ISO standards are updated every few years to better fit every organization’s needs. With the rise and advancement of cyber threats and malware, there was a need to update the ISO/IEC 27001:2013 as well.
5 key changes to the ISO/IEC 27001:2022 standard
- The title of the standard has been changed to be in line with ISO/IEC 27002:2022. The new ISO/IEC 27001:2022 title is Information Security, Cybersecurity and Privacy Protection – Information Security Management Systems – Requirements.
- The title of Annex A has also changed from Reference control objectives and controls to Information security controls reference.
- Annex A is linked to the controls in ISO/IEC 27002:2022. The new Annex A now has 93 controls and lists, for each one, the control title and the control statement.
- There are minor adjustments to the vocabulary, sentence structure, and clause structure in clauses 4 through 10, particularly in clauses 4.2, 6.2, 6.3, and 8.1.
- In Clause 6.1.3 c), the notes have been revised. The word “control” has been replaced with “Information security control” and the control objectives have been deleted. Moreover, in Clause 6.1.3 d), the wording has been reorganized to avoid ambiguity.
4 steps that organizations need to follow to transition to the ISO/IEC 27001:2022 version
There are four main steps that ISO/IEC 27001:2013 certified organizations need to follow to transition to ISO/IEC 27001:2022:
- Perform a gap analysis against ISO/IEC 27001:2022 and adapt their ISMS to the changes.
- Update the statement of applicability (SoA).
- Ensure that their organization’s risk treatment plan is updated.
- Effectively implement the new controls.
3 important dates for organizations regarding ISO/IEC 27001:2022
There is a timetable that is set by ISO for organizations to follow when management system standards are updated. These are the three main dates that are very important in the transition to ISO/IEC 27001:2022:
- October 31, 2023 – All new MSECB clients shall be audited against ISO/IEC 27001:2022 and must provide MSECB Auditors with management system documentation addressing requirements as per ISO/IEC 27001:2022.
- April 30, 2024 – All existing ISO/IEC 27001:2013 MSECB Certified Clients shall be audited (recertification audits) against ISO/IEC 27001:2022 and must provide MSECB Auditors with the management system documentation addressing requirements as per ISO/IEC 27001:2022.
- October 31, 2025 – All ISO/IEC 27001:2013 certificates issued after October 31, 2022, will expire on October 31, 2025.
Furthermore, MSECB Certified Clients that have not demonstrated full conformity with ISO/IEC 27001:2022 by October 31, 2025, are subject to certification withdrawal.
2 important notes for organizations about ISO/IEC 27001:2022
Organizations that show conformity with the requirements of ISO/IEC 27001:2022 will be issued a certificate with the new version of the standard.
However, it is important to know that, to confirm the transition, a minimum of half (0.5) an audit day shall be included in a surveillance audit or in a separate audit.
1 requirement for MSECB Auditors
ISO/IEC 27001:2022 will obviously affect management system auditors as well. Thus, at MSECB, all MS auditors approved to conduct ISO/IEC 27001:2013 audits will be asked to demonstrate competence on the new version of the standard prior to conducting any audits for ISO/IEC 27001:2022.
We will accept Foundation, Transition, or Lead Training Courses offered by accredited personnel certification bodies, which shall include, amongst others, a detailed overview of ISO/IEC 27001:2022 so that auditors will be able to answer clients’ questions.
Why you should transition to ISO/IEC 27001:2022
According to ISO, organizations that implement cyber resilience quickly emerge as industry leaders. Thus, the importance of ISO/IEC 27001 is non-negotiable. It provides a list of controls that help organizations combat any kind of malware.
The new ISO/IEC 27001 standard assists organizations in securing information in all formats, by:
- Increasing resilience to cyberattacks,
- Establishing a centralized point for managing information security,
- Ensuring organization-wide protection rather than just technology-based protection,
- Preparing for evolving security threats,
- Lowering defensive technology costs, and
- Protecting the integrity, confidentiality, and availability of data.