Summary
This article delves into the modifications and enhancements incorporated into the ISO 27001 standard, released on October 25, 2022.
It outlines the evolving landscape of technology and security threats, emphasising the necessity for organisations to adapt their security processes.
As businesses embark on the transition journey to ISO 27001:2022, this piece explores the crucial alterations, providing insights into the approaches needed for a seamless transition by the mandated deadline of October 31, 2025.
Even if you are already ISO 27001 certified, this article will help you understand why you should transition.
Understanding ISO 27001
ISO 27001 stands as a global standard defining the framework for an Information Security Management System (ISMS). This systematic approach aids in implementing security controls to manage risks effectively. Covering people, processes, and technology, ISO 27001 guides organisations in safeguarding information assets. Certification is achieved through an external audit, showing compliance with the standard's requirements, and serves as a benchmark for information security management.
Evolution of ISO 27001
Originally published in 2005 and revised in 2013 as ISO/IEC 27001:2013, the latest iteration, ISO/IEC 27001:2022, introduces substantial changes. A notable structural adjustment involves the Annex A controls, which are reorganised, updated, and expanded, aligning with ISO/IEC 27002:2022. This revision prompts organisations to reassess and realign their security processes.
Key Changes to ISO 27001
The management clauses (4-10) have undergone minor adjustments, particularly in areas such as understanding the needs of interested parties, information security objectives, operational planning, and internal audits. Noteworthy is the addition of Clause 6.3, focusing on planning changes to the ISMS. Organisations must ensure meticulous planning, documentation, and evidence retention for effective transition. This is where SAMEC can help take your organisation through the correct steps.
Changes to Annex A Controls
ISO 27001:2022 brings a restructured Annex A with 93 controls, categorised into Organisational, People, Physical, and Technological domains. Eleven new controls address contemporary concerns, including threat intelligence, cloud services security, and data leakage prevention. The restructuring combines controls, reducing the total count from 114 to 93, with contextual updates to some.
Transition Points for ISO 27001:2022
Organisations certified under ISO 27001:2013 have a three-year transition window, ending on October 31, 2025. Certifications based on the earlier version will expire after this period. Those pursuing ISO 27001 for the first time can opt for the 2013 version until October 2023. All new certifications post-November 1, 2023, should align with ISO 27001:2022, emphasising the importance of a prompt transition.
Certification Timeline
Entities holding ISO 27001:2013 certificates must complete the transition within 36 months, with existing certificates still being valid during this period. ISO 27001:2022 certificates will follow the three-year recertification cycle. Transition audits can occur through surveillance, recertification, or special audits, encompassing gap analysis, updates to the Statement of Applicability, and the risk treatment plan. At SAMEC we help organisations protect their information whether they have the older version of ISO 27001 or are completely new to information security.
How to Approach the Transition?
Organisations navigating the transition to the revised Annex A in ISO 27001:2022 can adopt two distinct approaches. The first option involves a meticulous comparison between the existing risk assessment and the newly introduced Annex A controls. This entails evaluating the applicability of the new controls and updating risk treatment plans accordingly.
The Statement of Applicability (SOA) needs modification to incorporate any additions or modifications to controls. Conversely, the second approach entails conducting a fresh risk assessment, identifying pertinent controls from the updated Annex A to manage the associated risks. It is imperative to ensure comprehensive coverage of all relevant Annex A controls during this process.
Amendments to risk treatment plans may have to address new risks, and the creation of a new SOA aligned with the updated controls is crucial. The last step involves updating any documents that reference the outdated set of controls, ensuring a seamless transition to the revised ISO 27001:2022 standards.
If this all sounds a bit too stressful for you, then reach out to SAMEC today and we can guide your transition the way that suits you and your organisation.
In conclusion, this article provides a comprehensive understanding of the key changes in ISO 27001:2022 and offers guidance on the transition process, ensuring organisations are well-equipped to navigate the evolving landscape of information security.