The ISO 27001 information security update: What to know about compliance and transitioning to the 2022 requirements

In October 2022, the International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) released a long-anticipated update to the 27001 standard. The update replaces the 2013 framework; whether your company is currently ISO 27001-certified or you’re considering certification for the first time, you’ll need to be aware of the changes.

Whether your company is currently ISO 27001-certified or you’re considering certification for the first time, you’ll need to be aware of the changes.

Protecting your organization’s Information Security Management System

The ISO 27001 framework is a set of internationally recognized standards for organizations’ Information Security Management Systems (ISMS). This refers to a company’s written policy and controls matrix covering people, processes, and technology; the ISMS is put in place to protect customer and proprietary internal information in support of business objectives.

Companies are certified against the ISO 27001 standard, while an additional standard, ISO 27002, provides implementation guidance for designing controls. We’re often asked about the difference between the two. To put it simply, 27002 is meant to be used as a checklist of sorts; the guidance in ISO 27002 is not all required but should be used in conjunction with ISO 27001.

Certification against ISO 27001 occurs on a three-year cycle, with the actual certification audit, consisting of a Stage 1 and Stage 2 audit, occurring in the first year. Surveillance audits in years two and three ensure the ISMS hasn’t substantially changed since the certification and controls are operating effectively as designed. All three audits — the two-stage certification audit as well as the two surveillance audits — must be performed by an ISO 27001-certified third-party auditor.

Cybersecurity in the spotlight

The way in which controls are categorized in the 2022 update places greater emphasis on cybersecurity, including concepts from the ISO TS 27110 framework, information technology, cybersecurity, and privacy protection. The updated 28001 framework also focuses more heavily on the protection of personally identifiable information and standards for organizations’ use of cloud services.

ISO 27001 themes, consolidation, & new controls

With the 2022 update, many controls have been consolidated into four thematic areas, replacing the 2013 framework’s “Annex A” controls A5 to A18. Control themes are now categorized as: Organizational (37 controls); People (8); Physical (14); and Technological (34); totaling 93 controls. This is down from 114 in the 2013 version. At the same time, 11 new controls are included in the 2022 updated 27001 standard. In addition, clauses 4 through 10 covering scoping and context of the organization, leadership oversight, risk assessment procedures, internal audit and corrective actions, and management review, haven’t changed significantly.

Two areas stand out among the new controls: cloud services, which most businesses today likely use in some form, and data privacy – data masking, data leakage prevention, web filtering, and others. Organizations planning to seek certification, or recertification, should ensure they have controls in place in these areas if they haven’t already done so, so they are successfully set up for the transition from 2013 to the 2022 version and further protect information assets.

Two areas stand out among the new controls: cloud services, which most businesses today likely use in some form, and data privacy.

Implementation timing for ISO 27001

For companies currently ISO 27001-certified, there will be a three-year transition from the 2013 version to the updated standard, and the transition needs to be completed by October 2025. The transition can take place with the next surveillance audit or the next recertification audit. Companies should be sure to update their Statement of Applicability to conform to the new 2022 standard — and ensure their controls address the 11 new additions to the framework.

Companies should be sure to update their Statement of Applicability to conform to the new 2022 standard.

Organizations considering certification but not currently certified should be sure to use the updated 2022 framework when designing and assessing controls for their ISMS, so that it conforms to the new standard.

For both new and current ISO-certified organizations, it’s important to perform your risk assessment, internal audit, show evidence of continual improvement, and perform — at least annually — your management review prior to the certification, surveillance, and recertification audits to avoid a nonconformity.

Benefits to ISO 27001 certification

The ISO 27001 standard and certification provides a systematic, prescriptive, industry-agnostic framework for ISMS security and reliability that can provide structure and focus concerning information security risk responsibilities. Certification can benefit small, midsize, and large companies alike, particularly businesses with an international footprint or clientele . As a globally recognized “gold standard,” ISO 27001 certification supports customer confidence and can decrease the need for on-site customer assessments. Certification also can help businesses prepare for other ISO certifications or attestations, such as SOC examinations or HITRUST certifications, which can prove more resource-intensive to pursue.

Next steps

As you consider whether to become certified or when to transition your currently certified business to the new standard, take a look at which controls you have in place and which you don’t. Are you able to meet the requirements of the 27001 update? Develop a plan of attack for your gap, or readiness, assessment to prepare for certification, recertification, or a surveillance audit.