ISO/IEC 27001 was last updated in 2013 and the cyber world and threats to it have dramatically evolved. The standard must follow suit and is malleable to accommodate updates.
February 15, 2022 was a crucial day. ISO/IEC 27002:2022 – Information Security, Cybersecurity and Privacy Protection – Information Security Controls – was published. Due to this, ISO/IEC 27001 Annex A needed updating to align with ISO/IEC 27002:2022’s controls.
The name is changing to reflect the standard’s true scope. It is ISO/IEC 27001:2022 – Information Security, Cybersecurity and Privacy Protection – Information Security Management Systems – Requirements. This also aligns with ISO/IEC 27002:2022’s new title.
Other changes include clause numbering, new and rearranged text, and Annex A updates, among others.
If your organization is already ISO/IEC 27001 compliant, no changes in technology are needed, just updates in the documentation. You might need to revise internal policies, according to the new subclauses and modified requirements. Your risk assessment result and risk treatment plan(s) should also be reviewed and Statement of Applicability (SoA) updated.
The transition period will be three years from when ISO/IEC 27001:2022 is officially published, so you should have ample time to comply. Your ISO/IEC 27001 certificate remains valid until this period ends.
We can help to smooth your transition and have created a suite of services and materials, including transition training and guidance documents.
Visit our ISO/IEC 27001 Certification – Information Security, Cybersecurity and Privacy Protection page or contact us for more information.
ISO usually updates its standards every few years. ISO/IEC 27001 was last updated in 2013 and the cyber world and threats to it have evolved. The standard must follow suit and is malleable to accommodate updates.
ISO/IEC 27002:2022 was also published in February 2022 and ISO/IEC 27001 must be updated to reflect certain changes in its sister standard.
For our comprehensive round-up of ISO/IEC 27001, read our Comparing ISO/IEC 27001:2022 to ISO/IEC 27001:2013. What are the changes? guidance document, but we have a summary below.
The title
The name has been changed to reflect the standard’s true scope. It is ISO/IEC 27001:2022 – Information Security, Cybersecurity and Privacy Protection – Information Security Management Systems – Requirements. This also aligns with ISO/IEC 27002:2022’s new title.
Clause numbering
New subclauses have been introduced to further harmonize the document’s structure with other management system standards, such as ISO 9001 and ISO 22301. Two subclauses – 10.1 and 10.2 – have also been interchanged. 10.1 is Continual Improvement while 10.2 is Nonconformity and Corrective Action. There are no changes in their requirements.
New text
Although new text has been added and some rearranged, these changes only clarify the requirements and do not add new ones to the standard.
Annex A
Annex A’s title is now Information Security Controls Reference and the controls have been revised to align with ISO/IEC 27002:2022. In the 2013 edition, only the descriptions of the controls are derived from ISO/IEC 27002.
Other changes
There have been some updates to several clauses.
February 15, 2022 was a crucial day. ISO/IEC 27002:2022 – Information Security, Cybersecurity and Privacy Protection – Information Security Controls – was published. Due to this, ISO/IEC 27001 Annex A needed updating to align with ISO/IEC 27002:2022’s controls.
For further details, read our Key Changes in the ISO/IEC 27002:2022 white paper.
Although 2022’s updates make the documentation and guidelines heftier, and add more responsibilities, there are clear and detailed explanations of each control.
As expected, the most significant change is Annex A’s revisions to align with ISO/IEC 27002:2022 security controls.
Changes to Clauses 4–10 are minor editorial changes to further harmonize the structure with other management system standards.
If your organization is already ISO/IEC 27001 compliant, no changes in technology are needed, just updates in the documentation. You might need to revise internal policies, according to the new subclauses and modified requirements. Your risk assessment result and risk treatment plan(s) should also be reviewed and your Statement of Applicability (SoA) updated.
After a three-year transition period, ending October 31, 2025, all ISO/IEC 27001:2013 certifications will expire or should be withdrawn. We will not conduct initial or recertification audits to the old standard after April 30, 2024.
Certificates issued or reissued against ISO/IEC 27001:2013 during the transition period (November 1, 2022 to October 31, 2025) will have October 31, 2025 as their expiration date and not the usual three-year validity. After the transition period an organization with an expired ISO/IEC 27001:2013 certification will be treated as a new client, subject to a full initial audit.
Yes. But this will take time, so do not wait for the new versions. Just go for the current version and upgrade later. This is the best option considering the threat landscape.
As the transition period is three years from the official publication of the new edition, you can go by region or country, but you must completely cover all sites.
We can help to smooth your transition and have created a suite of services and materials, including transition training and guidance documents.
We can ensure that you have adapted the documentation within the transition period. Therefore, no new audit(s) need to be scheduled because this will take place during your regular surveillance audits.
Furthermore, additional time to assess the successful transition will be required as per the International Accreditation Forum’s (IAF) MD 26:2022 document.
However, when you renew your certification during the transition period, you could work to the new controls to avoid leaving it until the eleventh hour.
For more information, speak with your SGS contact.