ISO 27001 is the Information Security Management Standard that provides a framework for organisations to manage the risks associated with information security threats. Published by the International Organisation for Standardisation (ISO), the Standard includes a framework for information security guidelines and requirements that are aimed at protecting a business's data through the implementation of an Information Security Management System.
Put simply, the goal of ISO 27001 is to protect the confidentiality, integrity and availability of an organisation's information. In October 2022, ISO 27001:2022 was published, replacing the previous ISO 27001:2013 version of the Standard. This article discusses the changes and what they mean for your information security management system.
ISO 27001 changes – 2013 vs 2022
In October 2022, ISO 27001:2022 was published and, while not a fully revised edition, it does include a number of changes that organisations will need to comply with. These changes include:
- A category restructure – decreasing from 14 to 4 categories – now just People, Organisational, Technological and Physical
- A decrease in the controls listed in Annex A, from 114 to 93, including:
  - 11 new controls
  - 24 merged controls
  - 58 updated controls
- Wording changes in Clause 6.1.3 to remove potential ambiguity.
What does it mean if your business is already certified to ISO 27001?
If you’re currently certified to ISO 27001:2013 you will need to upgrade your management systems to meet the requirements of the new version of the Standard before you’re audited against ISO 27001:2022. Your Certification Body can begin auditing against ISO 27001:2022 from 1 November 2022 and the transition must be completed by 30 October 2025 to avoid losing your certification and having to re-do stage 1 and 2 audits.
To help prepare for the transition you may wish to take some of the following steps:
- Enroll your ISMS manager on an ISO 27001 Transition Awareness Seminar with JLB to gain a detailed understanding of the changes and how they will impact your management system
- Review the new Standard, including the revised controls listed in Annex A - Information security controls reference
- Identify which of your current controls have been impacted by the revision
- Formulate a plan to transition your documentation to meet the requirements of the revised standard
- Speak to one of JLB’s ISMS Consultants to assist in your transition.
Interested in the ISO 27001 certification for your business?
An Information Security Management System certified to ISO 27001 is a great way to mitigate information security risk. An ISMS is essentially a structured framework of policies and controls that systematically manage information security risk. While every business is exposed to privacy and security threats, it is essential that businesses ensure their processes and policies reduce this risk where possible. This is achieved through an Information Security Management System focused on Risk Assessment, Risk Control and Risk Management.
If you’re currently working towards Information Security Management Systems certification, we recommend implementing a system that meets the requirements of ISO 27001:2022. If you would like to talk through the process, call our friendly team today on 08 8347 2933.
Transitioning to ISO 27001:2022
In summary, the long overdue release of the 2022 version of ISO 27001 has brought a number of changes. The changes to the main part of the Standard are relatively minor with only a few small amendments in the documentation and processes. The changes to the controls, listed in Annex A, are slightly more extensive; while the overall number has decreased, there are a number of new, merged and updated controls and documentation will need to be amended accordingly.
JLB will be running numerous ISO 27001:2022 Transition Seminars to help bring organisations up to speed with the changes – look out for confirmed dates coming soon. If you would like to discuss your ISMS further, please call our friendly team today!