How to transition to ISO 27001:2022
This guide demystifies ISO 27001, exploring the key changes in the new standard and how these updates can benefit organizations. Check out the roadmap for transitioning to ISO 27001:2022, along with tips for maximizing the benefits of the transition.

- ISO 27001:2022: The new standard for information security
- Why is it important to transition to ISO 27001:2022?
- ISO 27001:2022 transition timeline
- What are the key changes in ISO 27001:2022?
- What has changed in ISO 27001:2022?
- The new structure of Annex A controls in ISO 27001:2022
- Your roadmap to transition to ISO 27001:2022
- Your practical steps to getting ISO 27001 certified
ISO 27001:2022: The new standard for information security
Transitioning to ISO 27001:2022 is a significant undertaking, but with the right knowledge and resources, the process becomes simpler.
ISO 27001 is the international standard for information security management systems (ISMS). It provides a framework for managing information security risks and protecting sensitive data.
The latest version of ISO 27001, published in 2022, includes several significant changes. They are designed to make the standard more relevant to the current threat landscape and help organizations improve their information security posture.
Why is it important to transition to ISO 27001:2022?
There are a number of reasons to transition to ISO 27001:2022, such as:
- To comply with the current edition of the international standard for information security management
- To protect sensitive data from cyber threats
- To demonstrate to customers, partners, and other stakeholders that the organization is committed to information security
- To improve the organization's overall risk management processes
- To reduce the risk of data breaches and other incidents
- To improve the organization's efficiency and effectiveness
- To further improve the maturity of the confidentiality, integrity, and availability (CIA) of the organization's data
ISO 27001:2022 transition timeline
The transition period for ISO 27001:2022 began on October 31, 2022, and will end on October 31, 2025. During this time, organizations that are already ISO 27001:2013 certified have three years to adapt to the new standard.
Here is a detailed timeline of the transition period:
- October 31, 2022: The transition period begins
- May 1, 2024: From this date, all first-time (initial) certifications should be to the ISO 27001:2022 edition
- July 31, 2025: All transition audits should have been conducted by this date
- October 31, 2025: The transition period ends. Certificates for ISO/IEC 27001:2013 will no longer be valid after this date
Organizations that are already certified to ISO 27001:2013:
- Can continue to operate under their existing certification until October 31, 2025
- Must transition to ISO 27001:2022 before then to maintain their certification
- Will need to undergo a transition audit (typically combined with a scheduled surveillance or recertification audit) to verify their compliance with the new standard
What are the key changes in ISO 27001:2022?
The new edition of ISO 27001 introduces several significant changes, including:
A focus on risk-based thinking
The standard continues to emphasize identifying information security risks and treating them in a way that fits the organization. Note that the 2013 edition was already risk-based (clause 6.1); what the 2022 edition changes is the control set you select from during risk treatment and how objectives and changes are planned and tracked, not the risk-based approach itself.
A greater emphasis on the importance of people and culture
The new standard recognizes that people are a critical element of any information security program. It emphasizes the importance of creating a culture of information security within the organization. This includes things like training employees on information security best practices and promoting a security-minded mindset throughout the organization.
The introduction of new controls to address current threats
The new standard includes a number of new controls that address areas the 2013 edition did not cover explicitly, such as the use of cloud services, threat intelligence, data leakage, web filtering, and secure coding. These new controls are designed to help organizations protect their information assets in today's technology landscape.
A new way of breaking down the standard
The new standard regroups the Annex A controls into four themes based on the kind of control (organizational, people, physical, and technological) rather than the 14 domains of the 2013 edition, which simplifies what was previously a more complicated breakdown.
What has changed in ISO 27001:2022?
Here are some of the specific changes in each clause of the standard:
- Context and scope: Clause 4.2 now requires you to determine which of the interested parties' requirements will actually be addressed through the ISMS, and clause 4.4 requires the processes needed for the ISMS and their interactions to be identified. In practice this means documenting which stakeholder requirements (regulators, customers, suppliers, employees, and others) are in scope, rather than simply listing every interested party.
- Planning: Clause 6.2 now requires information security objectives to be monitored and kept as documented information, and a new clause 6.3 requires changes to the ISMS to be carried out in a planned manner. The 2013 edition already required objectives; the change is the explicit expectation that they are tracked and that changes to the ISMS are planned.
- Support: Clause 7.4 on communication has been simplified to what, when, with whom, and how to communicate, so organizations need to define how information security risks and issues are communicated to staff and other relevant parties.
- Operation: Clause 8.1 now requires control of "externally provided processes, products or services" that are relevant to the ISMS. The 2013 edition referred only to outsourced processes; the 2022 wording is broader and explicitly covers suppliers and cloud service providers.
The new structure of Annex A controls in ISO 27001:2022
The new ISO 27001 edition reorganizes the Annex A controls into four categories: organizational, people, physical, and technological. This is a significant improvement over the previous version, which had 14 control categories. The new structure makes it easier to select and implement the controls that are most relevant to your needs.
- The organizational category has 37 controls that address the overall management of information security. These controls include things like establishing an information security policy, assigning information security roles and responsibilities, managing supplier relationships, and handling incidents.
- The people category features 8 controls that address the role of people in information security. They include things like training employees on information security best practices, screening new hires, and defining responsibilities on termination or change of employment.
- The physical category contains 14 controls that address the physical security of information assets. Example measures include securing buildings and facilities, protecting computer rooms and equipment, and managing the secure disposal of storage media.
- The technological category contains 34 controls that address the technological aspects of information security. These controls cover things like malware protection, network security, cryptography, logging and monitoring, and managing access to information systems.
The new structure of Annex A controls is a significant improvement over the previous version. It makes it easier for organisations to implement an effective information security management system and protect their information assets from a wide range of threats.
