ISO 27001 is an internationally accepted standard specifically focused on your organization’s information security management system (ISMS). Following ISO 27002 guidelines, ISO 27001 is used to help manage the security of your services, leveraging your overall security posture against one of the most in-depth standards out there.
All ISO standards are officially reviewed at least once every five years to remain current and reflect new and evolving security challenges. ISO 27001:2013 was the latest version, and this year the standard was updated, adding a few new changes and controls.
Let’s take an in-depth look at what you can expect from ISO 27001:2022 and how your organization can best transition with the recent updates.
Important Updates for ISO 27001:2022
Most updates to ISO 27001:2022 are minor, which means you can rest assured your organization won’t need to go through a major overhaul with your security program. Main ISO 27001:2022 changes can be broken down into two parts:
- Changes to the management system clauses, and
- Changes to the Annex A controls.
Management System Clauses
For the 2022 version, there’s been a small change to ISO 27001 management system clauses which address clauses 4.4 and 8.1.
- Clause 4.4 adds to the context of the organization, including the requirement to identify necessary processes and their interactions within your ISMS.
- Clause 8.1 adds a requirement to define process criteria.
Additionally, minor clarifications and specifications have been made to a handful of other management system clauses.
Annex A Controls
Annex A controls updates are moderate and have been derived from ISO 27002:2022, which was released earlier this year. Organizationally, the former 14 families of Annex A are now focused on four themes: organizational, people, physical, and technological.
Most controls have stayed the same or been renamed, and another group of controls were merged to reduce the total number of controls. However, the requirements within those controls are almost all the same.
The biggest change has been the addition of 11 new controls, added to reflect new and evolving security areas. Specifically, the control categories are as follows:
- Threat intelligence
- Information security for the use of cloud services
- Information and communications technology for business continuity
- Physical security monitoring
- Configuration management
- Information deletion
- Data masking
- Data leakage prevention
- Monitoring activities
- Web filtering
- Secure coding
For further details and descriptions of these controls, we recommend purchasing the ISO 27001 and 27002 standard and reviewing those documents with your team.
Transitioning to ISO 27001:2022
When conforming to the newly updated ISO 27001:2022 standard, there’s a three year transition period for all organizations. ISO 27001:2013 certificates will expire or be withdrawn no later than October 31, 2025. For organizations working toward a certification, companies are eligible to certify against the 2013 version up until October 31, 2023.
If your organization obtains an active certification, don’t worry—there’s plenty of time to make the necessary changes.
A few tips for transitioning your certification to the updated ISO standard include:
- Start by reviewing the standards and updating your ISMS and statement of applicability to align with the revised requirements;
- Incorporate these changes into your risk assessment and management review so that key parties at your organization are on board with the changes; and,
- Reach out to BARR for guidance on the logistics of the transition. We’re happy to help!
For organizations working toward certification, start incorporating the new standards into your preparations today. Certification bodies will require you to be ready to certify against the new standard by April 30 of 2023, though most will be ready to certify prior.
Standard updates and the associated transition process can sometimes feel a bit daunting, but BARR is here to walk your teams through the process and reduce some of the burden.
Interested in learning more about how ISO 27001:2022 can benefit your organization? Contact us for a free consultation.