
Top 8 Questions about the new ISO 27001:2022

Q1. What is ISO 27001?

ISO 27001 is the internationally recognised standard for information security. It gives a business a risk-based approach to protecting its information that is accepted worldwide as best practice.

Implementing an Information Security Management System (ISMS) that meets the requirements of the standard is how an organisation achieves ISO 27001 certification.

Q2. What is an ISMS?

An ISMS, or Information Security Management System, helps a business identify, assess, mitigate and manage the risks to its information assets.

ISO 27001 certification gives your customers and business partners peace of mind, and increases your credibility, by showing that you are committed to an international standard of information security.

Q3. What has changed in the new ISO 27001 : 2022 version?

 

The following excerpt has been taken from bestpractice.biz:

 

The structure of ISO 27001 – Annex A has undergone a complete overhaul. The updated version of ISO 27001 has been restructured and revised. First, the modified ISO 27001 does not identify with the commonly used phrase ‘code of practice’. This helps outline its purpose through the set of information security controls.

 

Secondly, the number of controls has decreased from 114 to 93 in the new version of ISO 27001. These security controls are now divided into four chapters instead of the previous 14. The new domains of ISO 27002:2022 are:

      • Chapter 5: Organizational (37 controls)

      • Chapter 6: People (8 controls)

      • Chapter 7: Physical (14 controls)

      • Chapter 8: Technology (34 controls)

     

In the newly revised ISO 27001, 35 controls remained unchanged, 23 controls have been renamed, and 57 controls have been merged to form 24 controls. Only one control was divided into two: Control 18.2.3 – Technical Compliance Review has been split into 8.8 – Management of technical vulnerabilities and 5.36 – Conformity with policies and standards of information security. Eleven new controls have been added to the latest version:

        • Threat Intelligence

        • Physical security monitoring

        • Data masking

        • Information security for cloud services

        • Monitoring activities

        • ICT readiness for business continuity

        • Data leakage prevention

        • Configuration management

        • Web filtering

        • Information deletion

        • Secure coding

The merging and addition of new controls create five major security attributes that make them easier to group: control types, operational capabilities, security domains, cybersecurity concepts, and information security properties.

       

Q4. When are the changes going to be released?

The revised ISO 27001 was published in October 2022, and collaboration between accreditation bodies and certification companies on the transition is already underway.

       

Q5. I have already started with my certification before the new revision, do I need to start over?

Absolutely not!

If you are already in the process of certification, you can make the necessary adjustments to meet the requirements of the new revision. The changes in the revision are moderate, so transitioning to ISO 27001:2022 takes little effort: the main work is re-mapping your existing controls and Statement of Applicability to the restructured Annex A and assessing whether the eleven new controls apply to you.

       

Q6. We are already ISO 27001:2013 certified, what now?

The revised ISO 27001 standard does not invalidate your existing certification. Accreditation bodies and certification companies are agreeing a transition period that allows all currently certified organisations to move to the new version of the standard.

It is, however, important to note that until your certificate has been transitioned, your Statement of Applicability (SoA) must still reference the ISO 27001:2013 Annex A controls; use the ISO 27001:2022 Annex A only as a reference guide to the revised controls while you prepare your mapping.

You should not wait for the accreditation bodies to be ready to certify you against the new revision before you start adapting your ISMS.

Waiting leaves the areas addressed by the new controls, such as threat intelligence, cloud services, configuration management and data leakage prevention, unmanaged in the meantime and your organisation open to those risks.

       

Q7. How long a grace period will we have to transition from the 2013 to the 2022 revision?

Based on previous transition periods, you can expect two to three years in which to transition between the two revisions. The IAF has since set the end of the transition at 31 October 2025, three years after publication; ISO 27001:2013 certificates are no longer valid after that date. This gives you ample time to make the necessary changes to your ISMS and certification.

       

Q8. Will the certification body check the changes in the documentation?

Yes. If your company is certified, your auditor will check during your regular surveillance audits whether your documentation, including the SoA, has been updated to the new revision within the transition period.

       

VDAC ISO Auditing and Consulting has excellent knowledge of the industry changes. You can contact us on carien@vdac.co.za and we will be more than happy to assist you with your transition or certification.
