Evolution to meet the threats
ISO/IEC 27001 was last updated in 2013, and since then the cyber world and the threats to it have evolved dramatically. The standard must follow suit, and it is designed to accommodate such updates.
February 15, 2022 was a crucial day: ISO/IEC 27002:2022 – Information Security, Cybersecurity and Privacy Protection – Information Security Controls – was published. As a result, ISO/IEC 27001 Annex A needed updating to align with the controls in ISO/IEC 27002:2022.
The main changes in ISO/IEC 27001:2022
The name is changing to reflect the standard’s true scope. The new title is ISO/IEC 27001:2022 – Information Security, Cybersecurity and Privacy Protection – Information Security Management Systems – Requirements. This also aligns with the new title of ISO/IEC 27002:2022.
Other changes include revised clause numbering, new and rearranged text, and updates to Annex A.
Supporting your transition
If your organization is already ISO/IEC 27001 compliant, no changes in technology are needed, only updates to the documentation. You might need to revise internal policies according to the new subclauses and modified requirements. Your risk assessment results and risk treatment plan(s) should also be reviewed, and your Statement of Applicability (SoA) updated.
The transition period will be three years from when ISO/IEC 27001:2022 is officially published, so you should have ample time to comply. Your ISO/IEC 27001 certificate remains valid until this period ends.
We can help to smooth your transition and have created a suite of services and materials, including transition training and guidance documents (ISO IEC 27001 Information Security Cybersecurity and Privacy Protection), or contact us.