Adopt ISO/IEC 27001:2022 now, and avoid exposure to unacceptable security risks


Planning your transition to ISO/IEC 27001:2022

ISO/IEC 27001:2022 is the third edition of the ISMS standard. The changes concern a revised Annex A and alignment of the core requirements with the harmonised structure for management system standards in the revised ISO/IEC Directives.

At first view, transition is easy: just update your SOA to align it with the revised Annex A (there are mapping tables between the 2013 and 2022 controls in ISO/IEC 27002:2022, Annex B) and the job is done. But why, then, is there a three-year transition period? Perhaps it is not so straightforward.


David Brewer’s book “An introduction to ISO/IEC 27001:2022” gives a detailed explanation of the whole of ISO/IEC 27001:2022 and includes detailed information on transition. It is available on Amazon in e-book (£36.00) and paperback (£42.00) formats.

Whilst there is very little change to the core information security requirements, one of the most challenging and perplexing aspects of ISO/IEC 27001 is still risk assessment and the SOA. That can be mastered, as can measuring performance, optimising, showcasing and exploiting your ISMS.

The devil is in the detail

Annex A

Comparison of the organisation’s necessary controls with those in the new Annex A has two possible outcomes:

  • The comparison determines that no necessary control has been overlooked.
  • The comparison determines that there is at least one necessary control that has been overlooked or requires change.

In the first case, you have concluded that none of the 11 new controls is necessary. However, you must still justify their exclusion in your SOA (Clause 6.1.3 d)). This means that the SOA must be updated. There is no requirement to use the same layout as Annex A for your SOA, but if you choose to do so, that is another change.

In the second case, you have concluded that at least one of the 11 new controls is necessary. You could also have concluded that some of your existing necessary controls must be revised. These additions and revisions are likely to require:

  • changes to the risk assessment (new necessary controls imply that new risks have been identified)
  • changes to the risk treatment (new and changed controls imply that the treatment has changed)
  • changes to the risk treatment plan (because the risk treatment has changed)
  • implementation of the new or changed controls.

There can also be consequential changes, for example to the policy, objectives, measurements, and the internal audit programme. Thus, the change in content of Annex A can bring about significant change in the ISMS.

In conclusion, this transition process is far more complicated than just updating your SOA using the mapping tables. Moreover, please be aware that these mapping tables (ISO/IEC 27002:2022, Annex B) are imprecise. The merging of controls was not always clean cut, and the mapping tables only show the principal mergers; a 2013 control whose content was split across several 2022 controls may appear against only one of them.

Harmonised structure (HS)

There is a new clause in ISO/IEC 27001:2022 (6.3, Planning of changes) that requires organisations to carry out changes to the ISMS in a planned manner. This means that the changes to the ISMS required for transition must themselves be planned. There are other changes that result from the changes to the core requirements. For a properly implemented ISMS these should have no practical effect, and no changes are required other than for the organisation to know what the changes are and how they are already fulfilled by its ISMS.

For example, consider the new requirement (Clause 8.1) that “externally provided processes, products or services that are relevant to the ISMS are controlled”. If failure of such a process, product or service is an acceptable risk, then it is not relevant to the intended results of the ISMS and need not be controlled. If its failure presents an unacceptable risk, then that risk should already have been assessed and treated by virtue of Clauses 6.1.2 and 6.1.3. However, it is advisable to check, and to be able to show an auditor where in the risk assessment and treatment plan each such supplier or service is covered.

Likewise, the new requirement (4.2 c)), to determine “which of these [interested party] requirements will be addressed through the ISMS”, should be equally benign. If an organisation decides to fulfil an interested party requirement that is relevant to the ISMS, it becomes an organisational requirement and is addressed through the ISMS. If such a requirement presents a risk (e.g., competitors and cybercriminals are also interested parties, with requirements of their own), it does not become an organisational requirement (i.e., it is not fulfilled) but it is nevertheless still addressed through the ISMS, by the information security controls that the organisation uses to protect itself from the activities of such nefarious actors. Other unfulfilled requirements are not relevant to the ISMS. However, care must be taken to ensure that the certification scope statement does not imply that the organisation fulfils some requirement when it does not.


Transition arrangements

The transition arrangements are governed by the International Accreditation Forum (IAF). In brief, counting from the last day of the publication month of ISO/IEC 27001:2022 (i.e., 2022-10-31):

  • accreditation bodies must be ready to assess their certification bodies within 6 months
  • transition of certification bodies must be completed within 12 months
  • transition of certified clients must be completed within 36 months (i.e., by 2025-10-31), after which ISO/IEC 27001:2013 certificates are no longer valid.

It is anticipated that several certification bodies will be ready to perform audits against ISO/IEC 27001:2022 by mid-2023.

When should I transition?

Comparison of necessary controls with the revised Annex A can result in the discovery of missing necessary controls, thereby implying that the organisation is currently exposed to unacceptable information security risk. Since the purpose of an ISMS is to manage information security risk, early adoption of ISO/IEC 27001:2022 is recommended rather than waiting for the end of the transition period.

Transition steps

  • acquire a copy of ISO/IEC 27001:2022 (and ISO/IEC 27002:2022, for the control guidance and mapping tables) at your earliest convenience
  • compare your existing necessary controls with those in the revised Annex A
  • draw up and implement plans (Clause 6.3) depending on the need for additional or changed necessary controls, including any consequential changes to the risk assessment, risk treatment plan, SOA, policy, objectives, measurements and internal audit programme
  • ensure that you are confident in being able to demonstrate conformance with the HS changes in ISO/IEC 27001:2022
  • liaise with your certification body over the timing of transitioning your ISMS to the new edition of the standard.

Want to know more?

David Brewer’s book “An introduction to ISO/IEC 27001:2022” (see above) gives a detailed explanation of the whole of ISO/IEC 27001:2022 and includes detailed information on transition.
