The ISO 27001:2022 update was released in October 2022, after a revised version of ISO 27002:2022 “Information security, cybersecurity and privacy protection — Information security controls” was published with some significant changes in February 2022.
In the updated version, the Annex A controls have been replaced by the ISO 27002 set, but contain no significant changes to the Clause 4 to 10 framework.
This has resulted in a fairly major update to existing Information Security Management Systems (ISMS).
So, should you delay implementing ISO 27001:2022 or start working on the transition now? This will be discussed further below.
See More: What has Changed in ISO 27002:2022?
Should I use the ISO 27001:2022 framework straight away if getting ISO 27001 Certified?
If you are not yet certified to the ISO 27001 standard you may be considering if you should adhere to the ISO 27001:2022 or ISO 27001:2013 framework.
As noted above, we do not expect any major changes to the framework of the management system. This follows Annex SL and includes requirements for risk assessment, risk treatment and other core themes that are unlikely to change.
It is also important to remember the time frame ISO Certification Bodies work to when a new standard is published. It is unlikely Certification Bodies will immediately begin auditing to the new standard. This is because they need to ensure correct understanding of the standard, auditor competence, UKAS and IAF directives and other practicalities. They will also have to create a transition pathway, discussed more below.
So with that in mind, we would recommend all new projects to be ISO 27001:2022, so that your company is ready when the Certification Bodies are.
During that time your organisation could have been benefiting from the current information security management system standard to manage your information security risks, and getting the benefits of promoting your ISO 27001 Certification.
Although ISO 27002, the control set for the standard, has been updated, Assent’s consultants have been working hard to map the control sets, understand the new themes, structures and controls within the standard, and plan simple ways for their clients to implement the changes when they need to.
So why wait for ISO 27001 Certification? Contact Assent’s consultants to get started!
Should I Transition to ISO 27001:2022 Now?
All current ISO 27001:2013 certificates remain valid and we expect, as usual when a new standard is published, there will be a transition period in order to make the change.
So there is no rush to update documents and processes.
However, you may be keen to be an early adopters of the new standard, particularly as the new control set has improved the way it addresses the risks in Cloud Services, and other areas, making it more comprehensive.
With that in mind, Assent’s consultants are ready to help you update your existing framework, map current controls to new ones, and implement newly required policies and procedures.
As mentioned earlier, there are not any significant changes to the clause 4 to 10 framework, so the majority of the changes will be through the risk management process, including the SOA and any supporting policies and procedures.
Contact Assent today to start implementing the new requirements of ISO 27002:2022.
How Can Assent Help Me with ISO 27001:2022 and ISO 27002:2022?
Since ISO 27002:2022 was published in February, Assent have held several workshops with the team and their network of associate consultants to break apart the new controls of ISO 27002, and work to fully understand them both on paper and in the real world.
They have developed new documentation to fully address the new requirements, created Awareness Training materials AND updated their trusted ISO 27001 Implementation Project Plan on our cloud-based project tool used by consultants and clients.
They are now also running ISO 27001:2022 workshops to ensure their consultants are up to date with changes in the updated standard and they can help their clients to quickly implement new requirements and make the transition!
Assent also has strong links with the accredited certification bodies, so they can guide you through the transition audit process.
Assent are also now working on ISO 27001:2022 templates and documentation to add to the FREE Knowledge Database on Resilify.io.
Now that ISO 27001:2022 has been published, it is the perfect time to start implementing ISO 27001.
The new control set is more suited to modern information security risks and therefore organisations who adopt them early will benefit from increased cyber resilience.
However, from an ISO Certification perspective, Certification Bodies will not be able to certify to the new version just yet, and there is currently a transition period to allow organisations to make the relevant changes.
Not sure how to proceed? Contact Assent for a free discussion.