In February 2022 a revised version of ISO 27002, published as ISO 27002:2022 “Information security, cybersecurity and privacy protection — Information security controls”, was released with some significant changes.
This is relevant because Annex A of the ISO 27001 standard is based on this control set and so, currently (as of June 2022), the two standards are misaligned.
Therefore, despite previous reports that ISO 27001:2013 was not going to be revised in 2022, much of the industry is now expecting an updated version towards the end of the year. That version is expected to replace the Annex A controls with the new ISO 27002 set while making no significant changes to the Clause 4 to 10 framework.
If this does occur it still represents a fairly major update to existing Information Security Management Systems (ISMS).
So, should you delay implementing ISO 27001 or start working on the transition now? This will be discussed further below.
See More: What has Changed in ISO 27002:2022?
Should I Wait for ISO 27001:2022 to Be Published Before Getting ISO 27001 Certified?
If you are not yet certified to the ISO 27001 standard you may be considering delaying the process until a new version of the standard is published.
Whether this is a viable option depends on your driver for achieving certification and your desire to manage information security risks.
As noted above, we do not expect any major changes to the framework of the management system. This follows Annex SL and includes requirements for risk assessment, risk treatment and other core themes that are unlikely to change.
It is also important to remember the time frame ISO Certification Bodies work to when a new standard is published. It is unlikely Certification Bodies will immediately begin auditing to the new standard. This is because they need to ensure correct understanding of the standard, auditor competence, UKAS and IAF directives and other practicalities. They will also have to create a transition pathway, discussed more below.
So with that in mind, although the standard may be published in 2022, ISO 27001:2022 certification may not be properly available until some time afterwards.
During that time your organisation could have been benefiting from the current information security management system standard to manage your information security risks, and getting the benefits of promoting your ISO 27001 Certification.
Although ISO 27002, the control set for the standard, has been updated, Assent’s consultants have been working hard to map the control sets, understand the new themes, structures and controls within the standard, and plan simple ways for our clients to implement the changes when they need to.
So why wait for ISO 27001 Certification? Contact our consultants to get started!
Should I Transition to ISO 27001:2022 Now?
As of June 2022, ISO 27001:2022 has not been published; only the guidance in ISO 27002:2022 has changed.
Therefore all current ISO 27001:2013 certificates remain valid and we expect, as usual when a new standard is published, there will be a transition period of around 3 years in order to make the change.
So there is no rush to update documents and processes.
However, some clients are keen to be early adopters of the new standard, particularly as the new control set has improved the way it addresses the risks in Cloud Services, and other areas, making it more comprehensive.
With that in mind, Assent’s consultants are ready to help you update your existing framework, map current controls to new ones, and implement newly required policies and procedures.
As mentioned earlier, we do not believe there will be any significant changes to the Clause 4 to 10 framework, so the majority of the changes will come through the risk management process, including the Statement of Applicability (SOA) and any supporting policies and procedures.
Contact us today to start implementing the new requirements of ISO 27002:2022.
How Can Assent Help Me with ISO 27001:2022 and ISO 27002:2022?
Since ISO 27002:2022 was published in February, we have held several workshops with the Assent team and our network of associate consultants to break apart the new controls of ISO 27002, and work to fully understand them both on paper and in the real world.
We have developed new documentation to fully address the new requirements, created Awareness Training materials and updated our trusted ISO 27001 Implementation Project Plan on the cloud-based project tool used by our consultants and clients.
So while we can’t be 100% certain what will be in the ISO 27001:2022 version, we are in a strong position to quickly implement new requirements and make the transition!
Assent also has strong links with the accredited certification bodies, so we can guide you through the transition audit process.
Now ISO 27002:2022 has been published, it is only a matter of time before those changes are reflected in ISO 27001.
The new control set is more suited to modern information security risks and therefore organisations who adopt them early will benefit from increased cyber resilience.
However, from an ISO Certification perspective, the new version of ISO 27001 has not yet been published, and when it is there will be a transition period to allow organisations to make the relevant changes.
Not sure how to proceed? Contact one of our consultants for a free discussion.