January 25, 2022

Last Updated on January 4, 2024

Like The Who sang back in the day, “The change it had to come. We knew it all along.” A change to the longstanding ISO 27001 control framework that was announced in 2018 has finally arrived (almost), and it is substantial. If your organization is ISO 27001:2013 certified, working toward ISO 27001 certification or considering it, you need to know about the updates and their impacts.

What does ISO 27001:2022 mean for certification?

First, let’s clarify what’s in play. ISO 27001 and ISO 27002 are both changing. ISO 27001 is the framework companies are certified against, while ISO 27002 is a reference standard to guide control selection, implementation, and management. Most of the changes are in ISO 27002, as well as ISO 27001’s Annex A that references/summarizes ISO 27002.

You won’t need to undergo certification against ISO 27001:2022 right away. Assuming this change follows the typical pattern, accreditation bodies will grant a 12- to 24-month grace period so you can update your processes and documentation, train your employees, etc. If the grace period is 12 months, that would mean that any ISO 27001 certification or surveillance audit taking place after March 2023 will use ISO 27001:2022.

What if your business is working towards ISO 27001 certification but you aren’t quite “there” yet? You’ll have the option to choose which version of the standard you are certified against. If you choose to be certified against ISO 27001:2013, you will have an unannounced period (possibly up to two years) to transition your certification to ISO 27001:2022. At some point, most likely sometime in 2023, there will be a cutoff beyond which no certifications against ISO 27001:2013 will be issued.

When will the new editions “go live”?

As it says on ISO’s webpage for ISO 27002, that standard is “under development” and its publication date will be “2022-02.” All expectations are that the new edition will be available in February 2022.

It’s not 100% clear when ISO 27001:2022 will be formally available, but it’s likely to be very soon after ISO 27002:2022 is released.

How is ISO 27002 changing?

If you are operating an ISO 27001 certified information security management system (ISMS) today, rest assured that the great majority of your current controls will be unaffected by the new edition. Many of the coming changes relate to the new organization and classification of the Annex A controls. One reason for this is that the 2013 update to ISO 27001 focused on revising the management clauses to align them with other ISO standards.

The new version rationalizes the 114 controls formerly categorized by “domains” down to 93 controls grouped into 4 simple themes:

  1. Organizational controls (37 controls)
  2. Technological controls (34 controls)
  3. Physical controls (14 controls)
  4. People controls (8 controls)

The 93 controls include 12 new controls that were added in response to major shifts in both technology and threats since 2013. Several controls were also consolidated . It appears that only one control, “Removal of assets,” has been eliminated from the new edition altogether.

Overall, the emphasis of the control changes seems to be on cyber-attack prevention, detection, and response, as well as better protecting sensitive data.

How is ISO 27001 changing?

Besides the changes to Annex A relating to the above, many of the ISO 27001 changes are anticipated to be refinements and clarifications. For example, “mobile devices” are now “user end point devices” and “password management” is now “identity and authentication management.”

But some other revisions will have wider impacts. In particular, ISO 27001:2013 requires you to maintain an inventory of assets that relate to cybersecurity. In the coming update, your data itself must be considered an asset. This will require you to create a data inventory so you can relate controls to different data types. This substantial new requirement aligns ISO 27001 with GDPR and other privacy regulations that mandate data mapping exercises.

Another change intended to help align the standard with other cybersecurity guidance, while also improving its usability, is the addition of a #hashtag taxonomy. Five #hashtags relate to each control, one for each of five control attributes:

  1. Control Type (e.g., #corrective, #detective, #corrective)
  2. Cybersecurity Concept (#detect, #identify, #protect, #respond, #recover)—these tags align specifically with the 5 “functions” in the NIST Cybersecurity Framework, making these tags a benefit to the growing number of firms that need to align with both ISO 27001 and NIST 800-171.
  3. Information Security Properties (#confidentiality, #integrity, #availability)
  4. Operational Capabilities (e.g., #asset_management, #application_security, #governance)
  5. Security Domains (#protection, #defence, #resilience, #governance_and_ecosystem)

You can use these #hashtags to create custom views of the entire control set or subsets of related controls. This should make it easier to understand and reference the control changes.

How will the new edition change our current ISMS?

Because the control changes will propagate logically across your entire ISMS, the “lift” required to move from ISO 27001:2013 to ISO 27001:2022 will be nontrivial. Here are some of the most significant changes you should plan for:

  • Gap-assess your current controls against the new control set
  • Update your risk assessment since you’ll be updating your controls
  • Revise your Statement of Applicability based on your new risk assessment and new controls
  • Update your security metrics per your new risk assessment and controls
  • Carefully review and update all your standards, policies and procedures as needed per changes in your environment
  • Evaluate and possibly adapt third-party security tools (e.g., your SIEM or GRC platform) to ensure the artifacts you’re using to demonstrate compliance support the new requirements

What’s next?

While aligning a “legacy” ISMS with ISO 27001:2022 will take some work, it will be well worth the effort. Implementing appropriate new controls to address the current risk landscape will make your security and privacy program more effective and better protect your business, your data and your clients.

To get started now with gauging ISO 27001:2022’s impact on your environment and the effort involved to meet the updated requirements, contact Pivot Point Security to arrange a consultative session.

You might also be interested this related blog post: How (Not) to Perfect Your ISO 27001 Information Security Management System in Only 3 Years – Pivot Point Security