ISO 27001:2013, the international standard for information security management, was recently amended and will soon be replaced by the 2022 version.
Released on 25 October 2022, ISO 27001:2022 includes changes to reflect the evolving challenges and threats companies face today.
If you’re currently ISO 27001:2013 certified or plan to become compliant with this ISO standard, it’s important to understand the changes and what they mean for you. Ensure a smooth transition and minimise disruption by starting the process now – the sooner, the better.
How long do you have to transition to ISO 27001:2022?
Companies certified against the 2013 version have three years to transition to ISO 27001:2022, starting from the beginning of the transition period on 31 October 2022. By 31 October 2025, businesses must comply with the revised standard to stay certified, as ISO 27001:2013 will no longer be valid.
From 31 October 2023, companies cannot certify against ISO 27001:2013. After this date, all ISO 27001 audits will be conducted based on the 2022 version.
While there’s still plenty of time until the transition cut-off, we recommend making the move well in advance rather than leaving it until the last minute. This ensures you have sufficient time to prepare, implement required changes, train employees and navigate any hurdles.
When companies rush the transition, they’re also more prone to making hasty decisions because of time pressure. Often, this only results in key areas of the standard guidelines being overlooked, delaying the certification process and increasing costs.
Why was ISO 27001:2013 revised?
One of the main reasons that standards such as ISO 27001 are updated is to keep up with advancements.
Technology and information security are far from what they were ten years ago. While these developments have benefited companies greatly, they have also exposed new vulnerabilities as businesses navigate increasingly sophisticated security risks.
Recently, we’ve seen highly publicised cyber attacks on companies such as Optus, Medibank, Telstra and Latitude, resulting in millions of Australians having their data compromised.
Events like these have made it clear that robust systems for mitigating and effectively managing information security threats are essential for companies operating in today’s business landscape.
When a single cyber attack can cause incalculable damage, the risk of inaction is too big for companies to ignore.
The introduction of ISO 27001:2022 prompts businesses to re-evaluate their risk assessments and re-establish their security controls to ensure they are well-equipped to navigate today’s information security threats.
Key changes to ISO 27001:2013
ISO 27001:2022 introduces numerous changes to the 2013 management system and Annex A security controls. However, no significant requirements from ISO 27001:2013 were removed.
The management system was mainly revised to more closely align with other ISO standards, such as ISO 9001 (quality management) and ISO 45001 (health and safety management). These changes included the addition of the following:
- 4.2 c) Determine which of the interested party requirements need to be addressed through the information security management system (ISMS)
- 6.3 Changes to the ISMS need to be done in a planned manner
- 8.1 New requirements for establishing criteria for security processes and for implementing processes according to those criteria
- 9.3.2 c) Inputs from interested parties need to be about their needs and expectations and also relevant to the ISMS
There are 11 new security controls, 57 merged, one split and 23 renamed. The new security controls are:
- A.5.7 Threat intelligence
- A.5.23 Information security for use of cloud services
- A.5.30 ICT readiness for business continuity
- A.7.4 Physical security monitoring
- A.8.9 Configuration management
- A.8.10 Information deletion
- A.8.11 Data masking
- A.8.12 Data leakage prevention
- A.8.16 Monitoring activities
- A.8.23 Web filtering
- A.8.28 Secure coding
Take advantage of the changes to refine your processes, engage employees and align with best practices. A well-planned and executed transition will help your organisation maintain or enhance its ISO compliance and drive continual improvement.
How to transition to ISO 27001:2022
1. Understand the changes
Start by thoroughly reviewing ISO 27001:2022 to identify the key changes, additions or revisions compared to the previous version. Understand the updated requirements and any new concepts introduced. This will help you assess the impact on your current processes and identify the necessary actions.
2. Conduct a gap analysis
Conduct a gap analysis to identify the gaps between your current system and the requirements of ISO 27001:2022. Compare your existing processes, documentation and practices against the updated standard to understand what needs to be addressed and provide a clear roadmap for the transition.
3. Establish a transition plan
Develop a detailed transition plan that outlines the steps, timelines, responsibilities and resources required for the transition. Break down the tasks into manageable phases and allocate resources accordingly.
