Everything you need to know about ISO 27001:2022
The transition to ISO 27001:2022: what is changing and what does it mean for your organization?
Why an ISO 27001 certificate?
Within the ISO standards world, it is customary to assess every five years whether a standard should be revised. ISO 27001, widely regarded as the standard for information security management, last received a content update in 2013. The time for a revision has now come, and this page walks you through what the new ISO 27001 brings.
ISO 27001:2013, as we know it
ISO 27001 is one of the most highly regarded and globally used standards for information security. It is an international standard that describes the requirements for an Information Security Management System (ISMS). An ISMS is a structured framework of policies, procedures, processes and systems used to manage and protect information security.
The now superseded version, ISO/IEC 27001:2013, sets out the requirements that an ISMS must meet. These include identifying information security risks, establishing security controls and monitoring performance. By complying with ISO/IEC 27001:2013, organizations can improve their information security processes, protect their data and increase customer confidence. The standard applies to all types of organizations, regardless of size, location or industry.
The new ISO 27001 standard
As developments in the field of security move at a rapid pace, security standards are normally updated every few years. It is therefore striking that the previous version of ISO 27001 dates from 2013 and went ten years without a content update. Now, exactly ten years later, a new version has arrived. Meet ISO 27001:2022.
The main changes in ISO 27001
The new version, ISO/IEC 27001:2022, addresses the new challenges facing organizations. The main body of the standard (clauses 4 to 10) received only minor wording changes; the real changes are found in Annex A, which has been aligned with ISO/IEC 27002:2022, published earlier that year. In this Annex A, security controls have been added, removed or merged: the 114 controls in 14 domains of the 2013 version have become 93 controls grouped into four themes (organizational, people, physical and technological). The changes now explicitly cover cybersecurity and privacy, while control wording has been refreshed and additional guidance has been added. This helps organizations manage risk and ensure nothing is overlooked. Considering that the previous version dates back to 2013, there have been quite a few changes to the security controls: 11 new controls, 58 updated controls and 24 controls formed by merging 57 existing ones. A few examples of the changing scenarios being addressed:
- The adoption of digital technologies, such as cloud and automation.
- The recent, accelerated uptake of these technologies.
- The recognition of cybersecurity and privacy risks.
- Reflecting the changing threat landscape, for example, with new types of malware and ransomware.
- Aligning with other best practices, such as NIST, COBIT, etc.
- Updating control language and adding additional guidance.
The key areas affected by these changes are:
- Leadership
- Business security
- IT function
- Delivery
Transition period ISO/IEC 27001:2022
In short, with the changes introduced by ISO/IEC 27001:2022, organizations must re-evaluate their risk assessments and re-establish their security controls, which also means updating the Statement of Applicability against the new Annex A. What does that mean for your organization?
On 25 October 2022, the new version of ISO/IEC 27001 was published. A three-year transition period applies: existing certificates must be transitioned to the new version by 1 November 2025. After October 2023, initial certification and recertification against the 2013 version are no longer possible. From then on, the transition is assessed during the next scheduled audit, but it can also be brought forward as a dedicated transition audit.
Does your organization need to re-evaluate its risk assessments and re-establish its security controls? If so, you have a transition period of three years. The transition to ISO 27001:2022 can take place either at recertification or at the annual surveillance audit. At OpenSight, we are happy to help you certify to the new standard.
5 steps you can take to transition to ISO/IEC 27001:2022
- Become familiar with the content and requirements of the new version:
It is critical that you familiarize yourself with the new version of ISO/IEC 27001 and understand what has changed compared with the previous version, and what those changes mean in practice. Is your organization already certified to the 2013 version? Then focus mainly on the changes the revision brings. These are mainly in ISO 27002, i.e. ISO 27001 Annex A.
- Train your staff:
We cannot say it often enough: make sure all employees in your organization are trained and understand the key changes and requirements. This ensures that the entire team is up to speed on the new guidelines and practices.
- Perform a gap analysis:
To meet the new requirements, use a gap analysis to identify where your organization already complies and where adjustments or additions are needed.
- Establish an implementation plan:
Based on the findings of the gap analysis, create a plan to meet the new requirements. Define concrete actions and set clear deadlines for implementing them. Talk the talk, walk the walk.
- Update your management system:
After carrying out the actions in the plan, update your management system to meet the new requirements. This may mean modifying existing processes or implementing new ones. Make sure you document these changes properly and communicate them within your organization.
To make the transition to the new standard as smooth as possible, it is very important to start preparing in good time. By following these steps you ensure that you meet the new requirements and that your certificate is renewed on time. The experts at OpenSight are always ready to help with questions or advice.
OpenSight
Calling in a specialist is the wisest choice and saves a lot of time. The knowledge and experience of a specialist ensure a worry-free process. Note that the certificate itself is always issued by an independent, accredited certification body, so an independent auditor must be appointed in addition to your consultant. By taking OpenSight as a partner, you can be sure that the knowledge and experience are there to make the process run as well as possible. Thanks to our specialized knowledge and experience in cybersecurity, you are in the best possible position to obtain the ISO 27001 certificate.
Knowledge
OpenSight has been working on cybersecurity for companies for years. What started as an interest grew into a passion and eventually into a company offering a full range of services.
Experience
Numerous companies have previously partnered with OpenSight and as a result have achieved great successes regarding cybersecurity. From improved business processes to certifications and from consulting to implementations.
Documentation
Clear and accurate documentation is the foundation of cybersecurity: from the plan of action and checkpoints to recording the incidents that have occurred and how they were resolved. In fact, most of this documentation is required for achieving and maintaining certification. It also increases visibility into the progress and status of the management system.
Time Saving
With compliance software and help from OpenSight, you can minimize the pressure on your organization and save an enormous amount of time. Consider, for example, recurring tasks that are scheduled automatically at the set frequency, and other automations.
Integrations
Integrations with Microsoft Teams or Slack are frequently requested options. This allows tasks arising from management to be distributed within the organization. From our experience, many organizations benefit from using such integrations and maintaining, for example, their ISO 27001 management system. OpenSight can provide this.
Download the ISO 27001:2022 transition brochure
In short, with OpenSight’s service you can easily complete your certification or transition to ISO 27001:2022. You get access to experienced experts, independent advice and practical support in implementing security measures and management systems. Fill in your details below to download the brochure and find out how our ISO service can help your organization.