New ISO 27001:2022 released – Finally!

Hot off the press – ISO 27001:2022 has been published!

The much-anticipated update to ISO 27001:2013 has arrived. The new version of the standard, released on October 25, 2022, aligns with the new version of ISO 27002:2022. ISO 27002 has been extended to address global cybersecurity challenges and the modern risks present in today’s information security environment.

Here, we will explain the changes to ISO 27001, and how these changes affect organisations that are certified or thinking about certifying to ISO 27001.


What has changed in ISO 27001:2022?

New title

The title of the standard has changed. The new title “ISO/IEC 27001:2022 – Information security, cybersecurity and privacy protection — Information security management systems — Requirements” better reflects the purpose of the standard, which is to specify the requirements for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS), with Annex A providing the reference set of information security controls.

Renaming the 2022 version confirms that the focus is not just on information security but also on the more technical aspects of cybersecurity, cloud services and threat intelligence, as well as the human elements that come with privacy protection, securing information assets and improving digital trust. It also aligns with the new title of ISO 27002, which likewise calls out cybersecurity and privacy protection as part of the control suite it provides.

Updated Annex A: The biggest change has already happened!

The biggest change to ISO 27001:2022 is the complete revamp of Annex A. The new Annex A contains the revised control set from the substantially updated ISO 27002:2022: the 114 controls in 14 domains of the 2013 version have been consolidated into 93 controls in four themes (organisational, people, physical and technological), including 11 new controls. Annex A also now refers users to the 2022 (not the 2013) version of ISO 27002 for implementation guidance.

We covered the ISO 27002:2022 changes in more detail in an earlier post, when ISO 27002 was updated to the 2022 version.

Changes to Clause 6.1.3 – Risk Treatment

The changes to ISO 27001 Clause 6.1.3 are minor but important. They include:

  • The note to 6.1.3 c) now describes Annex A as containing “a list of possible information security controls”, rather than “a comprehensive list of control objectives and controls”.
  • The note stating that control objectives are implicitly included in the controls chosen has been removed.
  • The statement that the controls listed in Annex A are not exhaustive, and that additional controls may be needed, now refers only to information security controls rather than to control objectives and controls.
  • The term “control objectives” has been replaced by “controls” throughout.
  • 6.1.3 d), the requirement to produce a Statement of Applicability, has been reformatted from a single sentence into a list for ease of reading.

New Clause 6.3 – Planning of Changes

There is a new clause, 6.3 – Planning of Changes: when the organisation determines the need for changes to the ISMS, those changes must be carried out in a planned manner. (We would be very surprised if you weren’t doing this anyway!)

Other changes to ISO 27001:2022

In addition to the updated controls in Annex A and the changes to Clause 6, there are some further small changes to the management system clauses, aligning them with the harmonised structure (Annex SL) shared by ISO management system standards. These changes (some are really small!) include:

  • Refinement of 4.2 Understanding the needs and expectations of interested parties
  • Refinement of 8.1 Operational planning and control
  • Splitting 9.2 Internal audit into 9.2.1 General / 9.2.2 Internal audit programme
  • Splitting 9.3 Management review into 9.3.1 General / 9.3.2 Management review inputs / 9.3.3 Management review results

These, alongside other minor editorial changes focused on clarity or simplification and a renumbering of clauses, should not have a significant impact on the way your ISMS is implemented or operated.

However, these are all changes (particularly those to Annex A), and they require certification bodies to update their accreditation. Certification bodies are expected to do so within 12 months of publication of the standard, so that they can start certifying against the new version.

What do you need to do?

Our organisation has already implemented an ISMS based on ISO 27001:2013, what should we do now?

This is the most common question we get.

You certainly do not need to panic. Existing ISO 27001:2013 certificates remain valid during the transition period, and certification bodies are not yet accredited to audit against the new version of the standard.

There will be a transition period to allow certification bodies to make the change: accredited certification bodies need to establish an ISO/IEC 27001:2022 certification scheme and train their auditors on the revised standard.

We’ve been advised that the transition period is likely to be 12 to 18 months, to allow organisations to adopt ISO 27001:2022, meaning that you won’t be audited against the new version of the standard until at least the end of 2023 or early 2024.

We’ve completed our Stage 1 audit, do we need to update to the new ISO 27001:2022?

Again, don’t panic. There will be a transition period of at least 12 months (see above). So, unless there is a huge delay between your Stage 1 and Stage 2 audits, you can continue and be audited against the old ISO 27001:2013. However, you will be expected to transition to the new standard as part of your subsequent surveillance audits.

We’ve done our Gap Analysis, do we need to update to the new ISO 27001:2022?

Our recommendation would be to move to the new versions of both ISO 27001 and ISO 27002 now if you’re still at the gap analysis stage.

Remember – Annex B of ISO 27002:2022 (Table B.1 and Table B.2) provides an easy crosswalk between the new ISO 27002:2022 controls and the old ISO 27002:2013 controls, in both directions. It will help you quickly identify what’s changed, what’s stayed the same and what’s new.

We like the new ISO 27002. Its language is easier to understand, it is laid out more clearly, and it includes some really helpful additional controls. The new attributes (control type, information security properties, cybersecurity concepts, operational capabilities and security domains) also add value, because they let you filter and group the controls in the way that best suits your organisation.

We particularly like the more targeted controls around cloud suppliers (5.23 Information security for use of cloud services), secure coding (8.28 Secure coding) and privacy protection (5.34 Privacy and protection of PII). We recommend moving to the new ISO standards, or at least starting to think about some of the changes, earlier rather than later.

The Transition to ISO 27001:2022

The changes to ISO 27001 aren’t big, but they shouldn’t be ignored. As with any audit, preparation is key. We wouldn’t advise leaving it until the last minute to meet your new obligations.

We highly recommend purchasing yourself a copy of the new version now that it has been released.

Organisations can start implementing ISO 27001:2022 immediately, meaning you will be a step ahead of the certification bodies when they start auditing against the new standard.

How can Privacy 108 Help?

ISO 27001:2022 ensures you can align your ISMS with the most up-to-date best-practice so your organisation’s information security practices are resilient enough to address evolving security threats – vital in today’s increasingly digital world.

Please contact us to request a full list of changes to the new ISO 27001:2022 or a free session on what the changes might mean for you.

Our team of privacy and information security experts are available to assist you at any time with your privacy and security needs.

We are familiar with ISO 27001, 27002 and 27701 and other ISO standards and can support you in the design, implementation, maintenance and review of your Information Security Management System.


Sarah has extensive business experience in compliance and risk, internal audit, and policy development.