After the revised version of ISO 27002:2022 ‘Information security, cybersecurity and privacy protection – Information security controls’ was published in February 2022, it was expected that an updated version of ISO 27001:2013 would be released later in the year. As expected, this week ISO 27001:2022 was published, replacing the Annex A controls with the new ISO 27002 set.
This interview with Robert Clements explores what has changed with this update and what it means for current and new clients.
What has changed with ISO 27001:2022?
We’ve been waiting for this all year, since ISO 27002 was updated in February 2022, and that updated the list of controls in the standard, which are used in Annex A of ISO 27001. So we were expecting that there would be a new version of ISO 27001 coming out soon. And it’s finally here in October 2022, and we are very excited.
What are the new requirements for ISO 27001:2022?
If we take the controls first, these are in Annex A of the standard. In the previous list of controls there were 114 of them, so quite a few. Most people will know it’s not just IT security, but Information Security as a whole. Now, [in this] version, there are 93 controls instead of 114, so they’ve been consolidated a little bit.
It’s also significant to say that the title of the standard has changed a little bit, so it now [not only] includes Information Security, but also Cybersecurity and Privacy Protection. So some of the controls are a bit more expanded. There are some controls that have been removed completely, 24 of them have been merged and 11 of them are new.
How can existing clients move to the new standard?
Standards update all the time anyway when they go through a review cycle; there’s nothing unusual about that. I think the first thing clients should do is look at what they’re doing already and compare that against the new requirements. So that would be either completing a gap analysis or working with a consultant like Assent, and we’ll be able to tell you what’s been changed and how you can adapt your system. There’s a bit of a process there. Obviously, there are new requirements, so that’s going to require some new policies or new processes to implement. An Assent consultant can advise on that. Once you’ve done that, I think the next thing to do is an internal audit, because then you can tell if the new things that you put in place are actually working and are going to do the job for you. So Assent can go through that process, and then finally it would be a case of engaging with the certification body to come and do the transition. We do think there’s going to be a transition period. For other standards, that would normally be about three years, although we aren’t sure what it is in this case, but we hope to find out soon.
Can organisations make the transition to ISO 27001:2022 now?
Yes, organisations can make the change now. What you do in your own system is up to you. That doesn’t affect your certificate. I think it’s probably a good idea to start now that the standard has officially been published, because we know that those requirements are set in stone for a while. So the sooner the better really; get a head start on it, I say.
What does the ISO 27001:2022 update mean for new clients?
New clients should be adopting the new standard from the outset. The standard is much broader now; it covers not only information security but also cybersecurity and privacy. It’s a much more holistic approach. So really, as with any standard, go through the process, either on your own or with a consultant like Assent. We offer a gap analysis process to start with, which is normally the best way to start, but you can always reach out to us and we can advise you.
Thank you, Robert, for taking the time to talk about the ISO 27001:2022 update. For more information on how to transition, or to start your ISO journey, contact Assent.