ISO 27001:2013 was updated to ISO 27001:2022 at the end of October. Let’s figure out what your business should do with ISO 27001 updates
In October 2022, ISO 27001 was updated in response to emerging cybersecurity challenges.
ISO 27001 is an internationally recognized certification standard that assures your clients that you have a mature information security program. It also boosts your company’s reputation and gives it a competitive advantage.
The new version of ISO 27001 introduces new controls and a new approach to organizing them. Let’s dig deeper into the ISO updates.
ISO/IEC 27001 is one of the world’s most reputable standards for managing an organization’s Information Security Management Systems (ISMS). The standard details requirements for establishing, implementing, maintaining, and continually improving ISMS.
ISO 27001 was initially published in 2005, revised in 2013, and revised again most recently at the end of 2022. The main purpose of the latest update was to align the standard with ISO 27002:2022, which was published earlier. [NOTE: ISO 27002 isn’t a certification standard but a companion to ISO 27001 that provides guidance and explains the purpose, design, and implementation of each control in greater detail.] The other reason was to make the standard more manager-oriented rather than IT-specialist-oriented.
ISO 27001 consists of ISMS requirements and Annex A controls. The ISMS part of the standard outlines the required components and activities within the program management. Annex A lists security controls that must be selected and implemented based on a security risk assessment.
ISO 27001 certification is valid for three years. However, certified companies must conduct annual surveillance audits to maintain the certification status.
ISO Clauses 4 – 10 – the building blocks for the certification process – and Annex A, which serves as the primary tool for managing information security risks, have undergone major changes. These changes will affect your certification process, so let’s see exactly how.
The Clauses were slightly modified to align ISO 27001 with other ISO management standards. The most substantial changes revolve around planning and defining process criteria, as well as monitoring standards. Overall, the updates to the Clauses are minor wording and structural changes. For example, ambiguity and outdated language were removed from Clause 6: Planning. The changes to Clause 4, Understanding the Needs and Expectations of Interested Parties, require organizations not only to identify interested parties but also to define the interested parties’ requirements and identify how those requirements are met. The 2022 version also introduces a new Clause 6.3: Planning for Changes.
Annex A, in turn, underwent more significant changes. Namely, its security controls – the mechanisms used to prevent, detect and mitigate cyber threats – are now grouped differently. Previously, ISO 27001 had 114 controls organized into 14 domains, or simply control families. These control families ranged from Information Security Policies to Supplier Relationships. That many controls proved too complicated and confusing.
So, some controls were added, some merged, some renamed, and some removed. Now there are 93 controls grouped into four main themes, very similar to the HIPAA structure:
Overall, the updates promote a better understanding of how Annex A controls help secure information assets, because the controls are now written in plain language. In other words, they are written to be more easily interpreted by non-technical management.
We suggest focusing your attention on the controls added to Annex A, as they can change your approach to the ISMS and ISO certification as a whole. The 11 new controls added to Annex A include:
The updates to ISO 27001 don’t impact your existing certification, at least until 2025. Furthermore, you may still pursue certification against ISO 27001:2013 until October 31, 2023. However, you will need to prepare for the new ISO certification sooner or later: October 31, 2025, is the deadline for certification against ISO 27001:2022. This means you shouldn’t waste time and should start updating controls and processes to comply with the new requirements now.
Companies that are only planning certification and must undergo the certification process for the first time should review our previous article, How to obtain ISO 27001 Certification?
Those who already hold the certification should update their existing processes and documents. Your next steps may look like this:
We recommend you start with updating your Statement of Applicability (SOA) to match the new ISO structure. The document identifies applicable security controls and provides a rationale when controls are not applicable.
You can implement all the missing controls during this stage. When shifting to ISO 27001:2022, you need to map your existing controls to the newly revised standard and determine what changes your company should make to achieve certification. Gap remediation is the most resource-intensive and time-consuming stage of the process and requires sufficient commitment and resources.
Be ready to conduct an audit against the new standard as early as 2024, well before the ISO deadline of October 31, 2025. Also, remember that only an accredited certification body can perform the certification audit. The audit process consists of two phases: a review of the organization’s ISMS, followed by a review focused on the implemented controls (Annex A). When both stages are completed without any non-conformities, the organization receives the ISO 27001 certification.
Planet 9 has consulting experience helping clients become and remain compliant. Our experienced Chief Information Security Officers and compliance managers have years of experience working with the ISO 27001 standard.
Depending on your internal resources’ expertise and availability, Planet 9 can completely or partially assist with the following:
Contact our Planet 9 team for more details. We’ll be happy to assist!