New ISO 27001:2022 Standard

Certified against the ISO 27001:2013 or 2017? You must make the transition to the new ISO 27001:2022 standard to remain certified. Northwave can help you to effectively transition and to gain the greatest value by implementing the new standard.

Why The New Standard?

Cyber threats are evolving, and companies continuously face security challenges. An important mechanism when it comes to remaining in control of your cyber security posture is an information security management system (ISMS), as outlined in the international ISO 27001 standard. This standard was updated in 2022 to better fit the current risks and security challenges companies face by addressing new elements, such as cyber threat intelligence and cloud security, resulting in the ISO 27001:2022 version.

Why should you make the transition effort within your three-year ISMS cycle? Mainly for pragmatic reasons: the new ISO 27001:2022 standard helps you to manage the current, evolving cyber security landscape more effectively and pragmatically.

Impact On Your Organisation

The official publication of the new standard in October 2022 has been followed by a transition period across industries. From November 1st 2023, certification can only be performed against the new ISO 27001:2022. If you are already ISO 27001:2013 certified, your organisation is required to make the transition to the new standard in the upcoming re-certification audit and to do so no later than end of October 2025.

What is the transition about? A number of changes to the ISMS requirements need to be addressed, mainly at the documentation level.

New ISO 27001:2022 clause – Required changes

Clause 4.2 - Understanding the needs and expectations of interested parties

Paragraph C now clarifies that you need to determine which of the identified requirements will be addressed through the information security management system, rather than implying it. This can be as simple as a client requiring you to be certified.

Clause 6.2 - Information security objectives and planning to achieve them

Paragraphs D and G add that information security objectives should be monitored and be available as documented information. This was always implied but has now been made explicit. Make sure that you have documented evidence to demonstrate compliance with this clause.

Clause 6.3 - Planning of changes

When a change to the ISMS is necessary, make sure it is performed in a planned manner. While that is the entire requirement, it is good practice to state in your ISMS documentation that you handle changes in a planned manner and to be able to show this in practice for the transition to the new standard.

Clause 9.1 - Monitoring, measurement, analysis, and evaluation

This clause has been overhauled and aligned with Clause 6.2. Clause 9.1 provides guidance for monitoring, measurement, analysis, and evaluation methods, and defines what a valid result is. An important change is the explicit need for your process and results to be available as documented evidence, including the evaluation of the effectiveness and performance of your ISMS.

Minor changes were also made to other clauses, mainly for clarification reasons, making previously implied requirements explicit. Also remember that from now on, Annex A elements should be referred to as controls instead of control objectives.

Moreover, the biggest changes come forth from the fully overhauled Annex A of the new ISO 27001:2022. With the revamping of Annex A, a new structure has been introduced and controls have been changed, added, or removed; see the figure below for a high-level comparison of the old and the new versions of Annex A.

Figure: high-level comparison of the old and new Annex A (ISO 27002) structure.

‘Old’ 27002 structure – 114 controls:

  5. Information security policies
  6. Organisation of information security
  7. Human resource security
  8. Asset management
  9. Access control
  10. Cryptography
  11. Physical and environmental security
  12. Operations security
  13. Communications security
  14. System acquisition, development, and maintenance
  15. Supplier relationships
  16. Information security incident management
  17. Information security aspects of business continuity management
  18. Compliance

Changes:

  • 11 new controls
  • 24 merged controls
  • 58 updated controls
  • 16 deleted controls

New 27002 structure – 93 controls (the OPPhT layout):

  • Organisational controls
  • People controls
  • Physical controls
  • Technological controls

11 new controls:

  • 5.7 Threat intelligence
  • 5.23 Information security for use of cloud services
  • 5.30 ICT readiness for business continuity
  • 7.4 Physical security monitoring
  • 8.9 Configuration management
  • 8.10 Information deletion
  • 8.11 Data masking
  • 8.12 Data leakage prevention
  • 8.16 Monitoring activities
  • 8.22 Web filtering
  • 8.28 Secure coding

The introduction of new controls arose from:

  • the changing landscape of technology use and data protection requirements: threat intelligence, cloud services security, physical security monitoring, and data leakage prevention;
  • the inclusion of sensitive data protection controls: information deletion, data masking;
  • the recognition of the essential role of technology in business resilience: business continuity;
  • much-needed updates to keep up with developments: identity management, user endpoint devices, configuration management, web filtering, and secure coding.

How can you successfully obtain the new ISO 27001:2022 certificate? There are three different scenarios which might apply to your organisation:

  1. Initial certification: certification will be against the new standard by default and no transition is needed.
  2. Re-certification at the end of your three-year cycle: a transition audit is needed in addition to your re-certification audit; follow the steps described below to make the transition.
  3. Transition within your three-year cycle: a specific transition audit needs to be conducted. After successful completion, you will receive a new ISO 27001:2022 certificate with the same expiry date as your current certificate. Follow the steps described below.

Where should you start?

Not coincidentally, with a Plan-Do-Check-Act cycle, which is at the heart of almost every ISO standard for management systems.

