Last Updated on January 2, 2024
ISO 27001:2022 updates the global “gold standard” for third-party certified information security frameworks to reflect significant shifts in technology, threats, and operational trends since its last revision in 2013.
All certified organizations must complete the transition from ISO 27001:2013 to ISO 27001:2022 not later than October 31, 2025. The changes are notable and will require planning, training, and resources.
This post overviews what has changed, explains how the changes could impact your ISO 27001 information security management system (ISMS), and shares best practices to prepare for your ISO 27001:2022 certification audit—including when to undergo it.
What is ISO/IEC 27001:2022?
ISO 27001:2022 is the latest version of the ISO/IEC 27001 standard first published in 2005 and updated in 2013. It defines requirements and other guidance that enables organizations to build, certify, maintain, and continuously improve a best-practice information security management system (ISMS).
ISO 27001:2022 is suitable for companies of any size and across all verticals. Compliance with ISO 27001: 2022 means that an organization has put in place a system to manage applicable data security risks.
Why is ISO/IEC 27001:2022 important?
With attacks always on the rise and new threats emerging constantly, many organizations struggle to effectively manage their cyber risk. ISO 27001:2022 requires organizations to leverage risk management and gain the ability to proactively identify and mitigate risks and vulnerabilities.
ISO 27001 takes a holistic approach that includes not just technical controls but also people, policies, and procedures. An ISO 27001 certified ISMS supports cyber-resilience, operational excellence, and greater stakeholder trust—adding up to a competitive edge.
Because it addresses today’s new and increasingly sophisticated cyber-threats, achieving certification against ISO 27001:2022 will help ensure that organizations can continue to protect their sensitive data as well as their competitive advantage.
What are the most significant changes in ISO 27001:2022?
Among the most important changes that ISO 27001:2013 certified businesses will need to incorporate as they move to ISO 27001:2022 include:
- A reduction in the total number of controls from 114 to 93 due to deleting, merging, and revising existing controls along with adding 11 new controls.
- A consolidation of the control structure from 14 areas/subsets to 4—Organizational, People, Physical, and Technological.
- Introducing the concept of attributes to help companies better understand their security postures and identify gaps. The five classes attributes assignable to controls, often written as hashtags, are:
- Control type (#preventive, #detective, #corrective)
- Information security properties (#confidentiality, #integrity, #availability)
- Cybersecurity concepts (#identify, #detect, #respond)
- Operational capabilities (#threat management, #vulnerability management)
- Security domains (#defense, #resilience)
- The new clause 6.3 – Planning of changes, which is about how you manage changes to your ISMS. Clause 6.3 simply states, “When the organization determines the need for changes to the ISMS, the changes shall be carried out in a planned manner.” Generally, this would involve action by your information security management committee (ISMC).
- Greater emphasis on trending security areas like cloud security, threat intelligence, configuration management, and secure coding.
While the overall level of change is substantial, many ISO 27001 certified businesses will have already adapted their ISMSs to cover most of the new control requirements in the 2022 update.
Why do we need an ISO 27001:2022 transition plan?
One of the key steps for any organization moving to ISO 27001:2022 is gap analysis and transition planning. A transition plan is a critical new ISMS artifact that auditors will want to see.
Questions to address in your transition plan include: Which new controls did you deem applicable, and which not? Which of the applicable controls have you operationalized already, and which not? What are your plans and timelines for implementing any missing controls? For operationalized controls, what artifacts do you have that demonstrate their operation and effectiveness for auditors and other stakeholders?
As part of your transition, you’ll also need to update your risk assessment and statement of applicability (SOA) so these reflect the standard’s new control structure and control numbering. Applying the new control attributes within your SOA is also recommended.
As you make changes to your policies and other ISO 27001 artifacts, your mantra should be, “Say what you do and do what you say.”
You can find details on how to document your transition to ISO 27001:2022 in the International Accreditation Forum Mandatory Document MD 26:2022, “Transition Requirements for ISO/IEC 27001:2022.”
What does ISO 27001:2022 require for threat intelligence?
One of the cybersecurity areas that gets increased emphasis with ISO 27001:2022 is threat intelligence. There is considerable buzz about this change and its potential impacts.
Based on experience to date with supporting CBIZ Pivot Point Security client transitions to ISO 27001:2022, most third-party auditors are viewing the new threat intelligence requirements in terms of three control areas:
- Vulnerability management (scanning)
- Patch management
- Alerting and monitoring
Are you proactively managing threats versus reacting when an issue is discovered? Proactive threat intelligence includes not just awareness of known threats, but also the ability to identify or monitor emerging threats. What threats are trending? What attacks are others seeing?
Dark web monitoring is an example of this capability. Another is communication with threat monitoring organizations, including industry peers.
Keep in mind that, while you must take a risk-based approach to your ISMS, ISO 27001 is not prescriptive. If your organization can justify not doing threat monitoring based on its risk assessment and risk management programs, the standard does not require you to implement it.
When should we move to ISO 27001:2022?
Companies that are certified against ISO 27001:2013 must align with ISO 27001:2022 version by October 31, 2025 at the latest. But many firms will want to move sooner, depending on factors like:
- Your recertification cadence. ISO 27001 requires an external recertification audit every three years. The next time you need to recertify, you’ll need to comply with ISO 27001:2022.
- Your customer expectations and other business requirements. Are stakeholders asking about your plans for transitioning? Updating your ISMS to ISO 27001:2022 sooner can boost your competitive differentiation by attesting to compliance with an updated control set.
For more guidance on this topic, listen to Episode 128 of The Virtual CISO Podcast with guests Andrew Frost and Leigh Ronczka from CBIZ Pivot Point Security.