ISO standards are updated every few years to better fit every organization’s needs. With the rise and advancement of cyber threats and malware, there was a need to update the ISO/IEC 27001:2013 as well.
5 key changes to the ISO/IEC 27001:2022 standard
- The title of the standard has been changed to be in line with ISO/IEC 27002:2022. The new ISO/IEC 27001:2022 title is Information Security, Cybersecurity and Privacy Protection –Information Security Management Systems – Requirements.
- The title of Annex A has also changed from Reference control objectives and controls to Information security controls reference.
- Annex A is linked to the controls in ISO/IEC 27002:2022. The new Annex A now has 93 controls and includes information on control title and control.
- There are minor adjustments to the vocabulary, sentence, and clause structure in clauses 4 through 10, particularly, in clauses 4.2, 6.1.3, 6.2, 6.3, 8.1, 9.2, 9.3 and 10.
- In Clause 6.1.3 c), the notes have been revised. The word “control” has been replaced with “Information security control” and the control objectives have been deleted. Moreover, in Clause 6.1.3 d), the wording has been reorganized to avoid ambiguity.
4 steps that organizations need to follow to transition to the
ISO/IEC 27001:2022 version
The transition audit shall not only rely on the document review, especially for reviewing the technological controls. It shall include these four main steps, but is not limited to:
- Gap analysis of ISO/IEC 27001:2022 version and adapt the changes to their ISMS.
- Update of the statement of applicability (SoA).
- Ensure that their organization’s risk treatment plan is updated.
- Effective implementation of the new controls.
2 important dates for organizations regarding ISO/IEC 27001:2022
There is a timetable that is set by ISO for organizations to follow when management system standards are updated. These are the two main dates that are very important in the transition to ISO/IEC 27001:2022:
- April 30, 2024 – As of April 30th, 2024, all Initial (for new MSECB Clients) and Recertification Audits (for existing ISO/IEC 27001:2013 MSECB Certified Clients) shall be conducted against ISO/IEC 27001:2022 and MSECB Auditors must be provided with the management system documentation addressing the requirements as per ISO/IEC 27001:2022.
- October 31, 2025 – All ISO/IEC 27001:2013 certificates issued after October 31, 2022, will expire on October 31, 2025.
MSECB will be able to conduct the transition audit in conjunction with the surveillance audit, recertification audit or through a separate audit, which may be conducted remotely.
Furthermore, MSECB Certified Clients that have not demonstrated full conformity with ISO/IEC 27001:2022 by October 31st, 2025, are subject to certification withdrawal.
2 important notes for organizations about ISO/IEC 27001:2022
Organizations that show conformity with the requirements of ISO/IEC 27001:2022 will be issued a certificate with the new version of the standard.
However, it is important to know that to confirm the transition, during a surveillance audit or a separate audit, a minimum of one (1) audit day shall be included. When the transition audit is conducted in conjunction with the recertification audit a minimum of half (0.5) audit day shall be included.
1 requirement for MSECB Auditors
ISO/IEC 27001:2022 will obviously affect management system auditors as well. Thus, at MSECB, all MS auditors approved to conduct ISO/IEC 27001:2013 audits will be asked to demonstrate competence on the new version of the standard prior to conducting any audits for ISO/IEC 27001:2022.
We will accept Foundation, Transition, or Lead Training Courses offered by accredited personnel certification bodies, which shall include, amongst others, a detailed overview of ISO/IEC 27001:2022 so that auditors will be able to answer clients’ questions.
Why you should transition to ISO/IEC 27001:2022
According to ISO, organizations that implement cyber resilience quickly emerge as industry leaders. Thus, the importance of ISO/IEC 27001 is non-negotiable. It provides a list of controls that help organizations combat any kind of malware.
The new ISO/IEC 27001 standard assists organizations in securing information in all formats, by:
- Increasing resilience to cyberattacks,
- Establishing a centralized point for managing information security,
- Ensuring organization-wide protection rather than just technology-based protection,
- Preparing for evolving security threats,
- Lowering defensive technology costs, and
- Protecting the integrity, confidentiality, and availability of data.
To benefit from all these, an organization should keep their management system updated and transition to the new version, ISO/IEC 27001:2022.