Reduced from 114 in ISO 27001:2013
Controls are now grouped under themes rather than clauses
Controls have 5 attributes for easier categorisation
For organisations to transition to ISO 27001:2022
2022 has been one of the most critical years for global cybersecurity. Services at several centres of the UK’s NHS were affected by a cyber attack on a supplier. One of Australia’s leading medical insurance providers was hit by an attack that compromised intimate personal information of nearly all its customers.
Ransomware attacks were at an all-time high. And in a first for the industry, the former CISO of a listed company, was convicted for the organisational response to a data breach.
If anyone needed any reminders about handling sensitive information with utmost caution or improving their security operations, this year has definitely taken care of that.
The Information Security Management Standard (ISMS) ISO 27001 and its accompanying ISO 27002 standards were originally published in 2005. They were published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
The goal was to enable organisations to implement a stronger cybersecurity framework. This could improve risk management and better protect critical infrastructure and sensitive data.
The ISO 27001 certification is a demonstration of the fact that the business’s information security management system (ISMS) is aligned with global best practices.
Being ISO 27001 certified also lays a foundation for other compliance requirements with laws like the EU GDPR and the NIS Directive. This is not only important for your business reputation and credibility. It can also save compliance costs in case you are breached and/or attacked.
ISO 27001 defines the requirements for building the foundation of an ISMS (Information Security Management System). ISO 27002 provides guidance & details on implementation of Annex A controls.
ISO 27001 was first published in 2005 and it was later revised in 2013. The information security management standard has been updated again in 2022. It is now being commonly referred to as ISO 27001:2022.
First off, let’s address the elephant in the room - Why have the standards been updated?
The answer lies pretty much in your news headlines. Just take a look at this list of cyber- attacks in October 2022. You’ll get a pretty good idea of how dangerous the cyber landscape is getting every day.
Cyber criminals are always working on new tactics and techniques to attack your business, your data and your crown jewels. As we shift more and more to the digital world, the threat landscape increases by the minute. Add the anonymity that cryptocurrency offers to ransomware criminals and you have a cybersecurity disaster brewing every day.
And no, this is not fear mongering - it’s the truth!
The ISO 27001 standard and its code of practice the ISO 27002 have been updated to address this new ominous reality. The update is intended to ensure that businesses evolve their cyber postures and update technologies in sync with the escalating information security risks.
Are you already working on getting your ISO 27001:2013 certification? Don’t stress over the fact that all the work you’ve done so far has been wasted.
In fact, certification bodies are unlikely to give ISO 27001:2022 certifications for at least 6 months from October, 2022.
Also, ISO 27001:2013 will not be fully retired for at least three years so you’re good for now.
Organisations which are already certified with the ISO 27001:2013 standard will be given a three-year transition period to upgrade their Information Security Management system. You can upgrade during your upcoming surveillance or re-certification audit.
It is important to keep an eye out for when the new certifications begin and then you might want to expedite your transition. Our Virtual Cyber Assistants can help you update or align your security processes to accommodate the new compliance requirements and revised controls quickly and conveniently.
Essentially, there’s no point in rushing to upgrade/transition to the new standard. But it is advisable to start thinking about it immediately. Start evaluating how you can better integrate your security processes with the ISO 27001:2022 standard.
However, on September 29, 2025, all existing ISO 27001 certificates issued under the 2013 revision will expire regardless of the expiration date on the certificate.
Simply put - the approach should be methodical and not haphazard. There is still time for the ISO IEC 27001:2013 standard to fully retire.
Start by conducting Gap/Readiness assessments for your business. Then, familiarise yourself with the new controls as well as the categorisation attributes. This can help you focus on your implementations better.
Here are some of first few steps you’ll have to look at while transitioning:
Our Virtual Cyber Assistants can support you at all phases of the certification and/or transition. Our Virtual Cyber Assistants can:
|ISO/IEC 27001:2022||Changes in ISO 27001:2022|
|New Changes in ISO 27001||ISO/IEC 27001:2022 PDF|
|ISO/IEC 27002:2022 Standard||ISO 27002:2022 PDF|
|ISO/IEC 27002:2022||ISO/IEC 27005:2022|
|Learn more about ISO/IEC 27001:2022|
|Revision 5 Control Mappings to ISO/IEC 27001|
|SC27 STANDING DOCUMENT SD11: 2022 (2)|
|SC27 STANDING DOCUMENT SD11: 2022 (2)|
Why not find out more about our highly cost-effective & remote Virtual Cyber Assistant & Virtual Cyber Consultant services and see if they fit your requirements?