Last Updated on February 23, 2024
ISO 27001:2022—What is the Level of Transition Effort?
How much work will it take to transition an information security management system (ISMS) certified to ISO 27001:2013 to the new ISO 27001:2022 guidance?
Organizations that have robust security postures today are probably already accounting in some way for many of the 11 new Annex A controls. Thus, the new standard could be more of a “documentation/formalization exercise” than a significant change to how you conduct operations.
Expect widespread policy changes
Especially if you have reference sections in your policies, many will need at least a few changes to accommodate the 11 new controls. In the case of configuration management, you might need to overhaul the associated policy or policies (e.g., secure development, network management) completely.
Also, you’ll need to update your Statement of Applicability (SOA) to align it with the new Annex A controls.
But remember that the ISO 27001 Annex A and ISO 27002 guidance is just that—guidance. It’s not intended to be prescriptive even though it sometimes reads that way. It’s something to consider, not instructions. Nevertheless, you’ll need to rationalize your thought process with your auditor around why you did or didn’t implement a control. If you think your argument would convince a knowledgeable colleague, you should be fine at audit time.
Transition planning
What’s the most efficient and effective path to achieve your ISO 27001:2022 transition?
Pivot Point Security is recommending one of two approaches for most clients:
- Expand the scope of your ISMS internal audit by one-half to one day to add a third-party gap assessment against the 11 new controls. Then create a separate transition plan describing what needs to change in your environment, which you can use with or without consulting services to implement the transition.
- Leverage consulting services to undertake a comprehensive gap assessment plus a refresh of your risk assessment, which in turn will help update your policies.
Another area of transitional focus will likely be risk management. To that end, ISO 27005, Information technology – cybersecurity and privacy protection – Guidance on managing information security risks was also updated in 2022. This 62-page document describes best practices for information security risk management in support of the concepts and constructs in ISO 27001. Its purpose is to help ISO 27001 certified companies comply with the standard regarding activities to address risk.
What’s next?
For more guidance on this topic, listen to Episode 118 of The Virtual CISO Podcast with guest Andrew Frost from Pivot Point Security.