ISO 27001:2022 includes eleven new controls
In addition to the new structure, ISO 27001:2022 also includes 11 new controls. These address areas such as cloud services, threat intelligence, data leakage, and secure development that the 2013 control set did not cover explicitly. The new controls also give organizations more options for mitigating risks during risk treatment.
The new controls are:
- Threat intelligence (5.7): Collecting and analyzing information about potential threats to the organization's information security, and feeding it into risk treatment and detection.
- Information security for the use of cloud services (5.23): Assessing and managing the risks associated with acquiring, using, and exiting cloud services.
- ICT readiness for business continuity (5.30): Ensuring that information and communications technology (ICT) systems remain resilient and can be recovered in disruption scenarios, based on business continuity requirements.
- Physical security monitoring (7.4): Continually monitoring premises for unauthorized physical access and responding promptly to incidents.
- Configuration management (8.9): Establishing, documenting, and enforcing secure configurations (including baselines) for hardware, software, services, and networks.
- Information deletion (8.10): Securely deleting information held in systems, devices, and storage media when it is no longer required.
- Data masking (8.11): Limiting exposure of sensitive data, for example through pseudonymization or anonymization, so that only the data needed for a given purpose is visible.
- Data leakage prevention (8.12): Preventing sensitive information from being disclosed or extracted (intentionally or otherwise) outside the organization.
- Monitoring activities (8.16): Monitoring networks, systems, and applications for anomalous behaviour and evaluating potential information security incidents.
- Web filtering (8.23): Managing access to external websites to reduce exposure to malicious content.
- Secure coding (8.28): Applying secure coding principles throughout software development.
Depending on your scope and requirements, these new Annex A controls may require you to add or update a substantial number of documents, policies, and procedures in your ISMS (for example a cloud services policy, a data retention and deletion procedure, secure coding guidelines, and configuration baselines), potentially 20 or more.
Your roadmap to transition to ISO 27001:2022
The transition to ISO 27001:2022 can seem like a daunting task, but it is important to remember that it is a journey, not a destination. By following a structured roadmap, you can make the transition smoother and more effective.
Here are the key steps in your roadmap to transition:
- Raise awareness: The first step is to raise awareness of the transition within your organization. This includes communicating the benefits of the new standard, as well as the timeline and relevant requirements.
- Conduct a change analysis and gap assessment: Once you have raised awareness, you need to conduct a change analysis and gap assessment. This will help you identify the areas where your current information security management system (ISMS) needs to be updated to meet the requirements of ISO 27001:2022.
- Review and update documentation: Once you have identified the gaps, you need to review and update your ISMS documentation. This includes your policies, procedures, and work instructions, as well as your Statement of Applicability, which must be remapped to the 93 controls of the 2022 edition.
- Perform an internal audit: Once your documentation is updated, you need to perform an internal audit to ensure that your ISMS is compliant with the new standard.
- Conduct a transition gap assessment: After the internal audit, you need to conduct a transition gap assessment. This will help you identify any remaining gaps that need to be addressed before you can fully transition to ISO 27001:2022.
- Undergo a transition audit: Once you have addressed all of the gaps, you need to undergo a transition audit with your certification body. This is a final check to ensure that your ISMS is compliant with the new standard.
- Maintain continuous improvement: Once you have transitioned to ISO 27001:2022, it is important to maintain continuous improvement. This means regularly reviewing your ISMS to ensure that it is still effective in protecting your information assets.
In addition to these key steps, there are a few other things you can do to make the transition to ISO 27001:2022 smoother and more successful. These include (and are not limited to):
- Get buy-in from senior management
- Use a certified transition partner
- Set realistic goals and milestones
- Communicate regularly with stakeholders
- Use the transition as an opportunity to improve your overall information security posture and risk management capabilities
- Consider using the transition as a way to consolidate or streamline your ISMS processes
- Use the transition to communicate the importance of information security to your employees and other stakeholders
By taking a proactive approach to the transition, you can make it a valuable asset to your organization.
Your practical steps to getting ISO 27001 certified
ISO 27001:2022 provides a comprehensive approach to securing your information systems and data. It's more than just a checkmark in a to-do list; it bolsters the security and confidentiality of your data. Contact our experts today, and we'll guide you through it.
Frequently asked questions
What is the main difference between ISO 27001:2013 and ISO 27001:2022?
The main differences between ISO 27001:2013 and ISO 27001:2022 lie in the structure of Annex A controls and alignment with modern cybersecurity needs. Here’s a breakdown:
- ISO 27001:2013 = 114 controls in 14 domains.
- ISO 27001:2022 = 93 streamlined controls in 4 themes, with 11 new controls reflecting cloud services, threat intelligence, and modern cyber risks.
- The management system requirements (clauses 4–10) remain largely the same; the biggest shift is in the Annex A control restructuring and modernization.
How long do companies have to transition to ISO 27001:2022?
Organizations that are already certified to ISO 27001:2013 have a transition period of 3 years to move to ISO 27001:2022. An overview of the key dates:
- ISO/IEC 27001:2022 was published in October 2022.
- The transition period is 3 years, which means:
  - All certifications must be updated to ISO 27001:2022 by October 31, 2025.
  - After this date, ISO 27001:2013 certificates will no longer be valid.
What are the risks of not transitioning from ISO 27001:2013 to ISO 27001:2022 before October 31, 2025?
The risks of not transitioning from ISO 27001:2013 to ISO 27001:2022 before the October 2025 deadline are both compliance-related and business-related. An overview:
- Loss of ISO certification after October 31, 2025.
- Inability to meet contractual or commercial requirements that depend on a valid certificate.
- Reputational harm with customers, partners, and regulators.
- A weaker security posture, because the new controls (cloud services, threat intelligence, data leakage prevention, and others) are never implemented.