In February 2022 a revised version of ISO 27002:2022 “Information security, cybersecurity and privacy protection — Information security controls” was published with some significant changes.
This is relevant because Annex A of the ISO 27001 standard is based on this control set and so, currently (as of June 2022), the two standards are misaligned.
In October 2022, despite previous reports that ISO 27001:2013 was not going to be revised in 2022, an updated version of the standard (ISO 27001:2022) was released, replacing the Annex A controls with the new ISO 27002 control set but containing no significant changes to the Clause 4 to 10 framework.
This has resulted in a fairly major update to existing Information Security Management Systems (ISMS).
So, should you delay implementing ISO 27001:2022 or start working on the transition now? This will be discussed further below.
Should I Use the ISO 27001:2022 Framework Straight Away if Getting ISO 27001 Certified?
If you are not yet certified to the ISO 27001 standard, you may be considering whether to adopt the ISO 27001:2022 or the ISO 27001:2013 framework.
As noted above, we do not expect any major changes to the framework of the management system, which follows Annex SL and includes requirements for risk assessment, risk treatment and other core themes that are unlikely to change.
It is also important to remember the time frame ISO Certification Bodies work to when a new standard is published. It is unlikely that Certification Bodies will immediately begin auditing to the new standard, because they first need to ensure a correct understanding of the standard, auditor competence, compliance with UKAS and IAF directives, and other practicalities. They will also have to create a transition pathway, discussed further below.
With that in mind, we would recommend that all new projects be implemented against ISO 27001:2022, so that your company is ready when the Certification Bodies are.
During that time your organisation could already have been benefiting from the current information security management system standard to manage its information security risks, and from the promotional value of its ISO 27001 certification.
Although ISO 27002, the control set for the standard, has been updated, Assent’s consultants have been working hard to map the control sets, understand the new themes, structures and controls within the standard, and plan simple ways for our clients to implement the changes when they need to.
So why wait for ISO 27001 Certification? Contact our consultants to get started!
Should I Transition to ISO 27001:2022 Now?
All current ISO 27001:2013 certificates remain valid and we expect, as usual when a new standard is published, there will be a transition period in order to make the change.
So there is no rush to update documents and processes.
However, some clients are keen to be early adopters of the new standard, particularly as the new control set has improved the way it addresses the risks in Cloud Services, and other areas, making it more comprehensive.
With that in mind, Assent’s consultants are ready to help you update your existing framework, map current controls to new ones, and implement newly required policies and procedures.
As mentioned earlier, there are no significant changes to the Clause 4 to 10 framework, so the majority of the changes will come through the risk management process, including the Statement of Applicability (SoA) and any supporting policies and procedures.
Contact us today to start implementing the new requirements of ISO 27002:2022.
How Can Assent Help Me with ISO 27001:2022 and ISO 27002:2022?
Since ISO 27002:2022 was published in February, we have held several workshops with the Assent team and our network of associate consultants to break apart the new controls of ISO 27002, and work to fully understand them both on paper and in the real world.
We have developed new documentation to fully address the new requirements, created Awareness Training materials and updated our trusted ISO 27001 Implementation Project Plan on the cloud-based project tool used by our consultants and clients.
We are now also running ISO 27001:2022 workshops to ensure our consultants are up to date with the changes in the updated standard, so that we can help our clients quickly implement the new requirements and make the transition!
Assent also has strong links with the accredited certification bodies, so we can guide you through the transition audit process.
Now that ISO 27001:2022 has been published, it is the perfect time to start implementing ISO 27001.
The new control set is better suited to modern information security risks, and therefore organisations that adopt it early will benefit from increased cyber resilience.
However, from an ISO Certification perspective, Certification Bodies will not be able to certify to the new version just yet, and there is currently a transition period to allow organisations to make the relevant changes.
Not sure how to proceed? Contact one of our consultants for a free discussion.