
Monday 31 October 2022

ADL Consulting supporting businesses to transition to the new ISO 27001:2022

LEICESTER, LEICESTERSHIRE, UNITED KINGDOM, October 31: For those who haven't heard yet, the new version of ISO 27001 has just been released (25th October 2022). The ISMS standard was first published in 2005, updated in 2013, and has undergone a revamp this year with significant changes to the controls listed in Annex A. Practically, this means that:

- Organisations working towards ISO 27001 certification will, from the release of the new version, be expected to certify to ISO 27001:2022.
- Those already certified to ISO 27001:2013 have a transition window in which to update their ISMS to meet the requirements of the new version of the Standard. The IAF transition arrangements set this at three years from the month of publication, so the deadline is 31 October 2025.

What is ISO 27001?

ISO 27001 is an information security standard that sets the bar for developing and maintaining an Information Security Management System (ISMS). It is an internationally recognised standard that helps companies protect the confidentiality, integrity and availability of their information. ISO 27001 is made up of 2 parts:

- Management Clauses (4-10); and
- Annex A controls

ISO 27001 Annex A only lists the security controls; it does not explain how to implement them in an ISMS. BUT, fear not! Annex A comes with a sexy sidepiece: ISO 27002, which explains in detail what each control in Annex A means. ISO 27002 provides extensive guidance on HOW the controls can be implemented in an organisation (think of it as an appendix), but not WHAT controls need implementing (again, that is ISO 27001). To be clear, ISO 27001 is the main standard. Organisations can be certified against ISO 27001, but not against ISO 27002.

What do the ISO 27001:2022 changes look like?

We already knew that the Annex A controls would change, because ISO 27002:2022 was released first, in February 2022 (remember the sexy sidepiece). Annex A of ISO 27001:2022 lists the same 93 controls that ISO 27002:2022 describes, so the new Annex A could be read off ISO 27002:2022 before ISO 27001:2022 itself was published. ISO 27002:2022 also includes, in its Annex B, a correspondence table between the 2022 controls and the 2013 controls, which is the basis for mapping an existing ISMS across.
The main changes are:

- Security controls in Annex A have been revised
- The number of controls has been reduced from 114 to 93
- Controls are now grouped into just 4 themes (organisational, people, physical and technological), rather than the prior 14 domains
- Controls have been merged, rather than deleted
- There are 11 new controls

The management clauses 4 to 10 remain more or less the same. This is because clauses 4-10 follow the harmonised structure shared by all ISO management system standards, and that common structure has not been revised. Annex A, by contrast, is specific to ISO 27001, and it is the part that has its own companion guidance (ISO 27002). Clauses 4-10 cover:

- Clause 4 - context of the organisation
- Clause 5 - leadership
- Clause 6 - planning
- Clause 7 - support
- Clause 8 - operation
- Clause 9 - performance evaluation
- Clause 10 - improvement

The changes to the Clauses are minor (for example, clearer wording around planning of changes and the treatment of externally provided processes). They are intended to simplify ISO 27001 implementation, making life easier for users and for auditors!

What work is required?

As described above, the changes predominantly concern the controls (breathe a sigh of relief!). To begin preparing for compliance with these changes, organisations can:

- Build a new Statement of Applicability based on the new Annex A (93 controls), using ISO 27002:2022 as the implementation guide
- Map the controls in the old Annex A (ISO 27001:2013) to the ones they line up with in the new Annex A (ISO 27001:2022); the correspondence table in ISO 27002:2022 Annex B does most of this work
- Record the gaps: as we said before, some controls have merged, and there are 11 new ones that will have no counterpart in an existing SoA and will each need an applicability decision and, where applicable, evidence of implementation

When does this change need to happen?

Those already certified to ISO 27001:2013 must complete the transition by 31 October 2025, three years from the publication month of the new Standard; after that date certificates issued against the 2013 version are no longer valid. Transition is normally assessed at a scheduled surveillance or recertification audit, so it is worth agreeing the timing with your certification body early. There is no reason why organisations shouldn't start this process now, but don't worry, there is plenty of time to make the required changes.

How can ADL Consulting help with the transition to the new and improved ISO 27001?
ADL Consulting specialise in ISO 27001 and would be more than happy to help organisations looking for a helping hand with this process or some support in the changeover to ensure a seamless transition from ISO 27001:2013 to ISO 27001:2022.