4. Update documentation
Update existing documentation, including policies, procedures, work instructions and other relevant documents, to align with the requirements of ISO 27001:2022 and to reflect changes to processes and practices. Communicate these changes to employees and provide necessary training to ensure a smooth transition.
5. Implement the changes
Implement the necessary changes identified during the gap analysis phase. This may involve updating processes, modifying workflows, redefining roles and responsibilities, or introducing new practices. Ensure that the changes are effectively communicated to employees, and provide training or awareness programs to facilitate understanding and compliance.
6. Internal audits
Conduct internal audits to verify the effectiveness of the implemented changes and ensure compliance with the new version of the ISO standard. Evaluate whether the updated processes function as intended and identify any non-conformities or areas for further improvement. Address any issues identified and take corrective actions as required.
7. External certification or recertification
Engage with your certification body to understand their requirements and timeline for transition. Prepare for the external audit or recertification process according to their guidelines. Ensure that you meet the criteria and provide the required evidence to demonstrate compliance with ISO 27001:2022.
8. Monitor ongoing performance
Establish a process for continuously assessing and evaluating your performance against the requirements of ISO 27001:2022. This step is crucial for maintaining compliance and driving continual improvement.
How an ISO consultant can help
An ISO consultant brings expertise, experience and a systematic approach to help your organisation successfully navigate the transition to ISO 27001:2022. They can provide the following to help ensure an efficient and seamless transition:
- Expert knowledge: ISO 27001 consultants work with the standard day in and day out, and this in-depth understanding of the requirements and the updated version is invaluable for companies wanting to get and stay compliant. A consultant can provide insights into how the changes will impact you and best practices for information security management.
- Gap analysis and readiness assessment: This is a comprehensive review of your existing processes, documentation and practices to determine areas that need to be addressed for ISO 27001:2022 compliance.
- Transition planning and roadmap: Based on the gap analysis, an ISO consultant can help you develop a tailored transition plan and roadmap, including clear objectives, milestones and timelines.
- Documentation updates and development: ISO standards require proper documentation to demonstrate compliance. An ISO consultant can support you in updating and developing the necessary documentation for a smooth transition, including policies, procedures and forms.
- Training and awareness programs: An ISO consultant can develop customised training materials, conduct workshops and provide guidance on the changes and their implications to help ensure that employees are well-equipped to implement the new requirements effectively.
- Process improvement and optimisation: During the transition, an ISO consultant can help you streamline workflows, eliminate bottlenecks and enhance efficiency.
- Internal audits and corrective actions: After the required changes are implemented, a consultant can complete an assessment to identify non-conformities and determine any necessary corrective actions from an objective perspective.
Stay ISO 27001:2022 compliant with these strategies
After transitioning to ISO 27001:2022, avoid “setting and forgetting” your systems so that you are well-positioned to maintain compliance over time.
Continual improvement is a fundamental requirement for ISO compliance, and it also leaves your business in a great position when your next system audit comes around, as you’ve already been taking steps to enhance processes in the lead-up.
After all the work you put into getting compliant, it’s well worth taking proactive steps to avoid non-compliance, and subsequently, stay certified.
To maintain your compliance with ISO 27001:2022, make sure to:
- Regularly audit your information security system;
- Make ISO 27001 a part of “the way things are done” at your business;
- Monitor how ISO 27001 fits into your overall security efforts;
- Document all relevant actions or changes and keep documentation up-to-date;
- Correct any issues and non-conformances when they appear;
- Keep senior management informed and engaged with information security systems;
- Continue to communicate regularly with employees about any issues, opportunities or improvements.
For a closer look at these tips, see our article on maintaining ISO 27001 compliance.
Contact us about ISO 27001:2022 compliance
Get in touch with our team of consultants across Australia for assistance getting ISO 27001:2022 compliant, whether you haven’t been certified with this standard before or need to transition from the 2013 version. We help businesses in a wide range of industries develop lean, low-burden systems.
Alternatively, ask about our compliance software, legislative updates, or integrated management system development services.