The new version of the ISO27001 standard is out, and we’re now into the transition period to move across to the latest requirements and controls. But before we look at how to do this, let’s recap on what’s changed.
So, what’s new in the 2022 standard?
It’s fair to say that this update has been driven almost exclusively by two forces: a desire to make the management system requirements match up with the latest Annex SL structure and wording, and the need to align Annex A of the standard with the 2022 version of the ISO27002 guidance.
Wording changes
Firstly, there are some wording changes in the following clauses:
4.2 Understanding the needs and expectations of interested parties
A third bullet is added to specify “which of these requirements will be addressed through the information security management system”.
4.4 Information security management system
The phrase “including the processes needed and their interactions” is added, requiring more definition of the processes of the ISMS.
5.3 Organisational roles, responsibilities and authorities
The phrase “within the organisation” is added at the end of the first sentence.
6.1.3 Information security risk treatment
The notes are replaced.
6.2 Information security objectives and planning to achieve them
The need to monitor objectives is added to the list.
7.4 Communication
The current wording about communication processes has been replaced with a simple “how to communicate”.
8.1 Operational planning and control
The need to establish criteria for the processes of the ISMS has been added.
Clause changes
There’s a new sub-clause 6.3 Planning of changes, which deals with changes to the management system. It requires any change to be considered from the point of view of its purpose and consequences, the integrity of the ISMS, the resources available, and whether any changes to responsibilities and authorities are involved. This will require a simple planning process to be in place, with evidence that these areas have been considered.
Within Clause 9 (Performance evaluation) sub-clauses 9.2 (Internal audit) and 9.3 (Management review) have been further subdivided into 9.2.1 General, 9.2.2 Internal audit program, 9.3.1 General, 9.3.2 Management review inputs and 9.3.3 Management review results respectively. The two sub-headings in Clause 10 have been swapped around. This is mainly to aid readability and to match the latest definition of Annex SL (also known as the “Harmonised Structure”).
The new Annex A controls
But the main change in the 2022 version of ISO/IEC 27001 is the adoption of a new control set from the ISO/IEC 27002 guidance standard. This is included as Annex A of ISO/IEC 27001. Annex A in its new form consists of a total of ninety-three controls (there were previously 114), of which eleven are stated to be additions to the previous control set. Many controls from the previous version have been merged together, which is why there are now fewer controls than before even though some new ones have been added.
The number of control categories has been reduced from fourteen down to just four, which are:
A.5. Organisational controls (37 controls)
A.6. People controls (8 controls)
A.7. Physical controls (14 controls)
A.8. Technological controls (34 controls)
If you need to understand how the old and new sets of controls relate to each other, this information is included at the back of the ISO/IEC 27002 guidance standard. But if you’re starting afresh with the 2022 version of ISO/IEC 27001, you probably won’t need to know this.
Transitioning from ISO/IEC 27001:2013 to 2022
Organisations currently certified under ISO/IEC 27001:2013 have until October 31, 2025, to transition to the 2022 version. After this date, certificates issued under the 2013 standard will no longer be valid.
To ensure a smooth transition, we would advise the following:
Obtain a copy of the new standard: You can buy a copy from the ISO website, or use our ISO27001:2022 Enhanced Gap Assessment.
Conduct a gap analysis: Compare your current management system with the updated requirements to identify areas needing improvement. (Try our free transitioning checklist to get started.)
Develop an action plan: Create a timeline to address the identified gaps and complete the necessary updates.
Engage with your certification body: Contact your certification body to schedule assessment and transition visits, ensuring completion before the deadline.