ISO 27001:2022 has been published
ISO 27001 is the internationally recognised information security standard. Obtaining ISO 27001 demonstrates to clients and prospects that you take information security seriously.
In this article, we’ll break down the key things you need to know about the latest version of the standard, what’s changed, and what it means to you if you are already certified or thinking about becoming certified.
This article covers:
Why has the ISO 27001:2013 standard been updated?
The standard had not been updated since 2013. The update reflects the rapid change in technologies over the last 9 years and a significant increase in cybersecurity threats.
What has changed in ISO 27001:2022?
There is an increased focus on cybersecurity, which has resulted in a number of changes to the Annex A controls. However, the ISMS (Information Security Management System) outlined in the standard’s clauses has not significantly changed.
The previous 114 controls, divided into 14 categories, are being replaced by 93 controls divided into 4 themes. Each control also now has a number of attributes (tags) associated with it. These tags can be used to more easily identify a specific group of controls and manage the ISMS.
Clauses within the standard have some rewording, a few deletions, a new clause and some renumbering. There is an increased emphasis within Clauses 4 and 8 on planning, implementing and controlling the processes that need to be undertaken to manage risk. Previously, many businesses would detail what should be done within a company policy but omitted to detail how, i.e. exactly what processes would be undertaken, when they would be completed, and by what method their success would be verified.
The four key areas updated in ISO 27001:2022:
We currently hold ISO 27001:2013 certification. What do we need to do?
You have until October 31st 2025 to update your ISMS and transition your certification to ISO 27001:2022. After October 31st 2025 all ISO 27001:2013 certificates will cease to be valid.
You can transition to the new framework whilst undertaking your annual surveillance audit or at recertification (3 years after initial audit). The transition assessment will review whether you have updated your information security management system to meet the new requirements of ISO 27001:2022.
Adoptech has made it easy!
ISO 27001:2013 controls are mapped automatically from the old to the new framework which means no re-entry of data. You can also plan, track and collate evidence that the control processes necessary to manage risk are being successfully completed.
Not an existing Adoptech client? Don’t worry, join us and we will do the hard work for you. Our analysts will upload your existing 2013 ISMS data to Adoptech and it will be automatically mapped.
We are new to ISO 27001. Which version should we work towards?
Waiting for the ability to get certified against the new standard will likely leave your company at greater cybersecurity risk and impact sales. The 2013 version is valid until 2025 and, with Adoptech’s automated mapping between the old and new standard, time won’t be wasted if you work towards the 2013 certification.
Auditors are likely to start supporting the 2022 version in Q2 2023 at which point the Adoptech team will help clients migrate in plenty of time for their next external audit.
Key takeaways
Before you decide to embark upon ISO 27001 certification or as you approach re-certification, consider the following:
- You do not need to transition to ISO 27001:2022 until October 2025
- Auditors are not likely to start supporting the new standard until Q3 2023
- Transitioning to the new framework doesn’t need to be hard. Adoptech automatically maps your existing control data across multiple frameworks, including the latest version of ISO 27001, so that you don’t have to re-enter any data.
Talk to an expert
Got questions about ISO 27001 or the transition to the latest version? We’ll convert them into answers. Book a call with an ISO expert or open a chat.