Last Updated on August 20, 2024
When Should You Move to ISO 27001:2022?
The new ISO 27001:2022 information security standard was finalized in October 2022, and businesses that are pursuing or maintaining an ISO 27001 certification will need to conform to the new version. What is the ideal timeline for updating your information security management system (ISMS) based on your (re)certification cadence and other key deadlines? What are best practices for moving to ISO 27001:2022 and what common problems should you be aware of?
Danny Manimbo and Ryan Mackie, principals at Schellman, cover all the angles around when and how to move to ISO 27001:2022.
Join us as we discuss:
- The vital importance of risk assessment and risk management for ISO 27001:2022 certification
- Major areas that auditors will focus on during ISO 27001:2022 recertification and surveillance audits
- Why you may not want to wait until the last minute to update your ISMS to align with ISO 27001:2022
When will auditors be ready to certify you?
Now that ISO 27001:2022 is available, all the players in the ISO 27001 ecosystem, including the certification bodies that perform audits, need to make changes to align with the new guidance.
The accreditation bodies that assess certification bodies like Schellman have until April 2023 to prepare. In parallel with that process, certification bodies have until October 2023 to complete their transition to the ISO 27001:2022 audit format.
Meanwhile, orgs seeking certification against the new ISO 27001 version need to make that happen by October 31, 2025, if not sooner based on their recertification cadence. After that date, ISO 27001:2013 certifications will be invalid.
What about firms seeking their initial ISO 27001 certification?
If you’re working towards an ISO 27001 certification today, chances are you’ve been aligning with the 2013 version of the standard while keeping one eye on the new version. But which version should you get certified on?
“The recommendation is that even if you started with the 2013 version, transition right now before your certification audit so you don’t have to go through a transition audit after you get certified,” Ryan recommends. “Regardless of when your Stage 1 or Stage 2 audit will be, start that process now to really get on that 2022 version.”
How does ISO 27001:2022 impact related standards?
All the standards in the ISO 27000 “family,” including the ISO 27701 privacy extension and the ISO 27017 cloud services controls, reference ISO 27001’s Annex A controls. Therefore, ISO 27001:2022, as well as the updated ISO 27002:2022 control guidance, have various impacts on these related ISO standards.
Changes to control mappings and potentially other areas in non-ISO cybersecurity frameworks that reference ISO 27001, such as CSA STAR and SOC 2, may also be planned or underway.
“Without those standards subsequently being updated, they’re basically pointing back to what will eventually be a standard that has been superseded by ISO 27001:2022,” Danny notes.
Reasons to move to ISO 27001:2022 sooner
Companies that are certified against ISO 27001:2013 must align with the ISO 27001:2022 version by October 31, 2025 at the absolute latest. Many orgs will need to move sooner, depending on their recertification cadence.
But why wait? There are several compelling reasons to update your ISMS, including:
- Enhanced built-in support for risk assessment via the “attributes” concept in ISO 27002:2022
- Potential competitive differentiation and a stronger security attestation for stakeholders, based on implementing the updated control set
- A stronger security posture driven not only by updated controls but also the process of reexamining your ISMS
“I think there is going to be a lot of chatter in the market space,” asserts Danny. “I think a lot of questions will start getting asked, whether it’s business partners, suppliers, prospects, or current customers, about ‘What are your plans for transitioning?’”
Key areas of focus for auditors
Companies preparing for a certification, recertification, or surveillance audit against ISO 27001:2022 should be prepared for new points of emphasis in the audit process.
One key area will be your risk assessment and how this follows through across your ISMS, including your Statement of Applicability (SOA), internal audit results, and other key documentation.
“One of the things obviously that we’re looking for in any audit is how somebody might have incorporated changes within their certified management system,” explains Ryan, “So, if they move from on-prem to the cloud or whatever it might be, can they demonstrate that their risk assessment scaled accordingly?”
For firms that are updating an existing ISO 27001:2013 certification to ISO 27001:2022, changes based on the new control set will be another focal point.
“At a minimum we would be looking at those 11 net new controls [in Annex A],” Danny describes. “Whether you’re doing a surveillance or recertification audit, I think there’s a lot of ‘nerves’ out there that when that transition occurs, we’re going to be auditing 100% of the controls. … But that is not the case.”
Pitfalls to watch out for
As companies conform to ISO 27001:2022, they may stumble upon a few “gotchas” along the way.
A common issue that Ryan and Danny have noted with clients is a tendency to make a snap judgement about whether a new control is applicable to them based just on the control name. It’s better to “keep calm” and review the complete guidance for the control in ISO 27002:2022 before deciding what’s applicable.
“Data loss prevention is one that I’ve had more than one client tell me immediately is not going to be applicable to them,” Ryan recounts. “And when I ask them why, they say it’s because they have to implement a DLP [solution]. Because that’s the only way they can demonstrate compliance. … But if you read the implementation guidance in ISO 27002, it’s paragraphs and paragraphs. If there was one thing that you needed, it would just say that.”
Inadequate transition planning is another area of concern. It’s helpful for businesses moving to ISO 27001:2022 to get a copy of Mandatory Document 26 (MD 26), a free publication from the International Accreditation Forum (IAF) that explains the transition process for ISO 27001 certification bodies like Schellman. MD 26 includes guidance on what external auditors will focus on, such as an organization’s gap assessment process and their overall transition plan.
“I would definitely recommend to anybody that’s listening to this to understand, what is the delta [between the 2013 and 2022 ISO versions]?” Danny emphasizes. “Then, what is relevant to your management system? And then what’s your timeline? What’s your plan to transition? Do you have the right people? Have you gone through the right steps?”
What’s next?
Learn more about the ISO 27001:2022 transition in our podcast with Ryan Mackie and Danny Manimbo.
How will the recent update to the ISO 27001 control set impact your cybersecurity program? The New ISO 27002:2022—What Does It Mean for Your ISO 27001 ISMS?