29 Nov, 2022

Guide to Transition to ISO/IEC 27001:2022

ISO/IEC 27002:2022, the reference set of information security controls that organizations can select from to treat their risks, was published in February 2022.

As a consequence, ISO/IEC 27001, the international standard that specifies the requirements for an Information Security Management System (ISMS), was published in its new version on 25 October 2022.

The new version carries the ISO/IEC 27002:2022 controls into Annex A. Organizations therefore have to revisit their risk assessment and risk treatment and decide what needs to change.

We have compiled a 10-step guide to help an organization already certified to ISO/IEC 27001:2013 make a successful transition to ISO/IEC 27001:2022, in the hope that ISMS teams going through the transition will find it useful.


ISO 27001:2022 Transition Steps:

  • Understanding the Changes
  • Assessment of Training Needs
  • Performing Gap Analysis Between Existing and New Controls
  • Review of the Risk Assessment Study
  • Updating the Risk Treatment Plan
  • Updating the Statement of Applicability
  • Planning the Transition Audit
  • Completion of the Audit and Implementation of Changes
  • Achieving ISO/IEC 27001:2022 Certification
  • Focus on Continuous Improvement

1. Understanding the Changes

  • Clearer language in the controls
  • New sub-clauses aligned with the harmonized structure shared by other management system standards
  • Change of title, bringing cybersecurity and privacy into scope (ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection - Information security management systems - Requirements)
  • References to control objectives removed, as they no longer exist in Annex A or ISO/IEC 27002
  • New requirement in Clause 6.2 to monitor information security objectives
  • New Clause 6.3 - Planning of changes
  • Clause 7.4 now requires the organization to determine how it communicates
  • Clause 8.1 now requires establishing criteria for operational processes and implementing control of those processes
  • Internal audit (9.2) and management review (9.3) restructured into sub-clauses consistent with the harmonized structure; management review now also considers changes in the needs and expectations of interested parties
  • Clause 10 reordered: 10.1 is now Continual improvement and 10.2 Nonconformity and corrective action; the requirements themselves are unchanged
  • Change in the number of controls

ISO/IEC 27001:2013 Annex A: 114 controls under 14 clauses

ISO/IEC 27001:2022 Annex A: 93 controls under 4 themes (11 new, 23 renamed, 57 merged into 24)

Themes: Organizational (37 controls), People (8), Physical (14), Technological (34)

11 New Controls

Organizational Controls

A.5.7 – Threat intelligence

A.5.23 – Information security for use of cloud services

A.5.30 – ICT readiness for business continuity

Physical Controls

A.7.4 – Physical security monitoring

Technological Controls

A.8.9 – Configuration management

A.8.10 – Information deletion

A.8.11 – Data masking

A.8.12 – Data leakage prevention

A.8.16 – Monitoring activities

A.8.23 – Web filtering

A.8.28 – Secure coding

2. Assessment Of Training Needs

Identify the training the transition needs: the ISMS team on the revised clause structure, control owners on the controls that are new or merged, and internal auditors on auditing against the 2022 text.

3. Performing Gap Analysis Between Existing and New Controls

A gap analysis comparing your current controls and risk treatment with those of ISO/IEC 27001:2022 shows where to focus during the transition.

ISO/IEC 27002:2022 Annex B is the place to start: it maps every 2022 control to its 2013 counterpart(s) and vice versa, so you can see which of your existing controls merge, which change name, and which 2022 controls have no predecessor and need a fresh decision.

Since the new standard groups all controls under only 4 themes (Organizational, People, Physical, Technological), it also helps to assign a team or owner specialized in each theme.

4. Review of the Risk Assessment Study

Check that your risk assessment, in its objectives and content, is still aligned with your business objectives and risk appetite, and that its results lead to the controls you will list in the new Annex A structure. If it falls short, ISO/IEC 27005, the international standard giving guidance on information security risk management, is the reference to draw on.

5. Updating the Risk Treatment Plan

Update your Risk Treatment Plan so that it records your risk treatment decisions and the controls selected for them from ISO/IEC 27001:2022 Annex A (or from other sources, where you have designed your own).

6. Update of Statement of Applicability

Updating your Statement of Applicability matters because it is the evidence of, and the justification for, the inclusion or exclusion of every Annex A control.

For each included control you also state whether it is implemented, consistent with your Risk Treatment Plan. Implementation is then verified through your internal audit program, which should evaluate whether the controls are effective, not only present.
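The mapping-driven update in steps 3 to 6 can be scripted rather than done by hand across 93 rows. The following Python is an added example written for this guide, not text or tooling from ISO/IEC 27001, ISO/IEC 27002 or the original article: it takes a 2013 Statement of Applicability, pushes each row through an Annex B style mapping, and flags the three situations a reviewer has to act on: 2022 controls with no predecessor (must be risk-assessed first), merged controls whose 2013 predecessors disagreed on applicability (need one fresh decision), and 2013 rows that no 2022 control claims (a decision that would otherwise vanish). The mapping dictionary is a small constructed subset of the Annex B correspondence (A.5.1 and A.8.24 as merges, A.5.7, A.8.9 and A.8.28 as new controls), the SoA rows are constructed sample data, and the function names are this example's own.

```python
"""Draft a 2022 Statement of Applicability from a 2013 one through a control mapping.

Added example for this guide (not text from ISO/IEC 27001/27002). Function names and
sample data are this example's own; the mapping is a small, constructed subset of the
ISO/IEC 27002:2022 Annex B correspondence, reproduced here for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class SoaEntry:
    """One row of a Statement of Applicability."""
    applicable: bool
    justification: str


@dataclass
class DraftEntry:
    """One row of the drafted 2022 SoA plus the review action it needs."""
    status: str                 # "new", "carried" or "conflict"
    applicable: Optional[bool]  # None until a human decides
    predecessors: List[str]
    note: str


# Constructed subset of the Annex B correspondence: 2022 control -> 2013 controls.
# An empty list marks one of the 11 new controls that has no 2013 predecessor.
MAPPING_2022_TO_2013: Dict[str, List[str]] = {
    "A.5.1": ["A.5.1.1", "A.5.1.2"],     # Policies for information security (merged)
    "A.5.7": [],                         # Threat intelligence (new)
    "A.8.9": [],                         # Configuration management (new)
    "A.8.24": ["A.10.1.1", "A.10.1.2"],  # Use of cryptography (merged)
    "A.8.28": [],                        # Secure coding (new)
}

# Constructed sample rows from a 2013 SoA. A.9.4.1 is deliberately absent from the
# mapping subset above, so the coverage check below should report it.
SAMPLE_SOA_2013: Dict[str, SoaEntry] = {
    "A.5.1.1": SoaEntry(True, "Policy approved by management"),
    "A.5.1.2": SoaEntry(True, "Annual review in place"),
    "A.10.1.1": SoaEntry(True, "Cryptography policy published"),
    "A.10.1.2": SoaEntry(False, "No keys managed in-house (outsourced)"),
    "A.9.4.1": SoaEntry(True, "Access restriction enforced by IAM"),
}


def draft_soa_2022(soa_2013: Dict[str, SoaEntry],
                   mapping: Dict[str, List[str]]) -> Dict[str, DraftEntry]:
    """Carry 2013 decisions forward and flag the rows that need a fresh decision.

    "carried":  every predecessor had the same applicability; keep it, but re-read the
                justification against the new control text.
    "conflict": merged predecessors disagree on applicability; the merged control needs
                one decision, taken together with the risk treatment plan.
    "new":      no predecessor; the control must go through risk assessment first.
    """
    draft: Dict[str, DraftEntry] = {}
    for new_id, old_ids in mapping.items():
        if not old_ids:
            draft[new_id] = DraftEntry("new", None, [],
                                       "No 2013 predecessor: risk-assess before deciding")
            continue
        missing = [o for o in old_ids if o not in soa_2013]
        if missing:  # a 2013 SoA must list all 114 controls, so a gap here is a data error
            raise KeyError(f"2013 SoA is missing rows for {missing}")
        decisions = {soa_2013[o].applicable for o in old_ids}
        if len(decisions) == 1:
            draft[new_id] = DraftEntry("carried", decisions.pop(), list(old_ids),
                                       "Re-check justification against the 2022 wording")
        else:
            draft[new_id] = DraftEntry("conflict", None, list(old_ids),
                                       "Merged predecessors disagree; decide once for the merged control")
    return draft


def uncovered_2013_controls(soa_2013: Dict[str, SoaEntry],
                            mapping: Dict[str, List[str]]) -> List[str]:
    """2013 rows that no 2022 control claims: a decision that would silently vanish."""
    covered = {old for olds in mapping.values() for old in olds}
    return sorted(c for c in soa_2013 if c not in covered)


if __name__ == "__main__":
    for cid, row in draft_soa_2022(SAMPLE_SOA_2013, MAPPING_2022_TO_2013).items():
        print(f"{cid:7} {row.status:9} applicable={row.applicable} <- {row.predecessors}: {row.note}")
    print("uncovered 2013 rows:", uncovered_2013_controls(SAMPLE_SOA_2013, MAPPING_2022_TO_2013))
```

With the full Annex B table loaded in place of the constructed subset, the "conflict" and "uncovered" lists are exactly the rows the ISMS team must sit down over before the SoA is signed off; the "carried" rows still need their justifications re-read, because the 2022 control text is often broader than the 2013 control it absorbed.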

7. Planning the Transition Audit

With the changes above in place, you can plan the transition audit to ISO/IEC 27001:2022 with your certification body. Note that the transition period set by the IAF ends on 31 October 2025, three years after publication; certificates to ISO/IEC 27001:2013 are not valid beyond that date, so the transition audit (usually combined with a surveillance or recertification audit) should be scheduled well before it.

8. Completion of the Audit and Implementation of Changes

Your auditor will evaluate whether the ISMS and its documented evidence meet the requirements of ISO/IEC 27001:2022, with particular attention to the Annex A controls and how your Statement of Applicability justifies their selection.

After the audit, you will receive the audit report with the auditor's findings; any nonconformities must be closed before the certificate to the new version is issued.

9. Achieving ISO/IEC 27001:2022 Certification

The certificate demonstrates your commitment to an internationally recognized standard and to continual improvement, and helps you meet customer and contractual requirements when bidding for new business.

The controls and risk treatment you implement against a changing threat landscape are what keep your ISMS strong and effective.

10. Focus on Continuous Improvement

After certification, keep the momentum so that the ISMS remains effective and well managed. Internal audits, management reviews and the certification body's surveillance audits are the mechanisms for this.

