ISO 27001 was first published in 1999 and has gone through several changes since then. It has been nine years since ISO/IEC 27001 was last revised (in 2013). Even though ISO 27001:2013 was validated in 2019 — in other words, the authorities confirmed that the Information Security Management System standard required no changes at that time — ISO 27001 still needed improvement to align with current working models and the evolving technology landscape.
What was the need for the change?
These changes are being made in response to evolving business practices such as remote working models and “bring your own device” practices, an increased dependency on cloud services, and an increasing focus on data privacy. These changes are focused on improving the efficacy of your ISMS within your organization.
How much has changed?
The changes in the ISO 27001:2022 revision are small to moderate. The main part of the standard, which deals with the Information Security Management System, continues to have 10 clauses. There are minor additions and deletions of requirements in some sub-clauses; however, no significant requirement has been deleted. Prima facie, the second part, Annex A, seems to have undergone a significant change: the number of controls has been reduced to 93 from the earlier 114, and the number of sections has dropped to 4 from the earlier 14. However, these changes are primarily the result of restructuring existing controls and adding a few new ones.
What are the major changes?
- The name of the standard itself has changed to “Information security, cybersecurity and privacy protection – Information security management systems – Requirements” from the earlier version of “Information technology – Security techniques – Information security management systems – Requirements”. This indicates the increasing focus of the standard on cybersecurity and privacy.
- The structure of the ISO 27001 guidelines has undergone moderate changes:
  - No significant requirements for the ISMS have been deleted from the earlier ISO 27001:2013. Slight modifications have been made to the mandatory clauses 4 to 10 to align with ISO 9001, ISO 14001, Annex SL, and other ISO management system standards.
  - There are 5 additional requirements in the management system.
- Annex A has gone through major structural changes. The number of controls has been reduced from 114 to 93.
- 11 new controls have been added to Annex A security controls.
- The 93 controls have been restructured into four control groups:
  - Organizational controls – Clause 5, contains 37 controls
  - People controls – Clause 6, contains 8 controls
  - Physical controls – Clause 7, contains 14 controls
  - Technological controls – Clause 8, contains 34 controls
Frequently Asked Questions (FAQs)
The certification and accreditation bodies have given all organizations sufficient time to migrate to the updated standard. Organizations can choose to certify against the revised ISO 27001:2022 standard from Oct 25, 2022. Organizations that are already certified to ISO 27001:2013 will be given a migration window of 3 years and will need to migrate to the revised standard by Oct 31, 2025.
The changes expected are moderate, with no changes in technology.
Organizations can, and should, start right away and train internal auditors on the revised standards. They can start conducting internal audits as per the new standard before surveillance or recertification audits to ease the transition to the new standard.
For example, they could start learning about the controls of ISO 27002:2022, update their risk treatment procedures to reflect the new controls, update their documents to match, update and improve their Statement of Applicability, and modify specific parts of their current policies and procedures as needed.
There is no need for a separate audit for the updated ISO 27001 standard. The migration to the updated standard can be done during surveillance or recertification audits. The certification bodies might spend additional audit days to cover the new standard's requirements as part of the migration.
The control mapping on the platform will be updated in accordance with the revised standard by November 15, 2022. You will be able to check your compliance with the revised ISO 27001 standard without having to do anything.
Our team of security and privacy experts can help you with answers to any questions you might have about the revised standards. Schedule a demo today to understand more about how you can implement the revised standards.