Since its introduction in October 2005, the international standard on information security, ISO 27001, has been updated several times. The latest update, ISO 27001:2022, was published in October 2022 and represents a response to the fast-changing technology industry, the increasing sophistication of cyberattacks, and the audacity of cyber criminals.
Do you need to take action?
One of the questions we encounter the most is – why do I need to move to ISO 27001:2022? Currently there is a transition period during which your organisation can continue to be certified against ISO 27001:2013. However, by the cut-off date of October 2025, you can only be certified against the new 2022 version. This means that you need to start acting now, if you haven’t already, to remain certified to the standard.
Key differences between ISO 27001:2013 and ISO 27001:2022
The new version – ISO 27001:2022 – is an improved and modernised standard that is also more flexible. The changes make it easier to adapt to and customise for different businesses based on their processes and operations.
The actual changes within the accreditation are moderate – language and terminology changes to clauses 4 to 10 and the introduction of a few new clauses and subclauses. There have been major changes to Annex A, including the addition of 11 new controls and the restructuring of existing controls.
There are now 93 controls (versus 114 in ISO 27001:2013), grouped into four control sections:
The new controls that have been added include:
The implementation guidance for each control has been revised to reflect the world as it is today, bringing in new and advanced security ideas and concepts.
Steps to move from ISO 27001:2013 to ISO 27001:2022
Between now and October 2025 you will need to:
Key dates to remember when moving to ISO 27001:2022 certification
- 25 October 2022 – new version released
- 31 October 2022 – transition period of three years begins
- 01 May 2024 – organisations undergoing ISO 27001 certification for the first time will be assessed against ISO 27001:2022
- 31 July 2025 – All transition audits must be conducted
- 31 October 2025 – End of transition period and ISO 27001:2013 accreditation no longer valid
What is a transition audit?
As upgrading to the new standard involves a change in scope, your certification body will conduct a transition audit.
The transition audit is to give the certification body assurance that you have effectively implemented the new controls and that your organisation is compliant with the requirements of the new standard.
This will be in addition to your annual surveillance audits and 3-year recertification audits.
Some certification bodies offer a pre-audit. This is not required if you have already conducted an internal gap assessment and an internal audit.
The number of days for the transition audit will depend on each certification body’s internal processes, but usually it is one day. We would strongly advise getting in touch with your certification body and scheduling it now, as they will get extremely busy nearer to the cut-off date of 25th July 2025.
What’s next for your information security?
As with any new standard, there is bound to be a measure of uncertainty or confusion. There is also the perception that the deadline is a long time away. But as with any deadline, it creeps up more quickly than you anticipate, so the best thing is to make a start as soon as you can. Keep in mind that the move from ISO 27001:2013 to ISO 27001:2022 certification is a necessary one, and one that can only benefit your business.
Also keep in mind that you don’t need to make the transition alone – at RightCue we have the experience and expertise to get you through your accreditation journey, whether you’re starting at the very beginning, or need help in moving to the new standard.
Specifically for the transition to the new standard, we can help you do a gap analysis not only against the new controls, but also against the overall guidance covering the new standard (ISO 27002:2022).
Being an external party, we bring in a fresh perspective, coupled with our knowledge of current security tools and techniques. We support you with implementation based on work we have already done on the new standard and which many of our clients have already adopted. As we are not auditing our own work, we are independent and impartial, and can help you capture the resource requirement for such a transition more objectively.