The cybersecurity landscape has changed considerably since the previous edition of the standard, ISO/IEC 27001:2013, was published.
Even as cloud and automation adoption accelerated, the information security management system (ISMS) standard ISO/IEC 27001 received only minor corrections in the interim: technical corrigenda in 2014 and 2015 and a European (EN) re-publication in 2017, none of which changed the requirements.
ISO/IEC 27001:2022, by contrast, is a substantive revision intended to strengthen organizations' information security posture and bring the standard in line with current best practice.
The revision reflects rapid digitization, the risks that accompany it, and the improvements needed in cybersecurity controls.
This post explains the differences between ISO 27001:2013 and ISO 27001:2022 and how to prepare your organization for an effective transition.
Demystifying the Updates in ISO/IEC 27001:2022 (Clauses 4 to 10)
Major Updates
ISO 27001:2022 keeps the same clause structure as ISO 27001:2013 (Clauses 4 to 10); the changes are confined to the wording of individual clauses. The key changes are listed below:
Clause 4.2 Understanding the Needs and Expectations of Interested Parties: A new item requires organizations to determine which of the interested parties' requirements will be addressed through the ISMS.
Clause 4.4 Information Security Management System: The revised standard adds a requirement to identify the processes needed for the ISMS and their interactions. Organizations should map these processes and how they interact so that the ISMS operates as a coherent whole.
Clause 6.2 Information Security Objectives and Planning to Achieve Them: Two items were added: objectives must be monitored, and they must be available as documented information. In practice this means reviewing objectives regularly to confirm they remain relevant and achievable, and keeping a record of that review.
Clause 6.3 Planning of Changes: This new clause requires that any changes to the ISMS be carried out in a planned manner, so that the change does not disrupt the ISMS.
Clause 8.1 Operational Planning and Control: The revised standard requires organizations to establish criteria for the processes needed to meet requirements and to implement the actions determined in Clause 6, and to control those processes in accordance with the criteria. It also refers to "externally provided processes, products or services" rather than only "outsourced processes". The effect is that information security objectives are translated into defined, controlled processes whose execution can be monitored.
Minor Updates
Clause 5.3 Organizational Roles, Responsibilities, and Authorities: A small wording change clarifies that roles relevant to information security must not only be assigned but also communicated within the organization.
Clause 7.4 Communication: Items a) to c) (what, when, with whom) are unchanged, while the 2013 items d) (who shall communicate) and e) (the processes by which communication shall be effected) are simplified and combined into a single item, d) how to communicate.
Clause 9.2 Internal Audit: The single 2013 Clause 9.2 is now subdivided into 9.2.1 General and 9.2.2 Internal audit programme, following the harmonized management system structure. The requirements themselves are essentially unchanged; the split separates the audit requirements from the planning of the audit programme and makes the clause easier to follow.
Clause 9.3 Management Review: This clause is likewise subdivided into 9.3.1 General, 9.3.2 Management review inputs, and 9.3.3 Management review results. A new input was added: the review must consider changes in the needs and expectations of interested parties that are relevant to the ISMS. This matters because such changes can affect the scope of the ISMS.
Clause 10 Improvement: The two subclauses were reordered so that Continual Improvement (10.1) now comes first, followed by Nonconformity and Corrective Action (10.2).
Changes to Annex A Control Structure
1. The 14 control domains of 2013 are reorganized into four themes: Organizational (37 controls), People (8), Physical (14), and Technological (34).
2. The total number of controls was reduced from 114 to 93, and 11 new controls were introduced.
3. 57 controls from the 2013 version were merged into 24 controls.
4. 23 controls were renamed for consistency with the new control structure.
5. Some controls were removed because they are no longer considered essential.
The 11 new controls address areas including the following:
Threat Intelligence (A.5.7): Organizations must collect and analyze information about information security threats and produce threat intelligence that feeds risk assessment and the selection of controls.
Cloud Security (A.5.23): Organizations must define processes for acquiring, using, managing, and exiting cloud services in line with their information security requirements, so that cloud-hosted applications and data are protected by controls equivalent to those applied on-premises.
Data Leakage Prevention (A.8.12): Organizations must apply measures to systems, networks, and devices that process, store, or transmit sensitive information in order to prevent its unauthorized disclosure.
Secure Coding (A.8.28): Organizations must apply secure coding principles throughout software development to reduce the number of vulnerabilities introduced into their software.
The remaining new controls are ICT readiness for business continuity (A.5.30), physical security monitoring (A.7.4), configuration management (A.8.9), information deletion (A.8.10), data masking (A.8.11), monitoring activities (A.8.16), and web filtering (A.8.23).
Essential Steps That Will Prepare You for the ISO 27001:2022 Upgrade
Secure the Latest Framework
ISO/IEC 27001:2022 is not freely available, so organizations first need to purchase a licensed copy and load the new requirements and Annex A control set into their existing Governance, Risk, and Compliance (GRC) tooling.
It is advisable to keep the ISO 27001:2013 program running alongside the new one until the updated certificate has been issued. Running both lets analysts compare the two versions side by side, map what is new or changed, and build an improved GRC program rather than a hurried replacement.
Assess Readiness and Identify Gaps
ISO 27001:2022 introduces 11 new controls, so an upgrade readiness assessment is needed to find gaps before the certification auditor does.
Some organizations may already operate these controls under other cybersecurity frameworks without having documented them for ISO compliance.
In that case, evidence from those frameworks can be reused to meet the updated ISO requirements. ISO/IEC 27002:2022 is the companion reference for the new controls: it states each control's purpose and provides implementation guidance.
Craft a Gap Analysis Plan
Once the internal gap assessment is complete, turn its findings into a project plan that updates existing controls or introduces new ones as needed. Working backward from your ISO 27001:2013 certificate's expiration date, or from the 31 October 2025 end of the transition period, whichever comes first, helps you schedule the work realistically.
Front-load the work where possible: certification bodies will be busy as the deadline approaches, and a last-minute rush to recertify before the end of 2025 leaves no room for remediation after the audit.
Address the Gaps Identified
As part of gap closure, update documentation and implement new technical controls wherever needed. Much of the attention naturally goes to Annex A, but the changes to Clauses 4 through 10 also have to be addressed.
Accordingly, revise your risk assessment and risk treatment plan, incorporate the revised control set, and update the Statement of Applicability (SoA) so that it references the Annex A:2022 controls and records the justification for each inclusion or exclusion.
Internal Review and Certification Application
Before seeking certification, conduct an internal audit and a management review of your ISO 27001:2022 program. This pre-certification review reduces the likelihood of major findings at the certification audit that would delay the transition.
Once the resulting improvements are in place, apply for certification with an accredited certification body. After a successful audit, you receive your ISO 27001:2022 certificate.
The certification body will then conduct annual surveillance audits over the three-year certification cycle, which is how you demonstrate that the ISMS continues to meet the requirements between recertifications.
To Summarize
ISO 27001:2022 is a crucial update with a three-year transition period for organizations. The key dates are:
- Organizations pursuing ISO 27001:2013 certification had until 30 April 2024 to complete initial or recertification audits against the 2013 edition.[i]
- Organizations must be certified to ISO 27001:2022 by 31 October 2025, when the transition period ends.[ii]
- From 1 November 2025, all ISO 27001:2013 certificates become invalid, regardless of their stated expiration dates.[iii]
Considering the timeline and key steps involved in this update, organizations should proactively prepare for the leap.
Ready to Enhance Your Information Security Standards? Contact Us!
Should you have any questions, drop us a line at [email protected] and we’ll take it from there.
References:
[i], [ii], [iii]: ISO 27001:2022 Transition