June 5, 2024

Countdown to Compliance: Understanding the shift from ISO 27001:2013 to ISO 27001:2022

Today, we’re tackling a crucial topic for organizations worldwide: the transition from ISO 27001:2013 to ISO 27001:2022. With the landscape of cybersecurity threats evolving constantly, staying ahead of the curve with robust security measures is essential. In this blog, we’ll guide you through conducting a gap assessment tailored for ISO 27001:2022, whether you are starting from scratch or building upon an existing ISO 27001:2013 internal audit.

Understanding the Need for Transition:

The release of ISO 27001:2022 is an important update to the internationally recognized standard for information security management systems (ISMS). As technology advances and new threats emerge, organizations must adapt their security practices accordingly. This transition isn’t merely about compliance; it’s about enhancing your organization’s resilience against cyber threats and safeguarding sensitive information in an increasingly digital world.

Differentiating ISO 27001:2013 and ISO 27001:2022:

Before diving into the gap assessment process, it’s important to understand the key differences between the previous and current versions of the standard. While ISO 27001:2013 laid a solid foundation for information security management, ISO 27001:2022 introduces updates and enhancements to address emerging cybersecurity challenges and to align with evolving best practices. As with previous versions, the ISO 27001:2022 standard is accompanied by ISO 27002:2022 implementation guidance. ISO 27001:2022 lists the requirements (including the Annex A controls), while ISO 27002:2022 provides guidance on how to implement those Annex A controls.

What’s Changing with the ISO 27001 and 27002 Updates in 2022?

ISO published an update to ISO 27002 in February 2022 and ISO 27001 in October 2022. The updated version is referred to as ISO 27001:2022 and replaces the previous version (ISO 27001:2013).

Below is a brief overview of the key changes included in ISO 27001:2022 and the ISO 27002:2022 implementation guidance.

Restructured Annex A—The 114 controls in 14 domains of the 2013 version have been consolidated into 93 controls grouped into four themes (organizational, people, physical, and technological). Many 2013 controls were merged or renamed rather than removed, so an existing Statement of Applicability needs to be re-mapped rather than rewritten from scratch.

New Controls—Introduced 11 new controls to keep the standard up to date with emerging security threats, trends, and technologies (e.g., structured threat intelligence and security of cloud service usage). The new controls cover the following areas:

  • Threat intelligence
  • Information security for the use of cloud services
  • Information and communication technology (ICT) readiness for business continuity
  • Physical security monitoring
  • Configuration management
  • Information deletion
  • Data masking
  • Data leakage prevention
  • Monitoring activities
  • Web filtering
  • Secure coding

Conducting a Gap Assessment:

Now, let’s explore the step-by-step process of conducting a gap assessment for ISO 27001:2022:

  • Familiarize Yourself with ISO 27001:2022 Requirements:
    • Begin by thoroughly reviewing the updated standard and gaining a clear understanding of its requirements and implications for your organization.
  • Assess Current Compliance Status:
    • Evaluate your organization’s existing ISMS against the requirements of ISO 27001:2022. Identify areas of compliance and gaps or discrepancies that need to be addressed.
  • Identify Changes and Updates:
    • Pay close attention to the changes and updates introduced in ISO 27001:2022 compared to the previous version. This may include new or revised controls, additional requirements, or updated terminology.
  • Update Policies and Procedures:
    • Based on the findings of your gap assessment, revise and update your organization’s policies, procedures, and documentation to ensure alignment with ISO 27001:2022 requirements.
  • Implement Necessary Controls:
    • Implement any new controls or measures necessary to address identified gaps and enhance your organization’s information security posture.
  • Training and Awareness:
    • Provide training and awareness sessions to relevant organizational stakeholders to ensure understanding and compliance with the updated ISMS requirements.
  • Monitor and Review:
    • Establish mechanisms for ongoing monitoring, review, and continuous improvement of your ISMS to maintain compliance with ISO 27001:2022 and effectively mitigate cybersecurity risks.

Unified ISO 27001:2022 Gap Assessment with Existing ISO 27001:2013 Internal Audit

One of the benefits of holding an existing ISO 27001:2013 certification is that an organization can combine the ISO 27001:2022 gap assessment with its current internal audit. In practice, the internal audit interviews are extended with additional questions covering the new and revised requirements, so that gaps against the 2022 version are identified in the same engagement. This saves organizations time and money, while also giving them a clear picture of where they stand against the updated standard.

What’s the Timeline for Implementing the 2022 Updates to ISO 27001 and 27002?

All certified organizations must transition to ISO 27001:2022 before October 31, 2025; ISO 27001:2013 certificates are no longer valid after that date. This means completing your internal audit and your external transition audit against the updated standard before the deadline. Ideally, organizations should schedule their internal and external audits well in advance of this date to avoid a lapse in certification and to avoid problems booking time with their external auditing organization, whose calendars fill up as the deadline approaches.