In February 2022 a revised version of ISO 27002:2022 “Information security, cybersecurity and privacy protection — Information security controls” was published with some significant changes.

This is relevant because Annex A of the ISO 27001 standard is based on this control set and so, currently (as of June 2022), the two standards are misaligned.

In October 2022, despite previous reports that ISO 27001:2013 was not going to be revised in 2022, an updated version of ISO 27001:2013 has been released, replacing the Annex A controls with the new ISO 27002 set, but containing no significant changes to the Clause 4 to 10 framework.

This has resulted in a fairly major update to existing Information Security Management Systems (ISMS).

So, should you delay implementing ISO 27001:2022 or start working on the transition now? This will be discussed further below.

See More: What has Changed in ISO 27002:2022?

Should I use the ISO 27001:2022 framework straight away if Getting ISO 27001 Certified?

If you are not yet certified to the ISO 27001 standard you may be considering if you should adhere to the ISO 27001:2022 or ISO 27001:2013 framework.

As noted above, we do not expect any major changes to the framework of the management system. This follows Annex SL and includes requirements for risk assessment, risk treatment and other core themes that are unlikely to change.

It is also important to remember the time frame ISO Certification Bodies work to when a new standard is published. It is unlikely Certification Bodies will immediately begin auditing to the new standard. This is because they need to ensure correct understanding of the standard, auditor competence, UKAS and IAF directives and other practicalities. They will also have to create a transition pathway, discussed more below.

So with that in mind, we would recommend all new projects to be ISO 27001:2022, so that your company is ready when the Certification Bodies are.

During that time your organisation could have been benefiting from the current information security management system standard to manage your information security risks, and getting the benefits of promoting your ISO 27001 Certification.

Although ISO 27002, the control set for the standard, has been updated, Assent’s consultants have been working hard to map the control sets, understand the new themes, structures and controls within the standard, and plan simple ways for our clients to implement the changes when they need to.

So why wait for ISO 27001 Certification? Contact our consultants to get started!

Should I Transition to ISO 27001:2022 Now?

All current ISO 27001:2013 certificates remain valid and we expect, as usual when a new standard is published, there will be a transition period in order to make the change.

So there is no rush to update documents and processes.

However, some clients are keen to be early adopters of the new standard, particularly as the new control set has improved the way it addresses the risks in Cloud Services, and other areas, making it more comprehensive.

With that in mind, Assent’s consultants are ready to help you update your existing framework, map current controls to new ones, and implement newly required policies and procedures.

As mentioned earlier, there are not any significant changes to the clause 4 to 10 framework, so the majority of the changes will be through the risk management process, including the SOA and any supporting policies and procedures.

How Can Assent Help Me with ISO 27001:2022 and ISO 27002:2022?

Since ISO 27002:2022 was published in February, we have held several workshops with the Assent team and our network of associate consultants to break apart the new controls of ISO 27002, and work to fully understand them both on paper and in the real world.

We have developed new documentation to fully address the new requirements, created Awareness Training materials AND updated our trusted ISO 27001 Implementation Project Plan on our cloud-based project tool used by consultants and clients.

We are now also running ISO 27001:2022 workshops to ensure our consultants are up to date with changes in the updated standard and we can help our clients to quickly implement new requirements and make the transition!

Assent also has strong links with the accredited certification bodies, so we can guide you through the transition audit process.

Speak to one of our ISO 27001 Consultants.

Conclusion

Now that ISO 27001:2022 has been published, it is the perfect time to start implementing ISO 27001.

The new control set is more suited to modern information security risks and therefore organisations who adopt them early will benefit from increased cyber resilience.

However, from an ISO Certification perspective, Certification Bodies will not be able to certify to the new version just yet, and there is currently a transition period to allow organisations to make the relevant changes.

Not sure how to proceed? Contact one of our consultants for a free discussion.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
CONSENT	16 years 3 months 23 days 8 hours	These cookies are set via embedded youtube-videos. They register anonymous statistical data on for example how many times the video is displayed and what settings are used for playback.No sensitive data is collected unless you log in to your google account, in that case your choices are linked with your account, for example if you click “like” on a video.
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.

Cookie	Duration	Description
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	These cookies are set via embedded youtube-videos.
yt-remote-device-id	never	These cookies are set via embedded youtube-videos.

When Should I Implement or Transition to ISO 27001:2022?

Should I use the ISO 27001:2022 framework straight away if Getting ISO 27001 Certified?

Should I Transition to ISO 27001:2022 Now?

How Can Assent Help Me with ISO 27001:2022 and ISO 27002:2022?

Conclusion

Robert Clements