Find out why Strike Graph is the right choice for your organization. What can you expect?
In October of 2022, ISO 27001 was updated from ISO 27001: 2013 to ISO 27001: 2022.
Why the change? Like all compliance frameworks, ISO 27001 is regularly updated to ensure that all security requirements meet the most recent industry standards, are in line with the latest technological advancements, and can stand up against constantly changing cyber threats.
In fact, all ISO standards are reviewed at least once every five years. ISO 27001 was revised in 2013, 2017, and 2019, but the changes were minor. This means that ISO 27001: 2022 is the biggest overhaul of the standard we’ve seen since the original ISO 27001: 2013 version.
So what’s the difference between ISO 27001: 2013 and ISO 27001: 2022, what’s staying the same, and when do you need to start making the transition to ISO 27001: 2022? Let’s take a look at those questions now.
First and foremost, the new version’s official title is ISO/IEC 27001:2022 Information Security, Cybersecurity, and Privacy Protection, and the main changes have to do with Annex A controls and domains and a few of the ISO 27001 clauses.
The biggest change can be found in the Annex A controls and domains. As a quick refresher, the number of controls has been reduced from 114 to 93, and the 14 “domains” have been replaced by four “themes” — people, organizational, technological, and physical. Additionally, some controls have been removed, 57 have been merged, one has been split, 23 have been renamed, 35 have stayed the same, and 11 have been added.
The 11 new controls are:
The new version’s controls are more specific and can be applied more flexibly according to how they relate to your organization’s scope. Furthermore, you may be required to implement new controls depending on the scope of your ISMS, so make sure you carefully review all of the 93 ISO 27001: 2022 controls.
ISO 27001 Clauses 4 to 10 are:
While the titles and order of clauses 4 to 10 remain the same, minor changes have been made to the terminology, clause structure, and sentence structure. Additionally, new information has been sprinkled throughout the standard, so read the new version carefully. For example, clause 6.3 adds a requirement that when the organization determines a need for changes to the ISMS, those changes must be carried out in a planned manner.
Clauses are still the main focus of the standard, and these always-applicable clauses must be implemented regardless of organization type or the type of data you’re handling. Also, it’s important to note that no significant requirements from ISO 27001: 2013 were deleted.
Don’t worry, there’s no need to panic — if your organization was assessed against ISO 27001: 2013 before October 2022, then you have between 18 and 36 months to transition from the old version. In other words, since the certification audit is on a three-year cycle, you’ll need to plan to transition to the 2022 version prior to your next ISO 27001 audit.
After the transition period, the ISO 27001: 2013 certificates will be withdrawn and considered expired, regardless of the certificate’s listed expiry date, so don’t delay! We recommend that you start revising your management system to ensure it’s in compliance with ISO 27001: 2022 as soon as possible.
In order to start preparing for ISO 27001: 2022, we recommend that you first review all of the amended, updated, and new ISO 27001: 2022 controls. From there, you’ll want to determine which are applicable to your organization, then carry out the appropriate steps in order to implement the necessary changes. When implementing new controls, make sure you enforce them with procedures and policies, and test them before proceeding to your audit.
Thankfully, Strike Graph can make this ISO 27001 transition — as well as other regulatory shifts — easier with our pre-loaded controls, streamlined audit capabilities, and more.
Not only can we help you better understand what’s changed when it comes to ISO 27001, we also make it simple to upgrade. Our ISO 27001:2022 pre-mapped controls are ready to implement with the click of your mouse.
The security landscape is ever changing. Sign up for our newsletter to make sure you stay abreast of the latest regulations and requirements.
Strike Graph offers an easy, flexible security compliance solution that scales efficiently with your business needs — from SOC 2 to ISO 27001 to GDPR and beyond.
© 2024 Strike Graph, Inc. All Rights Reserved • Privacy Policy • Terms of Service