The latest version of ISO/IEC 27001:2022, which was published in October 2022, introduces updates to the Information Security Management System (ISMS) framework. This standard helps organizations manage and protect their information assets, ensuring data confidentiality, integrity, and availability.
Certified organisations have until October 2025 to transition to this new version of the standard. InfoShelter can tailor a comprehensive, flexible and affordable package for those companies that are struggling to find time or internal expertise to complete their transition project. We are ideally placed to assist you in making the transition, bringing a combination of:
We have extensive experience in helping clients achieve ISO 27001 certification and supporting them with this transition. We can help identify new risks to your company and enhance your existing ISMS to mitigate them with tried and tested solutions.
We are vendor agnostic and happy to work with existing technical solutions, as well as your IT Managed Service Provider to extend where necessary to fulfil the new controls set out in this version of the standard. Where technical solutions are not already in place, we are happy to provide affordable options from our existing tech stack – all of which have been selected by us with the new version of ISO/IEC 27001 in mind.
You will undoubtedly have to update your existing ISMS documentation to incorporate elements of the new standard. We can work with you to update existing documentation, or start from a clean slate with shiny new templates. As with all of our consultancy – we are happy to be as involved or as hands-off as you are comfortable with.
ISO standards are regularly reviewed to ensure they remain relevant. The previous ISO 27001 version (2013) was due for an update after almost a decade, as part of the ISO’s routine process of keeping standards aligned with industry trends and real-world practices. The creation of the new version of ISO 27001 was driven by the need to keep up with modern cybersecurity challenges, technological advancements, regulatory changes, and to provide a more streamlined approach to managing information security. The key updates were as follows:
The most significant update is the alignment of Annex A with the updated ISO/IEC 27002:2022, which provides guidance on the implementation of information security controls. The controls have been restructured, with the 114 controls in the previous version now reduced to 93 controls. These are grouped into four themes:
Organisational controls (37 controls)
People controls (8 controls)
Physical controls (14 controls)
Technological controls (34 controls)
The language and structure have been simplified for better clarity, making it easier to implement the controls across various organizations and industries.
The revised controls include new areas that reflect emerging security trends, such as:
There’s an increased emphasis on cybersecurity, particularly in areas such as security in cloud environments, supply chain security, and managing evolving cybersecurity threats.
While the standard continues to emphasize a risk-based approach, the new version places more focus on integrating information security into the overall business strategy and decision-making processes.
Your ISO/IEC 27001 transition project may seem daunting at first. But don’t worry – large tasks are more manageable when broken into smaller, actionable steps. Below we set out our staged approach to transition:
The project should start with a meeting to discuss new requirements, allocate resources and responsibilities – and importantly – raise awareness with key stakeholders.
The next step is to conduct some discovery sessions to ascertain which areas of your existing ISMS need to be developed further and where there are missing elements. This gap analysis should use ISO 27001:2022 and ISO 27002:2022 as the criteria.
Armed with the information from the previous two stages, it’s important to re-run your security risk assessment and map the new controls.
Once a decision has been made about the controls and how they are to be implemented – it’s time to update your ISMS policies and procedures accordingly. It is possible to update and append existing documents, but many organisations prefer to use this as an opportunity to start a new set of ISMS documents with ISO templates developed for the new version of the standard.
Strengthen your security posture: plan, implement, and test any new controls taken from the new version of Annex A.
Once policies and procedures are ready it is time to communicate them to those who need to follow them. A good way of doing this is to get everyone together, order some pizza, and have an in-person session.
After a period of time, you need to test that your new processes are being followed and that any new tools are working as expected. Internal audit is the most appropriate mechanism for this. It’s worth ensuring that whoever is conducting the internal audit has the correct level of competence to do so (i.e. is trained or certified).
Any deficiencies in processes or tools should be documented as corrective actions. Plans should be put in place to ensure significant gaps are prioritised.
Once you have the audit results you can also update any effectiveness metrics you may have set in stage 2. This data will be useful for the next stage.
Gather all of the necessary information used to indicate health, issues, wins, and changes to the ISMS. Then set a meeting up with senior management and brief them.
Organise a transition audit with your UKAS-accredited Certification Body so they can rubber-stamp your updated ISMS with a new ISO 27001:2022 certificate.
Now that you have your updated ISMS and new certificate, you want to make sure you keep it. You will need to regularly review your ISMS to check that processes are followed, records are generated, and the ISMS is meeting its objectives. Don’t leave this until the last minute before the next audit.