Make a PLAN

First, determine the steps you need to take to implement the new ISO 27001:2022 standard. If you are ISO 27001:2013 certified, you already have the ISMS foundation present within your organisation. Gain a good understanding of the new ISO standard and the relevant changes to the ISMS and Annex A controls. Perform a gap analysis to identify the gaps between the status in your organisation and the new ISO 27001:2022 standard requirements.

Second, create a plan of approach to implement the required, identified changes in the ISMS and for the relevant Annex A controls.

Execute the plan (DO)

Finally, after determining and planning the required changes, schedule and execute the implementation of these changes into your ISMS to incorporate the new requirements. Parallel to the changes in your ISMS, you can implement the changes forthcoming from the updated Annex A and update the Statement of Applicability.

CHECK the implementation

Perform the regular internal audit, but now for the first time on the new ISO 27001:2022, to verify the effectiveness of the changes to your ISMS and controls. This audit needs to include the full scope of the applicable controls as part of the certification.

ACT upon the evaluation

Formally evaluate whether the result of the transition to the new ISO 27001:2022 has been effective up until that moment. This can be done as part of a management review or in any other kind of meeting with the relevant leadership involved. In our own experience, it is best to do this prior to the external transition audit.

Transition audit

If your organisation is already ISO 27001 certified, you can either choose to make the transition within your three-year audit cycle or at the beginning of a new cycle. Your regular external audit will be extended to ensure enough time for the auditor to focus on the changes which were made in your transition to ISO 27001:2022. This includes, among other things, meeting any additionally defined requirements, ensuring that your internal audit plan was made based on ISO 27001:2022, and checking that any references in your existing ISMS now point to the new version. Furthermore, newly added or revised Annex A controls are reviewed.

If the external audit is successful, the granting of the new ISO 27001:2022 certificate will be the jewel in the crown of your work and a formal confirmation of the successful execution of your scheduled change. The final step in the transition is the celebration of your success and communication about your new ISO 27001:2022 certificate!

What Can Northwave Do For You?

We can help you in the transition to the new ISO 27001:2022 standard with all above-described components and more! This can be done using individual components or the combination of a workshop, gap assessment, and ISMS-transition support track.

Workshop

We can organise an engaging workshop to take the most important stakeholders within your organisation along on the changes in the ISO 27001:2022 standard, so that they know what to expect in the transition period, can create a joint plan of approach, and can discuss potential opportunities for improvement to follow up on during the transition.

Gap assessment

We can perform a gap assessment to provide insight into your current state of compliance/security compared to the new ISO 27001:2022 standard. Based on the findings, you can schedule the necessary changes for the transition to the new standard.

ISMS transition support track

The transition to the new ISO 27001:2022 needs to be effectively incorporated into the various steps within your ISMS. We focus on including the transition aspects, but also serve as your trusted adviser when it comes to improving certain fundamental elements of your ISMS. We can support you regarding:

  1. the determination of your ISMS’s context;
  2. adjustments to and improvements in policies and procedures;
  3. your risk assessment on information security and the risk management process;
  4. the implementation of new controls and improvement of existing controls;
  5. the performance of the internal audit to evaluate the effectiveness of the ISMS and the control measures in accordance with the ISO 27001:2022;
  6. the management review of your ISMS.


Frequently Encountered Challenges And Best Practices

Do we need a formal evaluation of the transition before or after the external audit?

While the new certificate is officially the crowning glory of your work, we recommend discussing the end result of the ISO 27001:2022 implementation prior to your external audit. This could be done as part of the management review, for example. By doing so, you demonstrate the process of continuous improvement.

How does that ‘planning of changes’ work?

While the standard requires that you plan your changes, it technically does not require you to have a documented plan or that all changes be documented. What you should document is your organisation’s approach to planning changes. It is still good practice to follow established practices for the planning of changes, such as those of the ISO 9001 standard.

I find it a challenge to make a pragmatic internal audit plan!

The new Annex A looks really different; we understand you may find it a challenge to make a pragmatic internal audit plan and to estimate the time needed for the interviews.

At first glance, how the Annex A controls can be bundled to make your internal audit plan time efficient and well organised is indeed not so straightforward. Luckily, we have a few tips for you!

  • Consider who you will interview for a certain (group of) element(s).
  • Use the operational capabilities attribute assigned in the new ISO 27002:2022 standard to organise all controls into more manageable groups.
  • Compare your plan to previous internal audit plans to estimate the amount of time needed, and allow a little extra time for the newly added controls.

Alternatively, you can always ask us to support you with your internal audit!


Closing

We hope that these tips and tricks will help you on your way towards a successful transition to ISO 27001:2022. An effective ISMS should provide you with the mechanism to be in control of changes and of the information security risks for your organisation in the current, rapidly evolving cyber threat landscape. Yet the transition to ISO 27001:2022 requires some specific actions, and we would be happy to help you with any of those steps. Read more about our ISO 27001 FastTrack.
