New ISO/IEC 27001:2022 version released
The new and improved version of the ISO/IEC 27001 main standard has now been published. The 2022 updates to the internationally recognised standard have been designed to “address global cyber security challenges and improve digital trust”, as stated by ISO (International Organization for Standardization) themselves.
With the global landscape changing, new business practices such as remote working and BYOD (Bring Your Own Device) becoming commonplace, and cyberattacks at an all-time high, it’s essential that companies ensure their data and assets are secure.
To do this, organisations must enhance their resilience with threat mitigation efforts. The holistic nature of the ISO 27001:2022 standard, which covers the entire organisation and not just the IT function, means people, process and technology are considered as a whole. This ensures organisation-wide protection against evolving security threats.
As predicted following the release of the ISO 27001:2022 supporting standard revision, the most significant change to the Standard is to Annex A. The key change in the ISO 27001:2022 version of the information security standard – now titled ‘Information Security, Cybersecurity and Privacy Protection’ – is a reduction in controls, from 144 to a more consolidated 93. Some controls have been removed and others merged. There are also 11 new controls, as expected. The controls have now been organised into four categories – organisational controls, people controls, physical controls and technological controls.
The main part of the ISO 27001 information security requirements remains the same. This applies to clauses 4–10, which cover: scope, interested parties, context, Information Security Policy, risk management, resources, training and awareness, communication, documentation control, monitoring and measurement, internal audit, management review, and corrective actions.
The good news is that the changes to the ISO 27001 standard look set to make implementation of the information security management system (ISMS) simpler. This will remove obstacles around ISO 27001 certification for any organisation yet to start its ISO implementation journey.
We have advice from DigitalXRAID’s own Head of Compliance, Kerry Jones, for any organisations that are in the middle of an ISO 27001 implementation and certification, or anyone looking to start their ISO journey to certification now.
Organisations with existing ISO 27001:2013 certification will have up to three years to transition and comply with the new standard.
For anyone who is in the middle of an ISO implementation, you have time to transition to the new controls. The changes are an amendment to the ISO 27001 controls rather than a full revision, so the impact of the transition should only be moderate. If you are close to certification, our advice is to continue with your existing controls. You will still have up to 3 years to transition your documentation to comply with the new controls. Your certification body will be able to monitor your transition to the new controls as part of its regular surveillance audits following certification.
We understand that any updates to controls are cause for concern as they can bring additional workload for your team. If you need support in your transition, then DigitalXRAID can provide a fully managed ISO 27001 service to take you step-by-step through the changes.
If you’re looking at a new ISO 27001 implementation, then DigitalXRAID’s fully managed ISO 27001 certification service will take the pain away, guiding you through the new controls and taking you step-by-step through the entire implementation process through to certification. The managed service includes an initial gap analysis and implementation, right up to the certification stage 2 audit. Not only that, but once certification has been achieved, Kerry and team will continue to provide support and advice, ensuring you remain compliant with ISO 27001 requirements into the future.
Get in contact if we can be of any help.