ISO/IEC 27001:2022 was published on 25 October 2022.

Publication of ISO/IEC 27001:2022

The International Organization for Standardization (ISO) has published ISO/IEC 27001:2022, which replaces ISO/IEC 27001:2013.

The standard is developed by ISO/IEC Joint Technical Committee JTC 1/SC 27, which produces International Standards in the field of information security. The current international secretariat of ISO/IEC JTC 1/SC 27 is DIN, one of the primary shareholders of DQS in Germany.

Background

Cybercrime has grown in recent years. According to the World Economic Forum's Global Cybersecurity Outlook report, cyber attacks increased by 125 % globally in 2021. Top management of organizations of all kinds therefore needs a strategic approach to the risks associated with information security.

To address global cybersecurity challenges and improve digital trust, a new and improved version of ISO/IEC 27001, the world's best-known standard for information security management, has now been published. Implementing an information security management system (ISMS) and certifying it against ISO/IEC 27001:2022 helps organizations to:

  • secure information systematically, whether paper-based, cloud-based or digital,
  • increase resilience to evolving security threats and cyber attacks,
  • ensure the confidentiality, integrity and availability of data, and
  • demonstrate professional corporate governance to the public.

Changes to ISO 27001:2022

Compared with ISO/IEC 27001:2013, the key changes in ISO/IEC 27001:2022 are:

  • Annex A now references the controls in ISO/IEC 27002:2022, listing each control's title and control text;
  • the notes to Clause 6.1.3 c) are revised editorially, including deleting the control objectives and replacing "control" with "information security control";
  • the wording of Clause 6.1.3 d) is reorganized to remove a potential ambiguity;
  • the number of controls decreases from 114 controls in 14 domains to 93 controls in 4 themes (organizational, people, physical and technological);
  • 11 controls are new, 24 controls are merged from existing controls, and 58 controls are updated;
  • the control structure is revised: each control now has "attributes" and a "purpose", and "objective" is no longer used for a group of controls.

Most of the new information security controls are technological. The list of new controls is available here.

Transition Period

  • The transition period ends on 31 October 2025, in accordance with IAF MD 26:2022.
  • DQS will offer transition audits and initial audits against ISO/IEC 27001:2022 once the required assessment by the relevant accreditation bodies is complete, expected around Q2 2023.
  • An organization that is already certified should schedule its transition audit so that the revised certificate is issued before the end of the transition period.
  • All certificates based on ISO/IEC 27001:2013 will expire or be withdrawn at the end of the transition period.
  • Any ISO 27001 initial audit or recertification audit after 31 October 2023 will be conducted by DQS only against ISO/IEC 27001:2022.

Transition Audits

  • The transition audit can be combined with a surveillance or recertification audit, with appropriate additional audit days, or conducted as a separate special audit.
  • The transition audit includes, but is not limited to:
    - a gap analysis against ISO/IEC 27001:2022 and the resulting changes needed to the ISMS;
    - the updated Statement of Applicability (SoA);
    - the updated risk treatment plan, where applicable;
    - the implementation and effectiveness of the new or changed controls selected by the organization.
  • The expiry date of the current certificate is not changed solely because of a transition audit.
  • A transition audit by DQS is a two-stage audit:
    - Stage 1: typically an on-site document review of 0.5 to 1 auditor-day; and
    - Stage 2: typically additional audit time added to a recertification or surveillance audit.
  • If an ISO 27001:2013-certified client fails the ISO 27001:2022 transition audit but still conforms to ISO 27001:2013, the original certificate can be maintained with an expiry date no later than 31 October 2025.

Support by DQS

Author: Blog Author of DQS HK