ISO 27001:2022 amendment – what you need to know now
ISO/IEC 27001:2022 has now been released. You can read updated advice following the release here.
Following the release of the official ISO 27002:2022 supporting standard revision on 15th February, there’s been a heightened interest in what updates will follow for the ISO 27001:2022 main standard amendment. So we sat down with our Head of Compliance, Kerry Jones, to get more information on what changes are being predicted in the amendment and what customers need to be doing now in view of these changes.
The key change to ISO 27002 controls was a reduction from 114 controls to a more consolidated 93, including 11 new controls being added. While there isn’t an official amendment to ISO 27001 released at the time of writing, the supporting standard updates give some insight into how the main standard will align, which is what we’ll share here so you can be prepared and plan your ISO implementation accordingly.
The good news is that the main parts of ISO 27001 – clauses 4-10 – are not changing. These clauses include the scope, interested parties, context, Information Security Policy, risk management, resources, training and awareness, communication, documentation control, monitoring and measurement, internal audit, management review, and corrective actions. The main change concerns updates to Annex A, which will bring the main standard in line with the changes to ISO 27002. In general, it looks like the changes are intended to make implementation simpler. For anyone more familiar with the specifics of the ISO 27001 standard, the guidance here is that you are predicted to need to follow the requirements of 6.1.2 and 6.1.3 (risk assessment and risk treatment) and update the Statement of Applicability (SOA) to justify the inclusion or exclusion of each control.
From discussions with BSI, it’s expected that the ISO 27001:2022 amendment will be released in Q2-Q3 2022. If you’re in the middle of an ISO 27001 implementation, then you should continue to use the existing controls. As this is an amendment and not a full revision, the changes will be moderate, and you’ll have time to transition your documentation to the new controls. It’s been predicted that there will be a period of 2 years to comply with the new changes. If you’re currently considering ISO 27001, then you should also continue with your implementation, or start it as planned, using the existing controls. You’ll have the same transition period to update documentation, and no new audits will need to be scheduled. The certification organisation will check that you’ve transitioned to the new controls and documentation requirements as part of the usual surveillance audits that follow certification.
Kerry and her team are keeping in close contact with BSI and are staying abreast of developments and release dates for the ISO 27001:2022 amendment. We understand that updates and amendments to controls can cause additional and unexpected workload for your team. If you need any support with your existing ISO 27001 maintenance or with a new ISO 27001 implementation, then we can provide you with a fully managed service, taking you step by step through the entire process, from an initial gap analysis and implementation right up to the certification stage 2 audit. Not only that, but once you’ve achieved your certification, Kerry and her team will continue to provide support and advice, ensuring you remain compliant and meet the new ISO 27001 amendment requirements. Get in contact if you need any support.