 ICT readiness for business continuity
  • 7.4 Physical security monitoring
  • 8.9 Configuration management
  • 8.10 Information deletion
  • 8.11 Data masking
  • 8.12 Data leakage prevention
  • 8.16 Monitoring activities
  • 8.23 Web filtering
  • 8.28 Secure coding

You can learn more about the ISO 27001:2022 changes here.

Conduct a Gap Analysis

Once you have a clear understanding of the changes, conduct a gap analysis to identify the areas where your current ISMS is at variance with the new requirements. The gap analysis should cover all the changes introduced in ISO 27001:2022. Be sure to document the results for future reference.

Develop an Action Plan

Leverage the data from the gap analysis to develop an action plan that outlines the changes you need to make to transition to the new standard. Assign responsibilities, set timelines, and prioritize the changes based on their impact and urgency.

Update the ISMS

Using the results of the gap analysis, update your ISMS to comply with the new requirements. The updated ISMS should be well documented and communicated to all relevant stakeholders.

Implement New Controls

ISO 27001:2022 places emphasis on the organization’s ability to identify and assess risks and develop controls accordingly. Your organization must implement controls that are appropriate for its operations and mitigate unacceptable risks. The controls must be effective and aligned with the organization’s risk tolerance and business objectives.

Conduct Internal Audits

Once the updated ISMS is in place, conduct an internal audit to confirm that the new requirements have been implemented and are being met. The internal audit should follow a risk-based approach and cover all areas of the ISMS. The results need to be documented and made available to all key stakeholders. Remediate any gaps that are found.

The Certification Audit

Finally, if transitioning, go through the certification process with your certification body. For organizations with an existing certification, this can usually be done as part of the usual audit cycle, though you should plan it with the input of your certification body.

For organizations looking to acquire ISO 27001 certification for the first time, given that we are already well into 2023, CompliancePoint recommends that you certify to the 2022 version of the Standard. The certification process involves an external audit by an accredited certification body (CB). The certification body will review your ISMS, conduct interviews with relevant stakeholders, and review documentation to ensure compliance with the new standard. Once the certification is obtained, it is important to maintain the ISMS and continually improve it to remain in compliance.

Whether your organization is already ISO-certified and needs to transition to the 2022 Standard, or is seeking certification for the first time, CompliancePoint has a team of experienced ISO practitioners who can get you on the path to ISO 27001:2022 success. Contact us at connect@compliancepoint.com to learn more about how we can help with the new standard.

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.