Get in touch

Get in touch

  • This field is for validation purposes and should be left unchanged.

Privacy Notice

X

When you submit an enquiry via our website, we use the personal data you supply to respond to your query, including providing you with any requested information about our products and services. We may also email you several times after your enquiry in order to follow up on your interest and ensure that we have answered your it to your satisfaction. We will do this based on our legitimate interest in providing accurate information prior to a sale. Your enquiry is stored and processed as an email which is hosted by Microsoft within the European Economic Area (EEA). We keep enquiry emails for two years, after which they are securely archived and kept for seven years, when we delete them.

Reveal Menu

Transitioning to ISO 27001:2022

The new version of the ISO27001 standard is out, and we’re now into the transition period to move across to the latest requirements and controls. But before we look at how to do this, let’s recap on what’s changed.

So, what’s new in the 2022 standard?

It’s fair to say that this update has been driven almost exclusively by two forces; a desire to make the management system requirements match up with the latest Annex SL structure and wording, and the need to align Annex A of the standard with the 2022 version of the ISO27002 guidance.

Image showing transitioning to ISO27001:2022

Wording changes

Firstly, there are some wording changes in the following clauses:

  • 4.2 Understanding the needs and expectations of interested parties
    • A third bullet is added to specify “which of these requirements will be addressed through the information security management system”.
  • 4.4 Information security management system
    • The phrase “including the processes needed and their interactions” is added, requiring more definition of the processes of the ISMS.
  • 5.3 Organizational roles, responsibilities and authorities
    • The phrase “within the organization” is added at the end of the first sentence.
  • 6.1.3 Information security risk treatment
    • The notes are replaced.
  • 6.2 Information security objectives and planning to achieve them
    • The need to monitor objectives is added to the list.
  • 7.4 Communication
    • The current wording about communication processes has been replaced with a simple “how to communicate”.
  • 8.1 Operational planning and control
    • The need to establish criteria for the processes of the ISMS has been added.

Clause changes

There’s a new sub-clause 6.3 Planning of changes which deals with changes to the management system and requires any changes to be considered from the point of view of their purpose and consequences, the integrity of the ISMS, the resources available, and whether any changes to responsibilities and authorities are involved. This will require a simple planning process to be in place, with evidence that these areas have been considered.

Within Clause 9 (Performance evaluation) sub-clauses 9.2 (Internal audit) and 9.3 (Management review) have been further subdivided into 9.2.1 General, 9.2.2 Internal audit program, 9.3.1 General, 9.3.2 Management review inputs and 9.3.3 Management review results respectively. The two sub-headings in Clause 10 have been swapped around. This is mainly to aid readability and to match the latest definition of Annex SL (also known as the “Harmonized Structure”).

The new Annex A controls

But the main change in the 2022 version of ISO/IEC 27001 is the adoption of a new control set from the ISO/IEC 27002 guidance standard. This is included as Annex A of ISO/IEC 27001. Annex A in its new form consists of a total of ninety-three controls (there were previously 114), of which eleven are stated to be additions to the previous control set. Many controls from the previous version have been merged together, hence why there are now fewer controls than before, and yet also some new ones.

The number of control categories has been reduced from fourteen down to just four, which are:

  • A.5. Organizational controls (37 controls)
  • A.6. People controls (8 controls)
  • A.7. Physical controls (14 controls)
  • A.8. Technological controls (34 controls)

If you need to understand how the old and new sets of controls relate to each other, this information is included at the back of the ISO/IEC 27002 guidance standard. But if you’re starting afresh with the 2022 version of ISO/IEC 27001, you probably won’t need to know this.

Transitioning from ISO/IEC 27001:2013 to 2022

If your organization is currently certified to the 2013 version of the ISO/IEC 27001 standard or you’re working toward that using a previous version of the CertiKit Toolkit, you have a number of options.

For the first 18 months of the three year transition period for ISO/IEC 27001:2022 you could still become certified to the 2013 version of the standard, especially if you’ve already put a lot of work in towards that. You would then need to move over to the 2022 version before the end of the transition period.

If you’d rather go straight for certification to ISO/IEC 27001:2022 then (as well as ensuring you address the relatively minor changes to the management system requirements) you’ll need to map your documentation across to the new Annex A controls. Helpfully, there is a mapping both ways included in the Annexes of the ISO/IEC 27002:2022 guidance standard and that is what we have used in migrating our toolkit across from the 2013 to the 2022 set of controls. This is really another reason to invest in a copy of ISO/IEC 27002:2022 for your organization.

Another main area that will need some attention is Clause 6. Planning which covers risk assessment and the statement of applicability. You may need to update your risk assessment if it makes reference to specific Annex A controls, and your statement of applicability will need to list the new 2022 control set rather than the one from the 2013 version of the standard.

If your document referencing scheme includes the Annex A control areas in its structure you may need to consider amending that so that it remains consistent.

Lastly, the list of policies referenced by your Information Security Policy may need updating with the additional policies required for the new controls in Annex A of ISO/IEC 27001:2022.

This transition is a good opportunity to check through all of your ISMS documentation to find any other references you may have made to specific Annex A controls, and which will need to be amended.

Once you can satisfy your auditor that your ISMS has moved across to the 2022 set of controls, your certification is ready to be updated to ISO/IEC 27001:2022.


More ISO27001 resources

CertiKit are a provider of ISO toolkits, consultancy and internal auditing services, and have helped more than 4000 organizations worldwide with their compliance.

For more guidance on implementing the ISO27001:2022 standard, we’ve put together a list of our best free resources including video guides, blogs and downloadable documents.

Free ISO27001 Resources

We’ve helped more than 7000 businesses with their compliance

Testimonials

I like the fact that the documents are very comprehensive and more than sufficient for compliance.

Infoslips
South Africa

View all Testimonials