ISO 27001:2022 TRANSITION Update

Why you may need to prioritize the 2022 update from 2013!

As of 30th April 2024, certification bodies can longer offer certification or recertification to the 2013 version of ISO 27001.

We therefore have to ponder on the following 3 key questions:

Q1.) If your organization has recently completed implementation under the 2013 version and was preparing for certification, what does this mean?

You will need to transition the ISMS to version 2022 for you to get certification. No initial certification will be done against version 2013.

Q2.) What if your ISMS is due for the 1st or 2nd surveillance audit under the 2013 version?

Surveillance audits under the 2013 version will remain possible until October 2025. You have until this deadline to complete the transition to the 2022 version.

Q3.) What if your ISMS is due for recertification after the surveillance audits?

You must transition your ISMS to the 2022 version before the recertification audit, even if it is scheduled for this year, 2024. Certification bodies will not recertify ISMS against the 2013 version.

Therefore, we strongly recommend starting the adoption of the 2022 Standard as soon as possible.

Significant changes you should expect during the transition

  • Clause 4.2 Understanding the Needs and Expectations of Interested Parties: A new sub clause was introduced mandating an assessment of which interested party requirements will be addressed via the ISMS.
  • Clause 4.4 Information Security Management System: Added language now necessitates that organizations identify essential processes and their interactions within the ISMS. Essentially, the ISMS must encompass the foundational processes supporting it, beyond those explicitly mentioned in the Standard.
  • Clause 6.2 Information Security Objectives and Planning to Achieve Them: The updated version now provides extra guidance regarding information security objectives, offering clearer directives on their regular monitoring and formal documentation.
  • Clause 5.3 Organizational Roles, Responsibilities, and Authorities: A minor revision in the wording provided clarification that communication of roles relevant to information security are to be communicated within the organization.
  • Clause 7.4 Communication: Subclauses a-c remain the same. But subclauses d (who should communicate) and e (the process by which communication should be affected) have been simplified and combined into a newly renamed subclause d (how to communicate).
  • Clause 9.2 Internal Audit: This clause was changed, but not materially. It essentially just combined what already existed between Clause 9.2.1 and 9.2.2 into one section.
  • Clause 9.3 Management Review: A new item was added to clarify that the organization’s management review shall include consideration of any changes to the needs and expectations of interested parties. It’s important to note any changes, as they are instrumental to the scope of the ISMS that’s determined in Clause 4 (and based on those needs and expectations). For example, if an organization’s Board of Directors wants to go public, organizations must consider how the change in priorities would impact the ISMS.
  • Clause 10 Improvement: Structural changes to this clause now list Continual Improvement (10.1) first, and Nonconformity and Corrective Action (10.2) second.

Changes in the structure of Annex A

Coming from the 144 controls in Annex A of version 2013, version 2022 has 93 controls spread across these themes:

  • People controls (8 controls)
  • Organizational controls (37 controls)
  • Technological controls (34 controls)
  • Physical controls (14 controls)

There are 11 new controls introduced to the Annex A that the organisation will need to implement accordingly.

In summary, transition to ISO27001 version 2022 will entail the following:

  • Review and update of the management system documentation to address the changes in the new standard
  • Competence and awareness on the new requirements
  • Risk assessment and implementation of the new controls (Annex A), where applicable.
  • Update of the statement of applicability
  • Conduct a management review of the ISMS
  • Conduct an audit against the new version

What therefore is the best Way Forward?

As organizations embark on the journey towards transitioning from the 2013 to the 2022 version of ISO 27001, proactive steps are imperative to ensure compliance and resilience in the face of evolving security challenges. By comprehending the implications, embracing the transition, and taking decisive action, organizations can fortify their information security management systems for the future. Embracing the 2022 Standard today is not just about meeting regulatory requirements; it’s about safeguarding the integrity and security of your organization’s data assets.

As organizations embark on the journey towards transitioning from the 2013 to the 2022 version of ISO 27001, proactive steps are imperative to ensure compliance and resilience in the face of evolving security challenges. By comprehending the implications, embracing the transition, and taking decisive action, organizations can fortify their information security management systems for the future. Embracing the 2022 Standard today is not just about meeting regulatory requirements; it’s about safeguarding the integrity and security of your organization’s data assets.

Written by Mueni Faith, Head of Projects at Sentinel Africa Consulting.

Donload the PDF Article below – ISO 27001:2022 TRANSITION Update

Key-Update-on-ISO-270012022-Transition-2Download

No comments yet

Latest Posts

×

Hello, Thank you for contacting Sentinel Africa. How may i assist you?

Sentinel Africa Consulting

× WhatsApp