Adopt ISO/IEC 27001:2022 now, and avoid exposure to unacceptable security risks
Planning your transition to ISO/IEC 27001:2022
ISO/IEC 27001:2022 is the third edition of the ISMS standard. The changes concern a revised Annex A and alignment with the revised ISO Directives. Want to understand more about the changes?
At first view, transition is easy — just update your SOA to align it with the revised Annex A (there are mapping tables in ISO/IEC 27001:2022). Job done! But why, then, is there a three-year transition period? Perhaps it is not so straightforward.
Whilst there is very little change to the information security requirements, one of the most challenging and perplexing aspects of ISO/IEC 27001 is still risk assessment and the SOA. That can be mastered, however, as can measuring performance, optimising, showcasing and exploiting your ISMS.
The devil is in the detail
Comparison of the organisation’s necessary controls with those in the new Annex A has two possible outcomes:
In the first case, you have concluded that none of the 11 new controls are necessary. However, you must justify their exclusion in your SOA. This means that the SOA must be updated. There is no requirement to use the same layout as Annex A for your SOA, but if you choose to do that, that is another change.
In the second case, you may have concluded that at least one of the 11 new controls is necessary. You could also have concluded that some of your existing necessary controls must be revised. These additions and revisions are likely to require:
There can also be consequential changes, for example to the policy, objectives, measurements, and the internal audit programme. Thus, the change in content of Annex A can bring about significant change in the ISMS.
In conclusion, this transition process is far more complicated than just updating your SOA using the mapping tables in ISO/IEC 27001:2022. Moreover, please be aware that these mapping tables are imprecise. The merging of controls was not always clean cut, and the mapping tables only show the principal mergers.
Harmonised structure (HS)
There is a new clause in ISO/IEC 27001:2022 (6.3) that requires organisations to carry out changes to the ISMS in a planned manner. This means that the changes to the ISMS required for transition must themselves be planned. There are other changes that result from the changes to the core requirements. For a properly implemented ISMS these may have no effect, and no changes are required other than for the organisation to know what the changes are and how they are already fulfilled by its ISMS.
For example, consider the new requirement that “externally provided processes, products or services that are relevant to the ISMS are controlled”. If failure of such a process, product or service is an acceptable risk, then it is not relevant to the intended results of the ISMS and need not be controlled. If failure presents an unacceptable risk, then that risk should already have been assessed and treated by virtue of Clauses 6.1.2 and 6.1.3. However, it is advisable to check.
Likewise, the new requirement (4.2 c)), “which of these [interested party] requirements will be addressed through the ISMS”, should be equally benign. If an organisation decides to fulfil an interested party requirement that is relevant to the ISMS, it becomes an organisational requirement and is addressed through the ISMS. If such a requirement presents a risk (e.g., competitors and cybercriminals are interested parties), it does not become an organisational requirement (i.e., it is not fulfilled), but it is nevertheless still addressed through the ISMS by the information security controls that the organisation uses to protect itself from the activities of such nefarious actors. Otherwise, unfulfilled requirements are not relevant to the ISMS. However, care must be taken to ensure that the certification scope statement does not imply the organisation fulfils some requirement when it does not.
The transition arrangements are governed by the International Accreditation Forum (IAF). In brief, from the last day of the publication month of ISO/IEC 27001:2022 (i.e., 2022-10-31):
It is anticipated that several certification bodies will be ready to perform audits against ISO/IEC 27001:2022 by mid-2023.
When should I transition?
Comparison of necessary controls with the revised Annex A can result in the discovery of missing necessary controls, thereby implying that the organisation is exposed to unacceptable information security risk. Since the purpose of an ISMS is to manage information security risk, early adoption of ISO/IEC 27001:2022 is recommended.
Want to know more?
David Brewer’s book “An introduction to ISO/IEC 27001:2022” gives a detailed explanation of the whole of ISO/IEC 27001:2022 and includes detailed information on transition. It is available on Amazon in e-book (£36.00) and paperback (£42.00) formats.
If you have any questions about ISO/IEC 27001:2022, just ask or use the find facility above. We will be pleased to assist.
© IMS-Smart Limited, 2022-23
Page last updated: February 27, 2023