Transition to ISO 27001:2022 – What do we Know so Far?
Due to the constant evolution of the information security environment and the threats faced, the update to ISO 27002 and in turn ISO 27001 is a welcome change which will benefit organisations of all size where implemented.
ISO 27002:2021 replaces ISO 27002:2017 and contains a notable change to the structuring of the Annex A controls. The new control set takes many of the controls from the previous version, consolidating some whilst adding new controls which reflect current information security practices.
4 Key themes have been introduced replacing the 14 clauses. These are 'People' (8 controls), 'Organisational' (37 controls), 'Technological' (34 controls) and 'Physical' (14 controls). The themes allow for controls to overlap into several areas ensuring risks are managed and treated accordingly within a Statement of Applicability.
We understand the title of ISO 27001:2022 will change from “Information technology — Security techniques — Information security management systems — Requirements” to “Information security, cybersecurity and privacy protection — Information security management system – Requirements,” which introduces new elements of cybersecurity and privacy protection into the standard.
Both cybersecurity and privacy protection are key to a secure Information Security Management System. The practice of protecting critical systems and sensitive information from cyber, physical, and blended multi-vector attack links directly into data protection ensuring that the information you would like to keep safe as a company, stays that way. Though this has always been on our minds, certainly in the last few years, this has been more on people’s radars with the acceleration in remote working and a rush to cloud based network and hosting solutions.
We also understand that the notes around clause 6.1.3 are changing to ensure the link to ISO 27002:2021 and clauses 5 to 8 are in line with this. Aside from these highlighted areas, we understand a majority of ISO 27001:2022 will remain like they currently are.
The transition period will allow organisations time to review their Information Security Management System and the expectation is that the risk assessment, risk treatment plan and statement of applicability will be updated in line with the changes. The new and changed controls will need to be factored into your Information Security Management System.
NQA are developing a new training course to support your knowledge of transition which will be available once the standard has been released. If you would like more information on this once this is available, please click here.
Once ISO 27001:2022 has been released, NQA will be in touch with all clients to advise of the transition period. If you are a new client who is implementing ISO 27001:2022 and wish to gain certification to the updated standard, please get in touch to discuss next steps.