S2 E20: ISO 27001: 2022 Common Challenges and Solutions

Jordan Eisner: So, hello everyone and welcome back to Compliance Pointers. I’m your host, Jordan Eisner, and I’m the VP of Sales with CompliancePoint. I’ve been with the organization for a little over 10 years, and I have the honor of hosting this podcast.

And today I’m joined by Jim Tierney. Jim works in our security assurance group here at CompliancePoint, one of five focused practice areas we have. And Jim is a well-known SOC 2 expert, right, in the world. Of course, no, I’m just kidding. But definitely in these circles, right, he’s our SOC 2 guru, works with a majority of our clients that we’re helping ready and prepare for SOC 2 audits.

But Jim also has expertise in ISO 27001. And really the topic today is talking about the transition from ISO 27001, version 2013, to version 2022, right? And some of the common challenges organizations might face with the transition and some solutions to those challenges.

Jim, prior to joining CompliancePoint, spent a good career with PWC, right, Jim?

Jim Tierney: Yep.

Jordan Eisner: Several years there, several different roles. But actually was in charge of the internal, right, annual SOC 2 attestation, right, is my understanding, in addition to, you know, his expertise in terms of technical systems there, you know, operational controls and other things from a data security standpoint. And has been a great addition to the team here at CompliancePoint and is beloved by clients and will no doubt be beloved by the podcast audience, right, on this call today.

So, you know, you need no further introduction after that.

Jim Tierney: Yeah, no, thanks, Jordan. I appreciate it. Yeah, SOC 2 at PWC, among other audits. So, I also fielded all the, you know, I assisted on several ISO 27001, 2013 audits before the version upgrade occurred and then plenty of client audits, internal audits, so all around the horn.

Jordan Eisner: It’s all the same. You dream in audits.

Jim Tierney: That’s right. I’m the counter audit task force.

Jordan Eisner: There you go. I like that. CATF, C-A-T-F. All right. All right.

Well, let’s talk first about where we are. Where are we in the transition timeline? Is 2013 officially out? Is there a grace period? Are we on to 2022? Right? What’s that look like?

Jim Tierney: Well, there’s still transition time, so everyone’s got to transition by October 31st of 2025. But realistically, I would say the next full cycle, you know, organizations should be, you know, kicking off the new version.

Jordan Eisner: Okay, so Halloween next year. Yep. Okay. Well, that helps frame it from time to time. So, there’s still some time, right, for organizations to continue to certify or recertify, right, depending on what year they are.

Jim Tierney: Yeah, I would imagine from the audit bodies you’re going to start, you know, anyone on the 2013 is going to start getting pressured to upgrade at least by their next full cycle. So, I would anticipate that you’re going to hear more and more about it as it gets closer. So, I’d say the window is probably closing a little faster than the final deadline, just because of the way, you know, audit bodies tend to operate. You know, they’re going to want to, you know, make that shift at the first reasonable time for you.

Jordan Eisner: Okay. Well, what are some common challenges, right? Let’s get into that. So, making this transition, making this shift. If organizations are going to maybe start feeling a little bit sooner before that, they probably need to start planning and anticipating that. So, what are some common challenges you’re seeing they can expect as part of transitioning from 2013 to 2022?

Jim Tierney: For moving from 2013 to ISO 27001: 2022, I would say there’s some internal change management that needs to occur because you have some different controls. There are actually fewer overall, but some in new areas. So, you’ll have to get your key control owners and stakeholders on board with what the transition means. New control areas, you’ll have to get management buy-in because it could require some, you know, other resources or tools and certainly planning.

The good news is if you were at the, if you were, if you already have an ISMS in place, then while the shift is significant, you have things in place that will translate. You know, you will have already have a functioning internal audit. You will have, you know, a documented ISMS. So, it’s revisiting documentation that you already have and making sure that you have coverage over the new controls.

I would not overlook the change management piece of this internally because a lot of, depending on your organization and how many audits you endure, you know, often just the audit fatigue itself means you want to be clear with stakeholders about what those changes are. So, you know, having the GRC team, Governance Risk and Compliance, do the homework and lifting on what exactly is changing for each stakeholder and then pulling them in and talking to them ahead of the shift will help reduce the friction of the challenge in transition.

Jordan Eisner: Makes sense. So, maybe more tactically, how should organizations address these challenges right now? That’s what they are and something that they need to consider. But how would you recommend going about doing it?

Jim Tierney: I would recommend making sure that leadership is behind the shift. Know that there’s not really going to be a choice much longer as far as shifting to the new standard. That usually gets management’s attention there. They don’t want to lose their ISO certification. So, and then, you know, maybe prior to going to management identify, you know, pull down the new standard, compare it to your current control environment, and see what changes you’ll need to put in place. So, there are new areas that you’ll need control over, and then there are some controls that can be consolidated. So, that won’t be much, but you want to be able to clearly show management what the differences are so that they can plan accordingly.

