There are several moderate but important changes happening to ISO 27001 in 2022. Find out what they are and what the next steps are for your certification.
Overview: Changes to ISO 27001
- There are no changes to ISO 27001 clauses 4 to 10
- The security controls listed in ISO 27001 Annex A are the only aspect being updated
- 114 controls will be condensed to 93
- There will be 11 new controls
- No controls will be deleted
- Some controls have been merged
- The 14 existing control sections will be reduced to 4 control sections
What aspects of ISO 27001 are changing?
The main body of ISO 27001 will remain the same, i.e. clauses 4-10. The only part of the ISO 27001 standard that is changing is the set of security controls listed under Annex A, which will be updated in line with the changes made to ISO 27002 in early 2022. Some controls will be modified or condensed, and some new controls will be added.
What specific changes will be made to the ISO 27001 controls?
Changes to ISO 27002 were rolled out in February 2022. It’s expected that the changes to ISO 27001 will mirror those of ISO 27002. These changes include a simplification of ISO 27001’s controls, with the reduction of control sections from 14 down to 4 and additional attributes for easier categorisation.
ISO 27001 controls can now be categorised with five different ‘attribute’ types. The purpose of these attributes is to make control categorisation easier. The five attributes are:
- Control type (preventive, detective, corrective)
- Information security properties (confidentiality, integrity, availability)
- Cybersecurity concepts (identify, protect, detect, respond, recover)
- Operational capabilities (governance, asset management, etc.)
- Security domains (governance and ecosystem, protection, defence, resilience)
Why were these changes made to ISO 27001?
These relatively minor changes are being made to ISO 27001 to simplify the implementation process. Some controls were merged for the sake of efficiency or because they were deemed to be smaller steps in a larger process. Additionally, some controls were renamed to help maintain focus on the information security-specific aspects of the business’s activities and processes and to make information security management system implementation simpler.
When will changes to ISO 27001 come into effect?
Updates to ISO 27001 Annex A are expected to be published in October 2022; however, an official publication date is yet to be released.
I want to implement ISO 27001, should I wait until after the changes are made?
The short answer is no: there’s no reason to delay implementing ISO 27001. Implementing an information security management system that’s compliant with ISO 27001:2013 will help to protect you from information security issues, whereas waiting months for the ISO 27001:2022 standard to be published will leave you open to risks.
Your ISO 27001 consultant can help you be as prepared as possible for the new standard during the implementation of your ISMS and can help you transition to the new standard when required.
I’ve already implemented ISO 27001, do I have to update my certification?
The short answer is yes, but there’s no immediate rush, as long as you update your information security management system within two years of the new ISO 27001:2022 changes being rolled out. To update your system you will need to update your risk treatment process with the new Annex A controls, update your statement of applicability, and update the appropriate sections of your current policies and procedures. An ISO 27001 consultant can help you transition to the new standard.
How long do I have to comply with the new ISO 27001 changes?
There is typically a two-year transition period for new ISO standards, including ISO 27001. This two-year period will begin from the official ISO 27001:2022 start date. The transition period is the same for any business certified prior to the update.
Need help with ISO 27001? Talk to us
At BusinessBasics our experienced ISO 27001 specialists can ensure your business is ISO 27001 compliant. We can help you develop and implement an ISO 27001 compliant information security management system and make all necessary changes to keep your compliance up to date.