Preparing for ISO 27001:2022. What You Need to Do.

With the new ISO 27001 standard now at draft status, an updated version is imminent. If you already operate an information security management system, a number of documents will need updating, and some new policies may be needed.

The Resilify.io team have been preparing new documentation templates and policies since the release of ISO 27002:2022 in February 2022, in anticipation of an update to the main certified standard.

What has Changed?

Here are the main changes:

  • New title for ISO 27002: “Information security, cybersecurity and privacy protection — Information security controls”.
  • Control set has been revised down from 114 to 93 controls.
  • Just 4 control categories: organisational, people, physical and technological.
  • 24 Merged Controls.
  • 11 New Controls.

What needs to be updated?

Any references to Annex A control numbers will need to be updated for consistency across your ISMS. The main documents that need updating are:

  • Statement of Applicability,
  • Risk Assessment & Treatment Plans.

In addition, the following new controls may need documentation, such as a policy:

  • Threat Intelligence
  • Information Security for Use of Cloud Services
  • ICT Readiness for Business Continuity
  • Physical Security Monitoring
  • Configuration Management
  • Information Deletion
  • Data Masking
  • Data Leakage Prevention
  • Monitoring Activities
  • Web Filtering
  • Secure Coding

How to make the Transition to ISO 27001:2022?

As with any new standard, we expect the certification bodies to allow a three-year transition window, which means you have time to update your information security management system. The steps are:

  1. Map 2013 controls to 2022 controls.
  2. Implement the 11 new controls.
  3. Update references throughout the system.
  4. Conduct an impartial internal audit.
  5. Hold a management review.

While this can be done in house, we recommend contacting our ISO consultants, Assent Risk Management, for help and support, particularly with the impartial internal audits.

When will Resilify.io Publish Resources for ISO 27001:2022?

While we have draft documentation ready to go, we will not be publishing it on resilify.io until ISO 27001:2022 has been published, just in case there are any unplanned changes in the final version.

When we do release new resources we will keep you informed. Make sure you are subscribed to the Resilify.io Mailing List!