ISO 27001:2022 was released earlier this year and supersedes ISO 27001:2013. Our world and technology landscape has changed substantially in the past nine years, and the latest changes to ISO 27001 reflect those external influences. This article provides an overview of what’s new, the rollout and adoption schedule, the scope of the changes, and how organizations can get ready for a successful upgrade to ISO 27001:2022. Related: Guide to ISO 27001
If you’d like to learn more about what ISO 27001 is and the benefits of getting certified, check out our article that covers the basics.
A Changed World
Since the initial release of ISO 27001, the threat actor economy has diversified substantially, with both criminal groups and nation states developing and selling offensive cyber products and cyber surveillance solutions. In response, cybersecurity experts have documented and developed best practices and actionable guidance for organizations to effectively manage their cybersecurity risks.
Although ISO 27001 saw minor wording changes in 2014, 2015, and 2017, these were not widely adopted in all countries and did not adequately document emerging or effective cybersecurity controls. ISO 27001:2022 on the other hand provides a risk-based reference set of information security, cybersecurity, and privacy controls that have been adopted by modern organizations as part of deploying cloud technologies and addressing data protection requirements driven by GDPR.
When You Should Upgrade to ISO 27001:2022
ISO 27001:2022 provides a generous three-year schedule for organizations to complete the required documentation and procedural changes:
- Organizations that are currently seeking certification for ISO 27001:2013 have until April 2024 to complete their certifications.
- All organizations seeking ISO 27001:2022 certification will need to complete their certification by October 2025.
- On November 1, 2025, all ISO 27001:2013 certificates will be withdrawn and considered to be expired regardless of the printed expiration date.
In practical terms, this means that organizations that plan on finishing their ISO 27001:2013 certifications soon should continue on that path while being mindful of the short gap between April 2024 and October 2025 to certify against the new and merged controls in ISO 27001:2022.
How big is the change from ISO 27001:2013 to ISO 27001:2022?
ISO 27001:2022 is still based on the plan-do-check-act cycle to drive continuous improvement initially laid out in ISO 27001:2013. There are minor changes in the main part of the standard and no controls were removed. Changes in Annex A are moderate in scope.
ISO 27001:2022 reduces the number of control domains from fourteen to four control categories or themes – people, technological, organizational, and physical. These changes to the categories make it substantially easier to cross-reference controls with other trustworthy frameworks, such as the NIST Cybersecurity Framework (CSF), and the Center for Internet Security’s Critical Security Controls (CIS-CSC). 75% of the controls in ISO 27001:2022 are either organizational or technological in nature.
Organizations will need to implement most, if not all, of the controls documented in Annex A, including the eleven new controls. The only exceptions will be if the controls are not applicable. For example, if an organization did not perform development activities, the controls specifically related to development could be omitted. Organizations can refer to Annex B of ISO 27001:2022 for a two-way mapping of 2022 to 2013.
5 Steps to Take When Getting Ready to Upgrade to ISO 27001:2022
Other modern cybersecurity frameworks have seen both minor and major improvements in the past decade, and an organization’s prior experiences with these upgrades can provide an easy roadmap for organizations seeking to upgrade their ISO 27001 program. We’ve broken it down into five simple steps:
- Acquire a copy of the new framework
- Conduct a readiness and gap assessment
- Develop a project plan to address the gaps
- Address the gaps
- Conduct an internal review and apply for certification
More on these steps below.
1. Acquire a Copy of the New Framework
ISO 27001:2022 is not available for public distribution and organizations will need to acquire a license for ISO 27001:2022 as part of preparing for their upgrade. Once licensed, organizations should load the new framework as a new program in their existing Governance, Risk, and Compliance (GRC) solution. Organizations should plan on maintaining their existing ISO 27001:2013 program in parallel with their ISO 27001:2022 program until they have attained an updated certification. Ideally, you should have a GRC solution in place that automatically maps the controls and requirements from the older version to the newer version so analysts can focus on what’s new or changed.
2. Conduct a Readiness and Gap Assessment
The next step is for organizations to conduct a readiness or gap assessment. Organizations should expect that there will be gaps, as there are 11 new controls defined in ISO 27001:2022. While organizations may already be performing these controls as part of adhering to another modern cybersecurity framework, they may not have documented them as part of their ISO compliance activities. As such, organizations should plan on reusing relevant controls from other implemented cybersecurity frameworks to satisfy the majority of the new control requirements. For reference, organizations can refer to ISO 27002 to understand the purpose and objectives of new controls, how each control works, and how the controls can be implemented.
3. Develop a Project Plan to Address the Gaps
Once organizations have completed an internal gap assessment, they should develop a project plan to develop and document the changes to existing controls or to support the development and deployment of new controls. Working backwards from their existing ISO 27001:2013 certification expiration date or the October 2025 cut-off date is helpful for planning purposes. Organizations should consider front-loading activities if feasible as there may be a last-minute rush by organizations that delay their certification application until 2025.
4. Address the Gaps
As a part of closing the identified gaps, organizations must update their documentation and deploy new or updated technical controls, as necessary. Although much of the industry focus has been on Annex A, organizations must continue to address clauses 4 through 10. Similarly, organizations must update their risk assessment and risk treatment plans with the new or updated controls, and update their Statement of Applicability (SoA) to reflect new and merged controls.
5. Conduct an Internal Review and Apply for Certification
Finally, we recommend that organizations conduct an internal audit and management review of their entire ISO 27001:2022 program prior to applying for certification. This will reduce the likelihood of material findings that could cause delays or rework. Once any additional changes or documentation improvements identified by the management review are complete, organizations should apply for certification by an accredited ISO audit firm. Depending on when an organization is applying, this may require some patience due to the availability of audit personnel. After a successful audit, organizations will be awarded their updated certification to ISO 27001:2022 and should plan for annual surveillance reviews to show that the organization remains committed to meeting the requirements of the certification.
Automate This Process With Hyperproof
All of the above steps are bound to take some time, but with the right GRC tool, you can automate many of them. Hyperproof automatically maps existing controls from your ISO 27001:2013 program to your ISO 27001:2022 program and includes actionable guidance on how to implement the remaining controls. Hyperproof can save you countless hours compared to clunky solutions like spreadsheets, and the platform helps teams focus on managing upgrade projects successfully instead of worrying about manual processes.
Want to learn more? Get in touch!
Monthly Newsletter