You may be aware that ISO recently published a new version of the ISO27002 guidance for information security and the big question was when and how they would update the ISO27001 requirements standard to match it.
We blogged on this previously, and the rather surprising plan was for ISO to issue an Amendment to the ISO27001 standard rather than publishing a new version. We wondered what this meant for people wanting to work towards certification: presumably they would need to buy the 2013 version of the ISO27001 standard and Amendment 1 as well, and use the combination of the two documents to understand what was required. Once certified, the assumption was that the certificate would state ISO/IEC 27001:2013 plus Amendment 1:2022, which seems a bit of a mouthful.
Anyway, it turns out (we assume) that we weren’t the only ones to feel this would confuse people: as of 30 May 2022 the project to produce Amendment 1 has been deleted on the ISO website and replaced with a final draft (an FDIS) of the full ISO/IEC 27001 standard.
So we will have an ISO/IEC 27001:2022 after all it seems.
When? Our guess is somewhere between July and September which we freely admit is suitably vague given the lack of information from ISO.
Is this an embarrassing climb-down on the part of ISO? Well, technically and procedurally the Amendment route was probably the correct way to go given the nature of the changes involved, but it adds a layer of complexity that would fox many people, and who needs that kind of confusion? We feel ISO has listened to the concerns that were most likely expressed as part of the consultation and has been brave enough to do the right thing. So well done ISO, we say.
Watch this space for further updates, gossip and rumours about the new standard as they happen.