In October 2022, ISO 27001:2022 was published as the updated version of ISO 27001:2013, replacing the Annex A controls with the revised ISO 27002:2022 control set. This interview with Robert Clements explores what has changed with the update and how to transition to the new requirements.
What has changed with the ISO 27001:2022 Update?
So with a new standard being released, the previous version, ISO 27001:2013, is no longer current, and everyone needs to move their certifications to the new version. Obviously, there’s a process to that and it takes a little bit of time.
If we talk about what’s changed, the biggest change is in the control set. ISO 27001 has an annex, Annex A, and that’s got lots of controls in there that you can use to treat your various information security risks; that’s been revised. The changes aren’t hugely different, but they’ve been updated really for the world as it is today.
The update includes a lot more around cloud services and cloud infrastructure, and also the names of the controls are slightly different. They include privacy and cybersecurity now as well, so it’s a much broader field, and that’s where the big changes are.
In what you might call the framework itself, clauses four to ten of the standard, there have only been very minor changes, and those were more to bring it into line with other standards like ISO 9001 Quality Management and ISO 14001 Environmental Management. It already aligned pretty well, but as time has gone on and they’ve evolved, ISO 27001:2022 has just been updated to reflect that.
How to prepare and transition to ISO 27001:2022?
The first thing that you should do is, if you’ve got a consultant like Assent Risk Management, talk to them, because they’ll be prepared and ready. They’ll be talking to the certification bodies, and they’ll also be seeing how other customers are dealing with this, which is a real benefit of using a consultant.
But you don’t have to use a consultant; you can make the changes on your own. My advice would be to first get a copy of the standard. I would recommend getting a copy of ISO 27001:2022, and also the supporting standard, ISO 27002:2022. At the end of that standard, there’s a mapping annex that shows you the old control against the new control.
That is really helpful if you have the time to map everything across and update your policies and procedures and whatever needs doing.
Obviously, you should always look at the risk assessment and keep that up to date, looking at your objectives etc. That’s the first step: find out what’s changed, try and map across what you’ve got already, and apply any updates or create any new procedures or policies that you need to meet the standard in line with your risks.
After that, before you go ahead with the certification transition, I would recommend an internal audit. They are always worth doing because that really helps to identify any weaknesses in the system. And those internal auditors should be impartial and should be separate from what they’re auditing. It’s a good opportunity for someone to have a fresh look at what the standard is asking for and what you’ve applied and get someone to assess that.
How long is the transition period for ISO 27001:2022?
It’s always really difficult to talk about timelines for clients because it depends on what else they’ve got going on in their business, for example, if they’ve got any other projects, or how many people are working on it. But generally from the people I’ve spoken to in the industry, other consultants and people from the certification bodies, I think we all agree that it’s a fairly straightforward update. There are no major changes, everything’s just been updated a little bit to align with what people are doing.
But in terms of the certification process, there are some deadlines. In the UK, most of the certification bodies are governed by UKAS, which is the accreditation body, and they’ve set out a timeline. So from the end of April 2023, they will be ready to assess certification bodies themselves, because the auditors that certify need to be competent and know what they’re doing and have the right processes in place. All of the UKAS certification bodies need to have completed that process by the end of October 2023. That’s the deadline for the certification bodies to complete the transition for themselves.
But also at that point, any new certificates they issue must be against the new version of the standard, ISO 27001:2022. And as consultants, what we’re saying to our inquiries and our clients now is really, there’s no point implementing the old one (ISO 27001:2013); they instead should really implement the new standard. So if you’re a new client and putting this in for the first time, it’s slightly easier. Obviously, it takes a little bit of time to build the system and put that in place, but in terms of the certification, the certification body will be certifying you to the new version.
If you’ve already got certification, then we need to go through a transition process with your existing certification body. Firstly, that depends on when they’re accredited. That’s anytime between the end of April and the end of October, so somewhere in that timeline, they’ll be ready. There is a process where certification bodies can issue you a certificate before that, but it would just not be UKAS accredited. What they would tend to do is, when they achieve the UKAS accreditation, they would reissue the certificate for you, providing that they’ve met all the requirements that they need to.
When transitioning to ISO 27001:2022 from ISO 27001:2013, do you need to have an audit?
The certification bodies are dealing with it slightly differently, but essentially the principle is that the certification body would need to audit the new controls and the new system. They need to be able to show that they’ve checked that you’re compliant. Some of the certification bodies are doing a pre-audit, also known as a checklist or ready list review. They’re adding that on at the start. I think the UKAS guidance is that it would just be one additional day of auditing or something similar. But how you fit that in, whether that’s a separate audit to transition, or whether you have that as part of your surveillance audit or your recertification, depends on the certification body you’re working with. The best thing to do is ask about their process. And as you know, we deal with lots of different certification bodies and see how they deal with it differently, so you can always come to us for help and advice on that as well.
How can Assent support the transition to ISO 27001:2022?
We’re here to help with anything that you might need, whether that’s just dealing with a certification body and understanding that process, or whether it’s a whole support package to help you transition to the new version of the standard.
There are a number of ways we can approach that. We have a gap analysis exercise, where we look at what you’ve got already and what the new standard wants, and we identify what those gaps are. That’s quite good because, at the end of that process, you’ll have a gap analysis report, and the report will list a number of items to work on. Basically, it becomes a bit of a to-do list that works really well going on from there.
As we have some experience with what’s required to meet the new standard, we can help you draft policies and check that the same processes are up to date, so we can help in a consultancy capacity to do that.
If you’ve done a lot of the work yourself and you feel that you’re ready to certify to the new standard, we would tend to recommend an internal audit. As I mentioned before, the internal audit is a really good process to check and test your system before the certification body comes in, and we can provide that service.
And being an external party, we’re completely impartial. We’re not auditing our own work, so it actually works really well to bring us in to do that. And then, any findings from that audit, we can help you to fix or advise on how to correct them.
Finally, we’ve got some other useful tools. We’ve got some online training through our Lorators brand. At the moment, there’s still a free course on there, so you could take that to get an idea of what’s new, what the requirements are, and we can come up with other solutions, like in-house training for your staff, such as awareness training. Anything related to ISO and international standards, we’ve normally got a solution for it, so just contact us, and we’ll be happy to help.