So, do that homework before that discussion. You know, here’s what it’s going to take for us to meet the 2022 standard. And at that point, once they’re like, okay, make it happen, then you’re going to want to break out the controls by control owner and have those conversations with those groups and see what changes they’re going to have to implement in how they’re managing their areas. That way, you’re very pointed with, you know, what exactly will change, what may change in their process, and of course, you know, be in the governance, risk, and compliance group, aligning your documentation to the new standard will be key.

Jordan Eisner: And to reframe it too for everybody, right? It’s not like we’re starting from scratch, right?

Jim Tierney: Yeah, and I don’t know if, you know, if any of our listeners were, you know, part of their first, you know, ISO certification for the organization. That can be a considerable effort from a documentation perspective, from assigning ownership of controls and really getting the ISMS in place. So the good news is you’re not doing all of that again. It’s more, hey, what, how do our existing controls and you may have, you know, controls that are outside of ISO because of, you know, particular contractual commitments. Maybe you have other frameworks to which you align at the same time. Maybe you also get a SOC 2 every year. So a lot of the controls you’ll be able to use, but I would say, you know, to have the best conversation with leadership and stakeholders, control owners in your organization, I recommend doing the heavy lifting of, you know, telling them exactly what they need. Because you have to remember that GRC people are the ones who really own this from a full-time perspective. Most systems admins, for instance, have a lot of system administration to do. A lot of the, you know, log engineers logging and risk identification, you know, they have very busy areas.

So you want to make it as easy for them to understand what’s changing as you can, because, you know, ultimately you’re going to be dependent on their procedures for the evidence when the auditors come in. So you want to make them happy by doing, you know, some of the, at least the homework piece.

Jordan Eisner: How realistic is it to do all this internally, right? Are organizations getting third-party help? With ISO, you have to have a third party, obviously, for the certification. I know a lot of companies additionally use a third party for some internal independence. But what about, you know, this is not either of those per se, but it’s more so readying, right, for the transition. Would you recommend a third party or, you know, what circumstances would you want to know about an organization before you made that decision?

Jim Tierney: Yeah, you know, given, you know, the changes, if I had the opportunity I would engage a third party just because it’ll help expedite what the key changes are. So someone who’s seen the transition, what kind of roadblocks they’ve encountered and other engagements, I would like the opportunity where I’m looking at doing this for my organization to build off of what people have already seen. Just because time is of the essence. So if someone can save you time, then I recommend considering some outside help. Someone who’s been through the transition with several clients that can, you know, identify the, what I like to call the usual suspects or obstacles that have come up in other organizations so that I can, you know, expediently deal with those. And move seamlessly from 2013 to 2022.

So, you know, you probably can do it yourself. It’s, you know, it’s just more kind of homework and a little bit of guessing of, you know, where the sticking points might be. But if you have, you know, ISMS trained personnel and you can, you know, shift them, you know, they would need extra time away from their particular duties to really focus in on the exact changes and what that means for your organization. But if they’re kind of already managing a large complex program, it might be a little much to ask them to also shift an entire organization to from 2013 to 2022.

So in those instances, I would, you know, look to outside help to just help kind of identify a clear path and to avoid snafus that, you know, they’ve seen in the past so that you can deliver it for your management in an efficient way.

Jordan Eisner: How long would you anticipate? Right. This should take somebody focused on it.

Jim Tierney: I think the transition could be three to six months would give, because you always have, you know, getting time with control owners. You need some time to actually focus on what the changes are. You know, do a gap analysis of the new requirements versus the control framework you typically operate from, you know, given that, you know, we’re having this discussion because someone’s already, you know, 2013 certified. You know, you have kind of those measured out and mapped, but kind of remapping the new control set would be, you know, what I would say would be the upfront work. I’d say typically, for whatever reason, things that seem like they could take 30 days take 90. So I would say probably 90 days to get geared up.

Jordan Eisner: To allocate time to check your work and to have peace of mind that you’re ready and not rush it.

Jim Tierney: You don’t want to rush in and then find out that, you know, preventable errors are there and there’s nothing to do about it once the auditor ships them.

Jordan Eisner: Okay. I think we knew this would be short and sweet. I think this was both short and sweet, which is good. Right. Quick hitter for our listeners. Anything additional you would add or you think we didn’t check?

Jim Tierney: No, we got the high-level gist.

Jordan Eisner: That’s a good plug there. Right. If somebody has more questions and they want to talk more specifics on the transition and, you know, where compliance could help or what they even need to know from an ISO 27001: 2022 conversation standpoint, we’re happy to do that. So Jim and myself are both on LinkedIn. Reach out to us that way. And then CompliancePoint has many channels that you can come to us with: phone number, website, email address, all on our website. Sorry. Phone number. Yeah. Yeah. Email address on our website. I think I said our website was on our website. That’s a given.

So for the listeners out there, if you want to learn more, talking more specifics, please don’t hesitate to reach out. We’ll continue to post content like this and keep our subscribers abreast of changes and what they need to do.

So until next time, Jim, thanks for your time.