March 5, 2023

Last Updated on January 4, 2024

Benefits of Moving to ISO 27001:2022 ASAP
Businesses that are certified against ISO 27001:2013 need to move to the new ISO 27001:2022 version by October 31, 2025—or in many cases sooner, depending on your recertification cadence. This timeline is defined in the International Accreditation Forum’s Mandatory Document 26 (MD 26).

But should you move before you absolutely must? What are some of the compelling benefits of aligning with ISO 27001:2022 that you might want to start reaping ASAP?

To cover everything your auditor would want you to know about moving to ISO 27001:2022, Schellman principals Danny Manimbo and Ryan Mackie were recent guests on The Virtual CISO Podcast.

More support for risk assessment
ISO 27001:2013 helps drive robust risk assessment, and that only gets better with the new version.

“The actual framework as it deals with risk assessment didn’t really change, as far as what’s contained within the management system clauses 4 through 10,” Danny points out. “But one of the things introduced with ISO 27002:2022 that was released last February was some tools and terminology, if you want to call it that, to assist with the risk assessment process.”

Danny is referring to the new attributes concept, featuring #hashtags. Attributes help teams manage risk primarily by making sure their controls cover all the bases.

ISO 27002:2022 associates five groups of attributes with the control taxonomy, e.g., control type (preventive, detective, corrective) and cybersecurity properties (confidentiality, integrity, availability).

“Now it allows you to assess your whole control inventory and ask things like, ‘Do I have only detective controls in this area?’ or ‘Do I have enough controls around availability?’” notes Danny. “I think it provides a little more visibility and less guessing, especially for those who are new to these risk management frameworks, how to use them and where to get started.”
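As an added illustration (not from the post or from Schellman), here is a small control inventory tagged with the two attribute groups named above and queried for the gaps Danny describes; the control IDs, areas and attribute assignments are constructed sample data.

```python
# Added example: attribute-tagged control inventory, queried for coverage gaps.
# Control IDs, areas and attribute assignments below are constructed, not from any standard.
from collections import defaultdict

# Attribute values named in the post: control type and cybersecurity properties.
CONTROL_TYPES = {"Preventive", "Detective", "Corrective"}
PROPERTIES = {"Confidentiality", "Integrity", "Availability"}

# Constructed inventory: (control id, area, control types, security properties).
INVENTORY = [
    ("C-01", "Logging", {"Detective"}, {"Integrity"}),
    ("C-02", "Logging", {"Detective"}, {"Confidentiality", "Integrity"}),
    ("C-03", "Access control", {"Preventive"}, {"Confidentiality", "Integrity"}),
    ("C-04", "Access control", {"Detective"}, {"Confidentiality"}),
    ("C-05", "Backup", {"Corrective"}, {"Availability"}),
]

def invalid_attributes(inventory):
    """Map control id -> attribute values outside the two groups used here (empty if clean)."""
    problems = {}
    for cid, _area, types, props in inventory:
        bad = (types - CONTROL_TYPES) | (props - PROPERTIES)
        if bad:
            problems[cid] = sorted(bad)
    return problems

def control_types_by_area(inventory):
    """Union of control types present in each area."""
    cover = defaultdict(set)
    for _cid, area, types, _props in inventory:
        cover[area] |= types
    return dict(cover)

def areas_with_only(inventory, control_type):
    """Areas whose controls are all of one type, e.g. 'only detective controls here?'."""
    return sorted(a for a, t in control_types_by_area(inventory).items() if t == {control_type})

def controls_for_property(inventory, prop):
    """Controls claiming a property, e.g. 'enough controls around availability?'."""
    return [cid for cid, _a, _t, props in inventory if prop in props]

def missing_types_by_area(inventory):
    """Control types absent from each area, a quick view of where coverage is thin."""
    return {a: sorted(CONTROL_TYPES - t) for a, t in control_types_by_area(inventory).items()}

if __name__ == "__main__":
    print("attribute problems:", invalid_attributes(INVENTORY))
    print("detective-only areas:", areas_with_only(INVENTORY, "Detective"))
    print("availability controls:", controls_for_property(INVENTORY, "Availability"))
    print("missing control types:", missing_types_by_area(INVENTORY))
```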


A potential competitive edge

For some organizations, moving to ISO 27001:2022 could be a competitive differentiator. The new release is more up to date with current cybersecurity practices and threats, which could yield a more robust information security management system (ISMS). Hence stakeholders could perceive it as a stronger attestation of your security posture than certification to a standard now 10 years old.

“I think there is going to be a lot of chatter in the market space,” Danny suggests. “I think a lot of questions will start getting asked, whether it’s business partners, suppliers, prospects, or current customers, about ‘What are your plans for transitioning?’”

What’s next?

Ready to listen to this podcast show with Ryan Mackie and Danny Manimbo? Click here.

Here’s more depth on ISO 27002:2022 impacts to your ISMS: The New ISO 27002:2022—What Does It Mean for Your ISO 27001 ISMS?