ISO/IEC 27001:2022 Version Launched
ISO 27001 has been updated for the first time in almost a decade, reflecting the rapidly evolving threats to information security and the need for information security management systems to remain effective and relevant.
The latest version of the standard, ISO 27001:2022, was published by ISO on 25th October 2022. This update includes a revised structure for Annex A, aligning it with ISO/IEC 27002:2022, and introduces new control categories, such as threat intelligence, information security for cloud services and ICT readiness for business continuity. Certain outdated controls have been removed or merged to streamline the implementation process.
What are the main changes in ISO 27001:2022?
The overall structure of ISO 27001’s Annex SL clauses has not changed. These clauses include:
- Clause 4 – Context of the organisation
- Clause 5 – Leadership
- Clause 6 – Planning
- Clause 7 – Support
- Clause 8 – Operation
- Clause 9 – Performance evaluation
- Clause 10 – Improvement
The clauses have, however, undergone some changes, including wording, the structure of sentences and some additional new content.
Annex A has had the most significant changes, with the number of controls being reduced from 114 in ISO/IEC 27001:2013 to 93 in ISO/IEC 27001:2022. These controls have been restructured and merged into 4 control sections, instead of the previous 14 sections.
What does it mean for me and my business?
Once a business is certified to ISO 27001, it demonstrates that it has implemented a management system to identify, manage and mitigate information security risks.
Cyber attacks are more common than ever, and this updated version of the standard offers confidence and assurance that the organisation has a systematic approach in place to manage information security risks, including those posed by cyber attacks.
It also demonstrates to customers and stakeholders that your organisation takes information security seriously and has structured measures in place to address potential risks.
If you received ISO 27001 certification before 25th October 2022, you will need to update your management system and practices so that your organisation complies with the requirements of the new standard.
What are the timescales for transitioning to ISO 27001:2022?
If your business is currently certified to ISO/IEC 27001:2013, you will need to transition to the new standard before the Transition Period Deadline.
A transition audit can be completed at the same time as a surveillance audit or a recertification audit, and may require additional audit time.
This transition period is 36 months, and you have until 31st October 2025 to complete the transition.