The information security management system standard ISO/IEC 27001 provides companies with a framework to manage risks and protect against threats to keep information assets secure, from financial information and intellectual property to employee details and more.
Today, information security is rising on almost every company's agenda, and new scenarios are changing the urgency. Increased adoption of Cloud and automation technologies, together with cybersecurity, privacy, malware and ransomware concerns, forces companies to reassess their context, main risks and threats, and relevant stakeholders in a structured and trusted way.
With the previous version released in 2013, a new version was necessary to help companies navigate these new scenarios and make sure current security controls are in place.
The revised ISO/IEC 27001:2022
The new ISO/IEC 27001:2022 version addresses the new scenarios companies must tackle. Changes are mainly in Annex A, anticipated by the publication of ISO/IEC 27002, where security controls have been added, deleted or merged. The changes extend to include cybersecurity and privacy aspects, the control language is refreshed and additional guidance is added. This helps companies manage risks, make sure nothing is missed and duly follow up.
The last version was issued in 2013. Not surprisingly, the security control changes are quite significant, with 11 new, 58 updated and 24 merged. The changing scenarios being addressed in particular are:
- Introduction of digital technologies like Cloud and automation;
- Recent, increased adoption of such technologies;
- Recognizing cybersecurity and privacy risks;
- Reflecting the changing threat landscape, e.g. new types of malware and ransomware;
- Aligning with other best practices, e.g. NIST, COBIT, etc.;
- Refreshing the control language and adding additional guidance.
The main areas impacted by the changes are:
- leadership;
- corporate security;
- IT function;
- other support functions;
- delivery (for service providers).
To be compliant, organisations must re-evaluate their risk assessments and re-establish their security controls.
In addition to the changes in the controls, the 2022 edition is also re-aligned with the latest updates of ISO's High Level Structure (HLS). These changes are based on the latest version of Annex SL of the ISO/IEC Directives Part 1 (2022). However, these changes are considered minor, as the 2013 edition was one of the first standards to adopt the HLS.
Transition timeline
The new version of ISO/IEC 27001 was released on 25 October 2022. The transition timeline is set to be 3 years. Current 2013 certificates therefore need to be transitioned to the new version by 31 October 2025.
The transition audit can be carried out during any scheduled audit within the 3-year transition period, but it can also be performed as a special transition audit.
Preparing for implementation
We recommend you start preparing for the transition as early as possible and plan properly to incorporate needed changes into your management system.
Recommended steps for the transition:
- Get to know the contents and requirements of the new standard. Focus on the changes implied by the revised standard.
- Ensure that relevant personnel in your organization are trained and understand the requirements and key changes.
- Identify gaps which need to be addressed to meet the new requirements and establish an implementation plan.
- Implement actions and update your management system to meet the new requirements.
How we can support
Whether you are currently certified to ISO/IEC 27001 or new to the standard, DNV can support your information security management system certification and transition. As a world leading certification body, we are working with small and large companies for their information security and privacy needs around the world.
If you are getting ready to transition from version 2013 to version 2022, we can support you with:
- Training where you learn about the revision and get a basic overview of key changes and the transition process.
- Online self-assessment tools and onsite/offsite gap assessments to measure how well your management system meets the new requirements.
- Transition audit to move your certification in line with the new version of the standard.
We can support you every step of the way.
Exploring certification to ISO/IEC 27001 for the first time? Please visit our information security management system service page to learn more about its features, benefits and the road to certification.