Transition Guidance

IT security, cybersecurity and privacy protection are vital for companies and organizations today.
ISO/IEC 27001 is the world’s best-known standard for information security management systems (ISMS) and their requirements. Together with the other standards and guidelines in the ISO/IEC 27000 family, it helps organisations keep their information safe.
The first edition of the information security standard, ISO/IEC 27001, was published in 2005 and a second edition published in 2013. The third edition was published on October 25, 2022.
With the dynamic nature of cyberthreats, we should expect that future revisions will be done more frequently to ensure the standard remains current.
What are the changes to the Standard?
- Title of the Standard
The title of the standard has been changed to be in line with ISO/IEC 27002:2022. The new ISO/IEC 27001:2022 title is Information Security, Cybersecurity and Privacy Protection – Information Security Management Systems – Requirements.
- Title of Annex A
The title of Annex A has also changed from Reference control objectives and controls to Information security controls reference.
- Link between Annex A and controls in ISO 27002:2022
Annex A is linked to the controls in ISO/IEC 27002:2022. The new Annex A now has 93 controls and lists, for each one, the control title and the control itself.
- Adjustments to vocabulary, sentence, and clause structure
There are minor adjustments to the vocabulary, sentence, and clause structure in clauses 4 through 10, particularly, in clauses 4.2, 6.1.3, 6.2, 6.3, 8.1, 9.2, 9.3 and 10.
- Adjustments to Clause 6.1.3
In Clause 6.1.3 c, the notes have been revised. The word “control” has been replaced with “Information security control” and the control objectives have been deleted. Moreover, in Clause 6.1.3 d), the wording has been reorganized to avoid ambiguity.
- Mandatory Clauses
- 4 (Information security management system) – The new clause requires that processes and their interactions are identified. These interactions can be documented as part of diagrams and flow charts.
- Several clauses and notes indicate that the Annex A controls are not exhaustive and should therefore be used as baselines. Each organization should evaluate its own environment to identify the specific controls, risks, etc. that are relevant to it.
- 2 (Information Security objectives) – Objectives must be documented and available for all stakeholders.
- 3 (Planning of changes) – All changes now require documented planning.
- 1 (Operational planning and control) – Organizations must define criteria for operational processes. However, "criteria" is a broad term and can cover anything from a security requirement to a business need or a customer request.
- 9 (Performance evaluation) – Methods to evaluate and monitor controls should produce comparable results to enable trends to be assessed.
- 2 (Internal audits) – Internal assessments must cover all of the organization’s requirements, not only those of ISO 27001. This may be a broader attempt to make the Management System more comprehensive.
- Annex A
Annex A of the updated Standard has been completely restructured and revised, with the number of controls decreased from 114 to 93. The security controls are also now divided into four sections instead of the previous fourteen.
- New Sections and Controls of ISO 27002:2022
- Section 5: Organizational (37 controls)
- Section 6: People (8 controls)
- Section 7: Physical (14 controls)
- Section 8: Technology (34 controls)
35 controls are unchanged, 23 controls were renamed, 57 controls were merged to form 24 controls, and 11 new controls were added:
- 23 Information security for use of cloud services
- 30 ICT readiness for business continuity
- 7 Threat Intelligence
- 4 Physical security monitoring
- 1 Data masking
- 9 Configuration management
- 10 Information deletion
- 12 Data leakage prevention
- 16 Monitoring activities
- 23 Web filtering
- 28 Secure coding
Steps to follow to transition to ISO/IEC 27001:2022
- Review and update documentation, including policies and procedures, to meet the new control requirements.
- Revise the Statement of Applicability (SoA) to align with the updated Annex A.
- Review the risk register and ensure that applied risk treatment aligns with the revised standard.
- Implement the new controls introduced in the new version of the standard.
- Get audited against the new version of the standard.
Showing conformity to ISO/IEC 27001:2022
- An audit specifically to confirm conformity to the new version of the standard is required for organisations previously certified to the 2013 version of the Standard.
- During a surveillance audit or a separate audit, a minimum of one (1) audit day shall be included.
- Where the transition audit is conducted along with a recertification audit, a minimum of half (0.5) an audit day is included.
- Organizations that show conformity with the requirements of ISO/IEC 27001:2022 will be issued a certificate with the new version of the standard.
Important dates to note
- October 31, 2023
From October 31, 2023, all fresh (initial) implementations shall be audited against ISO/IEC 27001:2022. Organisations seeking certification must provide the external auditors with management system documentation addressing the requirements of ISO/IEC 27001:2022.
- April 30, 2024
Organizations that are currently seeking certification for ISO 27001:2013 have until April 30, 2024, to complete their certifications.
From May 1, 2024, all initial audits (including those for clients moving from another certification body) and recertification audits (for existing ISO/IEC 27001:2013 certified clients) shall be conducted against ISO/IEC 27001:2022, and the external auditors must be provided with the management system documentation addressing the requirements of ISO/IEC 27001:2022.
- October 31, 2025
All organizations seeking ISO 27001:2022 certification will need to complete their certification by October 2025 as all ISO/IEC 27001:2013 certificates issued after October 31, 2022, will expire on October 31, 2025.
- November 1, 2025
On November 1, 2025, all ISO 27001:2013 certificates will be withdrawn and considered to be expired regardless of the printed expiration date.
Why you should transition to ISO/IEC 27001:2022
Given the dynamic nature of cyber-risks, it is important that organisations implement controls to mitigate these risks. ISO/IEC 27001 provides a list of controls that help organizations combat current cyber-risks.
The new standard assists organizations in securing information of all types and formats, by:
- Increasing resilience to cyberattacks,
- Establishing a centralized point for managing information security,
- Ensuring organization-wide protection rather than just technology-based protection,
- Preparing for evolving security threats,
- Lowering defensive technology costs, and
- Protecting the integrity, confidentiality, and availability of data.
The new standard has 93 controls as against the 114 controls of the former version, thereby reducing the documentation required and making it easier and cheaper to implement.
Organisations implementing the new version before October 2023 gain a competitive advantage over those yet to implement it.
How can Digital Jewels Africa help you implement an ISO 27001-compliant ISMS
Digital Jewels has supported many organisations in implementing and certifying to best-practice standards and frameworks for about 15 years.
We are available to support you in either transitioning to or implementing the new version of the Standard.
For more information about ISO 27001 and how we can help you, get in touch with us at info@digitaljewels.net