Transitioning to ISO 27001:2022
Following on from our previous blog where we outlined what is new in ISO 27001:2022, in this blog we will discuss when, how and what organisations need to do to transition to the new Standard.
Organisations that are already certified to ISO 27001:2013 have until 31 October 2025 to transition to ISO 27001:2022. This means if you have a surveillance visit scheduled after the 31st October 2025 then you will need to transition to the new Standard.
Certification bodies will stop offering certification to the 2013 version of the Standard by 30 April 2024. Bear in mind that even if your organisation’s ISMS is recertified to ISO 27001:2013 by 30 April 2024, your certificate will expire on 31 October 2025, versus the usual 3-year duration of the ISO certification.
If your certification expires in September 2025, then you don’t want to leave it until the last minute because certification bodies are bound to be very busy, and you don’t want to be in a position where your certification will expire just because you can’t get an audit scheduled before the expiry date.
The new Standard is more up to date with the inclusions of controls that cover cloud services and threat intelligence, and the updated ISO 27002:2022 provides better guidance on control selection and implementation than the 2013 version.
In a nutshell whether you have an existing 27001 certification, or if you are starting from scratch, we advise you to start adopting the 2022 Standard as soon as you can.
Why has ISO27001 Changed?
The Standard has been updated to reflect the new threat landscape and new technologies which have evolved considerably since the last update ten years ago.
The latest revision (2022) provides a more straightforward structure that can be applied throughout an organisation and to broaden the scope of its information security controls.
What are the key Steps to Update to the new Version of the Standard?
Obtain a copy of the new Standard. Do some research to get to know what the key changes are and how they will impact your organisation.
Do some training. We are in the process of developing a training course and it’s going live very soon so watch this space.
Obtain commitment and funding from the senior management team / board if you have not already done so.
Get a cross functional project team together. If you are on your own or you don’t have the resources, then list the help of an external consultant. We are more than happy to discuss your project requirements.
Conduct a gap analysis to see exactly what you are up against and where you need to focus. This will help you to identify the areas where your current information security management system (ISMS) needs to be updated to meet the requirements of the new Standard. Heads up if you are transitioning to the new Standard there are not a huge amount of changes in the clause sections of the Standard. We have highlighted the clause section changes in our previous blog. Your main focus of attention is the new Annex A control section and the 11 new controls.
Update your risk assessment. You can use the new controls to mitigate the risks that you identify.
Update your ISMS documentation. You will need to pay particular attention to the SoA (statement of applicability) as the control sections now have 4 categories and 93 controls in Annex A and this needs to be reflected in your SoA.
Training for all staff to bring everyone up to speed with the changes, how it might impact them, any controls that might need to be implemented, timelines and updated documentation.
Once you have completed your risk assessment and updated your documentation you need to conduct an internal audit to make sure that you have dotted all your i’s and crossed all your t’s.
Conduct and document a management review. Ensure you have updated your agenda to include the new requirements.
Get your audit booked in before the rush.
On paper it looks easy but if you are struggling with your transition then give us a call.
In our next blog we will have a look at the new controls in detail.
For further information visit our services page or contact us today to speak to an ISO 27001 expert.