You may well be aware that a new version of the ISO27002 guidance standard was published in February 2022. This replaces the previous 2013 version and now lists a total of 93 controls grouped into four themes, namely Organizational, People, Physical and Technological. There are eleven new controls and the concept of using attributes has been introduced to allow varying views of the controls to be achieved according to your needs.
All well and good. But the main interest of many people in the industry has been around when the ISO27001 requirements standard will be updated to use the new set of controls within its Annex A. The expectation was that we would be seeing a correspondingly new version of ISO27001 during this year, presumably called ISO/IEC 27001:2022.
But it’s now clear that this is not the case. The team that manages the standard within ISO and IEC (Joint Technical Committee 1, Sub-Committee 27 if you’re interested) has decided that an Amendment to the existing standard will do the job instead. It’s worth explaining what this means as it’s likely to cause confusion further down the line.
If a change to an existing standard is relatively minor then ISO can simply publish an amendment, which will henceforth be known as “AMD1”, as in “ISO/IEC 27001:2013-AMD1”. The rules say that they can only do this twice, so there could be an Amendment 2 in the future, but not a 3. We can get a pretty good idea of what will be included in this amendment because a draft is available for purchase from the ISO website for the princely sum of CHF 16 (Swiss Francs).
To save you looking down the back of the sofa for sixteen Swiss Francs we’ve purchased the draft for you and can therefore tell you what it contains. It’s a fifteen-page document with two parts of interest: firstly, two of the notes accompanying Clause 6.1.3 have been updated slightly; secondly, the contents of Annex A are replaced with a (landscape, for some strange reason) table showing the new list of controls from the updated ISO27002:2022.
And that’s it. But remember it’s a draft and voting has closed recently so there could be changes made, but we’re not holding our breath.
Those of you expecting a fully revamped ISO/IEC 27001:2022 are allowed to be a bit disappointed; it’s ok. The impression I have is that ISO is pretty happy with the Annex SL high-level structure format and doesn’t want to mess about with it unnecessarily, so the changes are basically limited to Annex A of ISO27001 for now. However, the ISO27001 standard is still dated 2013 (if we ignore the minor corrections in 2014 and 2015, and the European version in 2017, which is the 2013 standard plus the corrections, just to confuse everybody), and standards are intended to be reviewed by ISO every five years. So it would seem that ISO27001 is overdue for a review, wouldn’t it? Well, you may have missed it, but ISO conducted a review in 2019 and confirmed the standard as is, so we probably have to wait until 2025 before they give it their full attention once more.
What does this mean for organizations that are already certified to ISO27001 and those who are just starting out? Well it means that when the amendment is published an organization will then be able to become certified to the ISO/IEC 27001:2013 standard, plus the amendment, possibly written “ISO/IEC 27001:2013 + AMD1:2022” or similar. There will almost certainly be a transition period during which certification to just ISO/IEC 27001:2013 will remain valid.
Technically, an organization could continue to use the old set of controls as long as it maps them to the new set and explains any discrepancies, but since it would probably still have to implement the eleven new controls in ISO27002:2022, this may be of debatable usefulness.
To be fair, ISO has never stated that there would be a new version of ISO27001, so all of the above makes perfect sense if you have a reasonable understanding of the standards maintenance process which of course the vast majority of us don’t. Some might say that SC27 could be a bit better at communication and head off any confusion in matters such as these, maybe via the odd helpful blog article on the ISO website. Just a thought.
CertiKit is a provider of ISO toolkits, consultancy and internal auditing services, and has helped more than 4000 organizations worldwide with their compliance.