In this post, I will show you what to expect from the newly updated ISO 27001:2022.
ISO 27001:2013 is a standard of information security that is globally recognized, allowing businesses to protect their information using a clear and universally accepted framework.
However, data privacy and information protection laws have changed over time, resulting in the need for an update. ISO 27001:2022 is that update, and it is expected to be released later this year.
The new update will provide some vital amendments and updates to the current standard. Here’s what to expect:
What’s Changing With ISO 27001:2022?
One of the essential things to note is that while you can earn certification in ISO 27001:2013, you cannot do the same in ISO 27001:2022.
ISO 27001:2013 will remain the main standard, and ISO 27001:2022 will become a supporting control set that provides guidance on how best to use the main standard.
What Will Be Different Once The Update Is Released?
The new standard itself is significantly longer than the previous version, with many changes to the controls. A number of them have been reordered, updated or merged, and some have been removed.
ISO 27001:2022 lists 93 controls rather than the previous 114, and the remaining controls have been updated to reflect the revised standard.
The controls are grouped into 4 ‘themes’ rather than 14 clauses. These are:
- People (8 controls)
- Organizational (37 controls)
- Technological (34 controls)
- Physical (14 controls)
Controls that didn’t previously exist are:
- Threat intelligence
- Information security for the use of cloud services
- ICT readiness for business continuity
- Physical security monitoring
- Configuration management
- Information deletion
- Data masking
- Data leakage prevention
- Monitoring activities
- Web filtering
- Secure coding
The new controls have been given five ‘attributes’ to make them easier to categorize:
- Control type (preventive, detective, corrective)
- Cybersecurity concepts (identify, protect, detect, respond, recover)
- Information security properties (confidentiality, integrity, availability)
- Operational capabilities (governance, asset management, etc.)
- Security domains (governance and ecosystem, protection, defense, resilience)
Other changes include the removal of terms such as ‘Control Objectives’ and ‘Code of Practice.’
When Will The New Changes Happen?
ISO 27001:2022 was released on February 15th, 2022, and the updates to ISO 27001:2013 are expected to be published in October, though this could be subject to change.
Companies currently in the process of implementing ISO 27001:2013 are advised to continue to do so and then wait for the update later this year. Your organization will still have to align with the current ISO 27001:2013 standards, so if certification is not urgent for your business, you should wait until the update is released and then commence the certification requirements.
What Does This Mean For Certification?
As mentioned, ISO 27001:2013 is a standard that companies are certified against, while ISO 27001:2022 is a reference guiding the implementation and use of the new update.
Accreditation bodies will give companies sufficient time to implement the new update, engage with ISO 27001 consultants where necessary, and make the relevant changes to their practices. The expected transition time is around 12 months, so there will be ample time to introduce the new update and apply for accreditation.
It is suspected that there may be a cut-off for issuing ISO 27001:2013 certificates by the end of 2023, so businesses still trying to achieve this accreditation are recommended to do so as early as possible.
What Are The Benefits Of Achieving ISO 27001 Accreditation?
Achieving accreditation is recommended due to ISO 27001 being the globally recognized standard. Having this certification gives you the confidence that your business is protected securely with recognized controls.
Other benefits include lowered IT expenses, improved business coherence, and competitiveness over other organizations. These benefits will earn your customers’ confidence and promote relationships with other businesses.