Corporations invest a great deal of resources in gaining and maintaining ISO certification.

They do this certainly to ensure regulatory compliance, but also to reduce risk, increase quality and marketplace competitiveness. The audit process is essential as it verifies to management that the systems and processes that are in place, are being used as directed, and are achieving the desired results. 

To address these cybersecurity challenges, ISO/IEC 27001:2022 has been updated to meet the latest security threats and technologies.

ISO/IEC 27001:2022 has some major updates to Annex A i.e. ISO/IEC 27002:2022 which  provides InfoSec Controls implementation & guidance information.

Amendment to ISO/IEC 27001/2022 & ISO 27002:2022 

Category restructure 

  • 11 new controls 24 merged controls 
  • 58 updated controls 

New ISO/IEC 27002:2022 domain 

The new categories of controls have been consolidated from 14 to 4. 

  • People (8 controls) – if they concern individual people, such as remote working, screening, confidentiality, or non-disclosure agreements. 
  • Organisational (37 controls) – if they concern the organisation, such as policies for information, return of assets, information security for use of cloud services. Technological (34 controls) – if they concern technology, such as secure authentication, information deletion, data leakage prevention, or outsourced development. 
  • Physical (14 controls) – if they concern physical objects, such as storage media, equipment maintenance, physical security monitoring, or securing offices, rooms, and facilities. 

New Controls

While the total number of controls have been cut down from 114 to 93, there are 11 new controls including: 

  1. Threat intelligence 
  2. Information security for use of cloud services 
  3. ICT readiness for business continuity 
  4. Physical security monitoring 
  5. Monitoring activities 
  6. Web filtering 
  7. Secure coding 
  8. Configuration management 
  9. Information deletion 
  10. Data masking 
  11. Data leakage prevention 

Timeline to Transition 

There is a three-year transition period from the publication date of ISO 27001:2022, so organisations will have to be compliant with the updated Standard by October 2025. 

Organisations Already Certified to ISO 27001: 

Until October 2023, audits may be conducted to ISO/IEC 27001:2013 or ISO/IEC 27001:2022 at the organisations request.  Non-compliances with the additional requirements in the 2022 edition will be raised as Areas of Concerns and will need to be closed before the transition period.  From October 2023, all audits shall be to ISO/IEC 27001:2022. 

Organisations Looking to Certify to ISO 27001: 

  • Organisations applying for certification before the date of issue of the 2022 edition will be assessed against their compliance to ISO/IEC 27001:2013 
  • Organisations applying for certification after the date of issue of the 2022 edition will be assessed against their compliance to ISO/IEC 27001:2022 

Please Note: Additional time will be required to perform the upgrade component of the audit, should you go from ISO 27001:2013 to ISO 27001:2022. 

How To Prepare For ISO/IEC 27001:2022 

We advise you to begin transition planning as soon as possible and to make sure your management system is appropriately updated. In order to ensure smooth transitions and minimize interruption, organizations should start preparing now for the introduction of the new ISO/IEC 27001:2022 in October. For the transition, the following crucial tasks must to be taken into account: 

  • Build out education program for those involved in the ISMS operation. 

  • Familiarise yourself with the 93 Controls in ISO 27002:2022 

  • Identify which controls that have been implemented into your organisation are affected. 

  • Prepare your documentation for transition. 

  • Conduct a Gap Analysis 

Businesses have the chance to examine their current information security management systems, including their risk register and risk assessments, to decide whether they are appropriate and applicable for their operations. Although no controls were added or removed between the ISO 27001 standard versions of 2013 and 2022, how you manage your present controls will change as a result of the merger, updates, and new controls that were added. 

You may determine how your ISMS will be impacted and what needs to be changed to be in compliance with the standard once it is published by doing a gap analysis between your current system and the ISO 27002:2022 controls. You can use this gap analysis to help you decide whether and how the new controls will aid in risk management. 

Consider Attributes 

With the inclusion of attributes in the ISO 27002:2022 standard, organizations can now apply attributes through the review process. The advantage of attributes is the ability to categorize or create several views of controls from various angles or themes.  You could, for instance, look at your controls from the standpoint of control types (preventative, detective, or corrective controls), different security properties (confidentiality, integrity, availability), different operational capabilities (governance, identity, and access management, legal, and compliance), etc. 

Optimise your Statement of Applicability 

Organizations should think about developing a parallel Statement of Applicability based on the controls in the 2022 version, including the controls that have been renamed, merged, and new controls, when undertaking this review. This is because of the transition schedule. Audits performed before your transition audit will still need to comply with the 2013 version, therefore they must make reference to those particular requirements. 

Consider the Resources to Transition 

While ISO 27001:2022's standards remain the same, organizations must now examine how they will implement the updated controls mentioned in Annex A.  To make sure they comprehend the requirements and how to assist the organization in filling any gaps, your ISMS internal auditors must receive training. To measure the impact on the organizations' risk assessments and treatments, it is also necessary to incorporate the control owners in the education program.  

How we can support 

BearingPoint can assist with the certification and transition of your information security management system, whether you are already certified to ISO/IEC 27001 or are new to the standard. We assist both small and large businesses worldwide with their information security and privacy demands as a leading global consulting organization.  If you are getting ready to transition from version 2013 to version 2022, we can support you with: 

  • Training where you learn about the revision and get a basic overview of key changes and the transition process. 
  • Online self-assessment tools and onsite/off site gap assessments to measure how well your management system meets the new requirements. 
  • Transition audit to move your certification in line with the new version of the standard. 

We can support you every step of the way. For more information please contact Shashank Awadhut