ISO/IEC 27001:2022 has been published on Oct 25, 2022.
Publication of ISO/IEC 27001:2022
The International Organization for Standardization (ISO) has published the ISO/IEC 27001:2022 standard, which replaces ISO/IEC 27001:2013.
The ISO/IEC Joint Technical Committee JTC 1/SC 27 develops International Standards in the field of information security. The current international secretariat of ISO/IEC JTC 1/SC 27 is DIN, one of the primary shareholders of DQS in Germany.
Background
Cybercrime has grown in recent years. According to the World Economic Forum’s Global Cybersecurity Outlook Report, cyber-attacks increased by 125 % globally in 2021. Top management in all kinds of organizations must take a strategic approach to addressing the risks associated with information security.
To address global cybersecurity challenges and improve digital trust, the new and improved version of ISO/IEC 27001 has just been published. It is the world’s best-known standard for information security management. Implementing an information security management system and certifying it against the ISO 27001:2022 standard will help organizations:
- secure information in a systematic approach, including paper-based, cloud-based and digital data,
- increase resilience to evolving security threats and cyber attacks,
- ensure the integrity, confidentiality and availability of data, and
- demonstrate their professional corporate governance to the public.
Changes to ISO 27001:2022
Compared with ISO/IEC 27001:2013, the key changes in ISO/IEC 27001:2022 include:
- Annex A references the controls in ISO/IEC 27002:2022, including each control's title and text;
- The notes of Clause 6.1.3 c) are revised editorially, including deleting the control objectives and replacing “control” with “information security control”;
- The wording of Clause 6.1.3 d) is re-organized to remove potential ambiguity;
- The number of controls decreases from 114 controls in 14 clauses to 93 controls in 4 clauses;
- 11 controls are new, 24 controls are merged from existing controls, and 58 controls are updated;
- The control structure is revised: it introduces an “attribute” and a “purpose” for each control and no longer uses an “objective” for a group of controls.
Most of the new information security controls are associated with IT. You can find a list of the new controls here.
Transition Period
- The transition period will end after Oct 31, 2025, according to IAF MD26:2022.
- DQS will provide transition audits or initial audits against ISO 27001:2022 after the required assessment by the associated accreditation bodies, which is expected around Q2 of 2023.
- An existing certified organization should plan its transition audit so that the revised certificate is issued before the end of the transition period.
- All certifications based on ISO/IEC 27001:2013 will expire or be withdrawn at the end of the transition period.
- For an ISO 27001 Initial Audit or Recertification Audit after October 31, 2023, DQS will conduct it only in accordance with the new ISO/IEC 27001:2022 standard.
Transition Audits
- The transition audit can be conducted in conjunction with a surveillance/recertification audit, with appropriate additional audit days, or through a separate special audit.
- The transition audit will include, but is not limited to, the following:
  - a gap analysis against ISO/IEC 27001:2022, as well as the need for changes to the ISMS;
  - updating the statement of applicability (SoA);
  - if applicable, updating the risk treatment plan;
  - the implementation and effectiveness of the new or changed controls chosen by the organization.
- The expiration date of the current certificate will not be changed solely due to a transition audit.
- A transition audit by DQS will consist of a two-stage audit:
  - Stage 1 Audit: typically an on-site document review of 0.5 to 1 man-day; and
  - Stage 2 Audit: typically additional audit time on the basis of a Recertification Audit or Surveillance Audit.
- If an ISO 27001:2013 certified client fails an ISO 27001:2022 transition audit but remains in compliance with ISO 27001:2013, the original certificate can be maintained with an expiration date no later than Oct 31, 2025.
Supports by DQS
- DQS is a global certification body providing accredited ISO 27001 ISMS certification and ISO 27701:2019 PIMS certification services.
- DQS Academy delivers public ISO 27001 Internal Auditor courses and the PECB-certified ISO 27001 Lead Auditor self-study course to help customers understand the standard and prepare for the coming upgrade.
- Stay informed: sign up for DQS' newsletters and follow DQS on LinkedIn.
Blog author: DQS HK