On 25th October 2022, a new updated version of ISO/IEC 27001 was released. The main reasons for this update were to acknowledge the evolution of remote working, to recognise the increasing need for certain types of organisations to acquire “threat intelligence” to thwart cyber-attacks, and to create a simpler structure for the controls in Annex A. The shape of an ISO 27001 audit is changing – ensure you don’t get left behind!
We’ve created a helpful 8-page document detailing all the changes between ISO/IEC 27001:2013 and ISO/IEC 27001:2022 – please click here to request your FREE copy.
What does this mean for ISO/IEC 27001 audits?
Organisations applying for a 27001 certificate for the first time
This is straightforward – from 1st May 2024, all initial certification audits are conducted against the new ISO/IEC 27001:2022 Standard.
Organisations with an existing 27001 certificate
This will depend on where you are in the three-year certification cycle:
For organisations who have had two prior surveillance audits – from 1st May 2024, re-certification audits are conducted against the new ISO/IEC 27001:2022 version.
For organisations whose next audit is a surveillance audit, there may be an opportunity to change the cycle for the next audit to be a re-certification audit. This would need to be agreed and approved by your certification body. Alternatively, the existing cycle can be completed providing the expiry date has not passed. All ISO/IEC 27001:2013 certificates will expire on 31st October 2025.
Will your organisation be ready?
If not, how will the relationship with your clients be affected if you don’t meet the deadline? The implication of the change is that you will need to demonstrate to your certification body that the changes have been fully considered and integrated into your ISO/IEC 27001 ISMS. Risk assessments, treatment plans, internal audits and management reviews are very likely to be affected. The biggest challenge will be in updating your Statement of Applicability and related documents. The updates should help you to facilitate continual improvement which will be of great benefit to your organisation.
What are the main changes to ISO/IEC 27001?
It was an update that the ISO information security community had waited nine years for. Then again, they were used to waiting this long as the update from 2005 to 2013 was a meagre eight years. The wait, however, was worthwhile. In the previous edition, there were 14 categories containing 114 controls. Now there are 93 controls (including 11 new controls) grouped neatly into 4 “themes”:
- Organizational controls
- People Controls
- Physical Controls
- Technological Controls
The technical controls – which were previously spread across Annex A – were grouped nicely into one “technological” theme. However, users need to appreciate that the interaction of controls across the four themes is prevalent, and this can make implementation and auditing much more efficient. Although it might be tempting to have a policy and procedure for each control, this approach would miss the opportunity of recognising the dynamic links between processes and general activities. If the themes were reversed, then the “organizational” theme would be a catch-all for any control that is not included in the previous three.
There were subtle changes in some of the clauses, most of which were adding extra clarity. Clause 6.3 Planning of changes was added which brought it more in line with ISO 9001:2015 which uses the same clause number. An agenda item was added to the management review – 9.3.2c changes in the needs and expectations of interested parties.
- “Why do the Annex A control numbers start at 5 in ISO/IEC 27001?”
The control numbers align with the clause numbers in the ISO/IEC 27002:2022 guidance Standard.
- “Do we have to use the ISO/IEC 27002:2022 guidance Standard?”
It is not mandatory, but it provides very useful information about the controls in Annex A.
- “Does Artificial Intelligence feature in the updated ISO/IEC 27001 Standard?”
ISO/IEC 27002:2022 refers to how AI can be used to monitor systems and improve security.
- “Is climate change now a part of the ISO/IEC 27001:2022 standard?”
Yes, in Feb 2024 it was added to all ISO Management System Standards that follow the 10-clause structure.
- “ISO/IEC 27001:2013 now obsolete?”
Yes, officially this version is obsolete, and these old certificates will expire on 31st October 2025.
- “How do we transition from ISO/IEC 27001:2013 to ISO/IEC 27001:2022, and what should we do first in updating our ISMS?”
It may be useful to discuss the transition with your certification body. The logical first step would be to update the Statement of Applicability; then adjust or add policies and procedures that covered controls in the previous standard; internal audit programmes will need to consider the changes in controls and clauses – e.g. adding clauses 6.3 and 9.3.2c to audit checklists. Climate change must be included in the programme, the time allocated will depend on how big an issue it is for the organisation. Care should be taken if multiple standards are being followed – for instance, clause 10 in ISO/IEC 27001 has two parts to it, whereas there are three parts to clause 10 in ISO 9001, ISO 14001 & ISO 45001.
- “Will our auditors need to go on a new ISO/IEC 27001 training course?”
Existing ISO/IEC 27001:2013 auditors
In terms of clauses 4 to 10, that will not be necessary, just read through the changes. We’ve created an 8-page document detailing the changes between ISO/IEC 27001:2013 and ISO/IEC 27001:2022 – click here to request your FREE copy..
The changes in Annex A are significant and the person responsible for ensuring the ISMS conforms to the Standard will need to ensure that relevant personnel and documents are updated.
Your organisation (or a supplier) may request that you be trained in the new ISO/IEC 27001:2022 Standard, or you may want to ensure that your personal development and qualifications are up-to-date – in this instance, please view our ISO/IEC 27001:2022 training courses.
New ISO/IEC 27001:2022 auditors
Anyone new to ISO 27001:2022 who needs to gain an understanding of the Standard should attend an entry-level ISO/IEC 27001:2022 Foundation course. Those looking to progress to auditor level should attend an ISO/IEC 27001:2022 Internal Auditor course, ISO/IEC 27001:2022 Lead Auditor course or an ISO/IEC 27001:2022 Auditor Conversion course.