How to Prepare for the new ISO 27001:2022
ISO/IEC 27001:2022 has been published. Below are the key changes, the transition timelines and the steps needed to move successfully from the 2013 edition.
What has changed?
The main change is the update of Annex A to align with ISO/IEC 27002:2022. The key changes to the Annex A controls are:
- Category Restructure
- 11 new controls
- 24 merged controls
- 58 updated controls
New Categories:
The controls have been regrouped from the previous 14 domains into 4 themes:
People: controls that concern individual people, such as remote working, screening, and confidentiality or non-disclosure agreements (8 controls)
Organisational: controls that apply to the organisation as a whole, e.g. policies for information security, return of assets, and information security for use of cloud services (37 controls)
Technological: controls that apply to technology, such as secure authentication, information deletion, data leakage prevention, or outsourced development (34 controls)
Physical: controls that apply to physical premises and equipment (14 controls)
New Controls Introduced:
The total number of controls has been reduced from 114 to 93. The 11 new controls are:
- Threat Intelligence
- Information Security for Cloud Services
- ICT Readiness for business continuity
- Physical Security Monitoring
- Monitoring Activities
- Web Filtering
- Secure Coding
- Configuration Management
- Information Deletion
- Data Masking
- Data Leakage Prevention
Timelines to Transition
There is a 3-year transition period, with 31 October 2025 as the final deadline. For organisations already certified to ISO 27001:
- Until October 2023, audits may be conducted to ISO/IEC 27001:2013 or ISO/IEC 27001:2022 at the organisation's request
- Non-conformances with the additional requirements of the 2022 edition are to be raised as areas that need to be addressed
- From October 2023, all audits shall be conducted to ISO/IEC 27001:2022
For those organisations looking to certify to ISO 27001:
- Organisations applying for certification before the date of issue of the 2022 edition will be assessed against ISO/IEC 27001:2013
- Organisations applying for certification after the date of issue of the 2022 edition will be assessed against ISO/IEC 27001:2022
Please note: additional audit time will be required to cover the transition from ISO 27001:2013 to ISO 27001:2022, as the auditor must verify the new and changed requirements in addition to the normal audit scope.
How to Prepare for ISO/IEC 27001:2022
Here are the key things to do to complete the transition:
- Conduct a gap analysis of your current ISMS and controls against the 2022 requirements and the restructured Annex A
- Consider the control attributes introduced in ISO/IEC 27002:2022 (control type, information security properties, cybersecurity concepts, operational capabilities and security domains), which can be used to filter and group controls
- Update your Statement of Applicability to map existing controls to the new 93-control structure and to justify the inclusion or exclusion of the 11 new controls
- Consider the resources (time, people and audit days) needed to transition before the deadline
For more information regarding the transition process, please contact Sustainable Certification