Why has ISO/IEC 27001:2013 been updated to ISO/IEC 27001:2022?
ISO/IEC 27001 specifies the requirements for an information security management system (ISMS): a structured framework for identifying and managing information security risks and protecting against threats. Conformance with the standard helps secure information assets such as financial information, personal data, and intellectual property, including information about an organization's business and employees as well as its customers and suppliers.
Cybersecurity should now be at the top of every company agenda. Cyber incidents such as data breaches and ransomware attacks regularly make headlines, and global political tensions exacerbate the risk. In addition, most enterprises now rely on cloud-based infrastructure, and in many countries around one-third of the workforce works remotely at least part of the time. These changes mean organizations need to reassess their risks and countermeasures in a structured way, in the context of their ISMS. Since the previous edition was published in 2013, the threat landscape and working practices have changed substantially, and the revision in ISO/IEC 27001:2022 was needed to address these developments.
The title of the ISO/IEC 27001:2022 standard has been updated to reflect the increased focus on cybersecurity and privacy protection. The new version also reflects changes to the workplace and the threat landscape, including those arising from increased remote working and the use of cloud services. The Annex A control set has been restructured to 93 controls in four themes (organizational, people, physical and technological), including 11 new controls such as threat intelligence, information security for use of cloud services, configuration management, data leakage prevention and secure coding. In addition, five attributes have been introduced (control type, information security properties, cybersecurity concepts, operational capabilities and security domains), each with a set of values assigned to every Annex A control, so that controls can be filtered and grouped by attribute. This is intended to enable alignment and interoperability of ISO/IEC 27001:2022 with other cybersecurity best practices, such as the NIST publications; for example, the cybersecurity concepts attribute uses the Identify, Protect, Detect, Respond and Recover functions.
Furthermore, ISO/IEC 27001:2022 includes a minor re-alignment with the ISO High Level Structure (Annex SL) used by other management system standards, such as ISO 9001:2015 and ISO 22301:2019. These changes mostly clarify existing requirements rather than adding significant new ones.
Transition times and timelines
ISO/IEC 27001:2022 was released in October 2022, with a three-year transition period. To maintain certification, all ISO/IEC 27001:2013 certificates must be transitioned to ISO/IEC 27001:2022 before November 1, 2025. The transition audit can be carried out as part of a scheduled audit within the three-year transition period, or as an additional special audit.
The transition should ideally start sooner rather than later, to allow adequate time to incorporate the necessary changes into the ISMS and to ensure completion within the three-year transition period.
Two transition milestones apply:
- May 1, 2024 – From this date, all initial certification and recertification audits must be conducted against ISO/IEC 27001:2022.
- October 31, 2025 – The transition period ends, after which ISO/IEC 27001:2013 certificates are no longer valid.
- ISO/IEC 27001:2022 transitions completed during a surveillance or special audit require an additional audit time of one auditor day, and the existing expiry date on the certificate is maintained.
- ISO/IEC 27001:2022 transitions completed during a recertification audit require an additional audit time of half an auditor day, and the certificate is renewed for a further three-year period.
- The additional audit time for assessing an ISO/IEC 27001:2022 transition is specified in the International Accreditation Forum (IAF) document MD 26:2022, Transition Requirements for ISO/IEC 27001:2022. These requirements therefore apply to all certification bodies accredited by an IAF member accreditation body.
Recommended steps for the ISO/IEC 27001:2022 transition
How we can support
We can support your ISO/IEC 27001:2022 initial certification or transition with:
- ISO/IEC 27001:2022 training, providing an overview of key changes and the transition process.
- Gap assessments, to indicate how well your ISMS meets the ISO/IEC 27001:2022 requirements.
- ISO/IEC 27001:2022 audits to transition your certification to the new version of the standard.
Unlocking ISO/IEC 27001:2022. Join our on-demand webinar for insights
Want to know more about the ISO/IEC 27001:2022 transition or certification? Join our on-demand webinar to learn about the steps required to achieve ISO/IEC 27001:2022 certification.