In today’s fast-evolving landscape, concepts, regulations and industry standards are constantly changing to fit industry needs. Staying up to date with the latest trends and changes is critical to ensure that your business remains compliant, efficient and even competitive. By doing so, organisations can adapt swiftly, avoid potential costly missteps and take advantage of the new opportunities to maintain the highest level of operational integrity. Find out what Robert Clements, Founder and CEO of Assent Risk Management, has to say about ISO 27001:2022. He provides valuable insights, discussing the transition guide, recommended timeframes and best practices for a smooth transition.
Key Changes to ISO 27001:2022 – What’s New in the Standard
With the release of the new version, the previous version, ISO 27001:2013, is no longer current, so everyone needs to move their certifications to the new version. That is a process, and it does take time. In terms of what has actually changed, the biggest change is in the control set: Annex A of ISO 27001 has been revised, with the number of controls reduced from 114 to 93. These are divided into four categories: organisational, people, technological and physical.
The update centres more on cloud services and cloud infrastructure, and the names of the controls are also slightly different, with privacy and cybersecurity now included. In the framework itself, clauses 4 to 10 of ISO 27001 have had minor changes to bring the standard more in line with other standards such as ISO 9001 and ISO 14001.
How to Prepare Your Organisation for a Smooth ISO 27001:2022 Transition
To prepare for the transition, the most important recommendation, if you are not going through a consultant, is to acquire a copy of the standard: get a copy of the 2022 update of ISO 27001 and the supporting standard ISO 27002:2022. There is a mapping annex at the end of the standard that shows each old control against the new control, which is extremely useful for mapping everything across and updating existing policies and procedures. A huge benefit of having a consultant such as Assent Risk Management is that they will already be prepared to help you: they will be talking to the certification bodies and analysing how other customers are dealing with the change. It is crucial to apply any updates, or create new procedures or policies, that meet the standard in line with your risks.
Another tip to prepare for the transition is to carry out an internal audit to identify any weaknesses in the system, provided the audit is impartial. It offers a fresh look at what the standard is asking for and what has actually been applied.
ISO 27001:2022 Transition Timeline and Certification Deadlines
With so many variables, it is hard to put an exact number on the transition period for clients, as it depends on many factors specific to them. Like every organisation, businesses have other things going on in the background, such as other projects, and how many people are working on those projects matters. However, it has been widely agreed across businesses and the certification bodies that the update is straightforward: there are no major changes, just minor updates to align existing policies and procedures, so disruption should be minimal.
In terms of the certification process, there are deadlines. In the UK, most certification bodies are governed by UKAS (the United Kingdom Accreditation Service), which has set out a timeline from April 2023 to complete the process by October 2023. This process ensures that the certification bodies are assessed, meaning that the certified auditors are competent and have the correct processes in place. During this time, any new certificates issued must be against the new version of the standard, ISO 27001:2022.
As for timing, it is slightly easier for new clients to implement the updated version, as they build the system and put it in place from the start, than for those who already hold certification, as they will have to go through the transition from old to new. Certification bodies can issue you a certificate before the timeframe above, but that certificate is not UKAS-accredited. Once UKAS accreditation has been achieved, the certificate will be reissued, provided that all requirements have been met.
Generally, the certification body will need to audit the new controls and the updated system to show they have checked that you are compliant; this may include a pre-audit, a checklist or a readiness review. The UKAS guidance is that this would consist of something like an additional day of auditing, whether as a separate transition audit, as part of an existing surveillance audit or even as part of recertification, depending on the certification body.
How Assent Risk Management Supports a Successful ISO 27001:2022 Transition
Assent will provide you with what you need, whether that is dealing with the certification body and understanding its processes, or a whole support package to help you transition. Assent uses a gap analysis exercise to compare what you have against what the new standard requires, and provides a report listing the things that need to be worked on. Assent can help draft policies or check that processes are up to date, providing recommendations to meet the new standard. As an external party, Assent can provide an impartial service to check and test the system before the certification body comes in, and advise on any fixes still needed. Assent also offers plenty of other useful tools, such as online training, in-house training and more.
Get Started
If you have any questions or want to start your ISO journey, don’t hesitate to contact us.