Last Updated on March 16, 2023
The new ISO 27002:2022 makes significant changes to the control set that your ISO 27001 information security management system (ISMS) is probably based on. What does this mean for the ISO 27001 standard? How much effort will it take to align with the new controls? And how much time do you have to prepare for recertification?
To cover all the changes and impacts from the new ISO 27002:2022, a recent episode of The Virtual CISO Podcast features Danny Manimbo and Ryan Mackie, Principals and ISO certification practice co-leads at Schellman. The show’s host is John Verry, Pivot Point Security CISO and Managing Partner.
Updating ISO 27001
If you’re familiar with ISO 27001, you know that its Annex A will need a refresh to reflect the new control set now described in ISO 27002. ISO 27001 doesn’t require you to use the Annex A controls, but nearly every organization does.
At the time John recorded the podcast with Danny and Ryan (February 11, 2022), it wasn’t yet known whether ISO would amend ISO 27001:2013 or update the standard to ISO 27001:2022. The ramifications of this are significant. Not only would certified organizations need to be recertified, but the registrars (e.g., Schellman) would also all need to be reaccredited before they could perform certification audits against the new version.
We now know that ISO has chosen to release an amendment to ISO 27001:2013. The only change is to replace Annex A with a new version reflecting the 93 controls in ISO 27002:2022. The amendment is now “under development” and in the comment period.
Based on experience, it’s likely that the amendment will become final in about three months, according to Danny.
What is the transition period?
The International Accreditation Forum (IAF) has yet to officially announce a transition plan for certified organizations to move to the amended version of ISO 27001:2013.
But “What we’re hearing is that the IAF is currently drafting what looks to be a two-year transition period,” shares Danny. “Any shorter than that really shortchanges a lot of folks. I don’t think it will be anything less than that.”
Why not shorten the transition to one year? You’d then have 12 months to be certified to the new ISO 27001 version. But, as Danny explains, this would potentially put many orgs in a position of having to undergo two audits just a few months apart.
“Say ISO 27001 is finalized on June 1, 2022,” says Danny. “You have 12 months. Unless your audit’s happening in the month of June or July, you’re probably forced to move right to the new version of the standard. Let’s say your audit is in December, and you say, ‘Okay, I’ll take advantage of the transition window and do it under the old version.’ Well, guess what? By May 31 of the next year, you’ll need to be transitioned to the new version because the 12 months have passed. So now you’re doing two audits in six months. You’d have no transition, effectively.”
But with a two-year transition period, any business can choose to be certified to the “old” ISO 27001 in their first audit following the publication of the final amended version. Then they’d have until the two-year period was up to fully make the transition and be re-audited.
In line with that, John has a money-saving hint: Don’t wait until the last minute to get your audit. Many consulting firms and registrars charge a premium for internal or external audits during the busiest times in the yearly audit cycle, due to bandwidth issues. For example, if the ISO 27001 amendment is finalized in June 2022 with a two-year transition period, that “peak season” for audits would be Q2 2024.
“You’re probably better off trying to manage your transition so it’s not aligned with the actual deadline,” recommends John.
How much effort will the transition take?
While only the controls have changed, significant work will still be involved to align with the amended ISO 27001:2013. You’ll probably need to adapt some systems, revise policies and procedures, remap your controls, budget additional funds, and maybe invest in new technology.
“It’s a pretty achievable transition, assuming your ISMS is up to date, because it’s really just a controls change,” Danny advises. “It’s a lift and shift, right? Nothing’s changing in the clauses. And the control changes are mostly a consolidation and a slight modernization.”
“I suppose potentially some listeners out there might be a little nervous about the transition,” acknowledges Danny. “There’s always some nerves that come with a transition, but I wouldn’t be that nervous. If you haven’t obtained a copy of the ISO 27002:2022 standard, certainly do so. Once you read through it, I think you’ll be pleasantly surprised. Once you sort everything out, and hopefully this podcast will help you do that, you’ll feel like this is a pretty achievable thing. It’s not something to be scared of.”
The full podcast episode is available here.
Want more details on how the upcoming ISO 27001 amendment could impact your organization’s ISMS? John Verry explains what you can expect in this blog post: What the New ISO 27001:2021 Release Will Mean to You