On October 25, ISO 27001:2022 was released, replacing the version from 2013. To help you determine the impact on your ISMS implementation, we have compiled this FAQ.
Table of contents
- What’s new?
- What about localized versions?
- What about other standards in the ISO 27000-family?
- How can I update my existing Instant 27001 implementation?
- Can I upgrade to Instant 27001 for Microsoft?
- When does my ISMS need to be updated?
- Can I already become certified to ISO 27001:2022?
- What about ISO 27001:2023?
What’s new?
Management system
The management system of ISO 27001:2022 contains a few minor changes, aligning it to Annex SL.
These changes include:
- Refinement of 4.1 Context
- Refinement of 4.2 Interested parties
- Refinement of 4.4 ISMS
- Refinement of 6.1.3 Risk treatment
- Refinement of 6.2 Objectives
- Addition of 6.3 Change management
- Refinement of 7.4 Communication
- Rewrite of 8.1 Operational planning
- Refinement of 9.1 Monitoring
- Splitting of 9.2 into 9.2.1 General / 9.2.2 Audit program
- Splitting of 9.3 into 9.3.1 General / 9.3.2 Input / 9.3.3 Output (and the addition of an extra topic)
- 10.1 Improvement and 10.2 Nonconformities have changed places (!)
Annex A controls
Annex A of ISO 27001:2013 contained 114 controls, divided over 14 chapters. This has been restructured; the 2022 version contains 93 controls, divided over 4 chapters:
- 5. Organizational (37 controls)
- 6. People (8 controls)
- 7. Physical (14 controls)
- 8. Technological (34 controls)
While some controls appear to have been merged, others look new and might require some tweaking of your existing implementation – if you wish to include them in your Statement of Applicability, of course. The table below lists these controls with their closest 2013 equivalent:
| ISO 27001:2022 | ISO 27001:2013 equivalent |
|---|---|
| A.5.7 Threat intelligence | A.6.1.4 Contact with special interest groups |
| A.5.16 Identity management | A.9.2.1 User registration and de-registration |
| A.5.23 Information security for use of cloud services | A.15.x Supplier relationships |
| A.5.29 Information security during disruption | A.17.1.x Information security continuity |
| A.5.30 ICT readiness for business continuity | A.17.1.3 Verify, review and evaluate information security continuity |
| A.7.4 Physical security monitoring | A.9.2.5 Review of user access rights |
| A.8.9 Configuration management | A.14.2.5 Secure system engineering principles |
| A.8.10 Information deletion | A.18.1.3 Protection of records |
| A.8.11 Data masking | A.14.3.1 Protection of test data |
| A.8.12 Data leakage prevention | A.12.6.1 Management of technical vulnerabilities |
| A.8.16 Monitoring activities | A.12.4.x Logging and monitoring |
| A.8.23 Web filtering | A.13.1.2 Security of network services |
| A.8.28 Secure coding | A.14.2.1 Secure development policy |
What about localized versions?
Most translations will be made available within 6 to 12 months; contact your local ISO member for more details.
What about other standards in the ISO 27000 family?
Updates of related standards (ISO 27017, 27018, 27701, 27799, NEN 7510) largely depend on their initial release date, following the standard 5-year review cycle. Just like ISO 27002 (which started development in 2018), this might take another 3 to 4 years, starting from the next review date.
Below is an overview of all standards in the ISO 27000 family, their status and the expected release dates.
| Standard | Status | Expected |
|---|---|---|
| ISO 27017:2015 | In development (source) | 2025 |
| ISO 27018:2019 | In development (source) | 2025 |
| ISO 27701:2019 | In development (source) | 2024 or 2025 |
| ISO 27799:2016 | In development (source) | 2025 |
| NEN 7510:2017 | In development | 2024 or 2025 |
| BIO | In development | 2024 |
If you are (planning to be) certified for ISO 27001 in combination with any one of these standards, you have two options:
- Use them in combination with the 2013 control set, so the control numbers match (this should be acceptable)
- Use them in combination with the 2022 control set, accept the fact that the control numbers do not match, and divide your Statement of Applicability in multiple sections, one for each control set
How can I update my existing Instant 27001 implementation?
An update package is available for existing customers. This package consists of:
- The new Annex A structure containing all 93 controls
- A table that maps the 114 controls from 2013 to the new controls
- Updates for the changed high level requirements
- All new and updated policies and procedures (for reference)
- A new Statement of Applicability
- A new Monitoring plan
- A new Internal audit program
- A new Internal audit report template
- A Gap analysis + action plan template (as required for the transition audit)
- Instructions on how to merge the contents and update your existing ISMS
Can I upgrade to Instant 27001 for Microsoft?
When does my ISMS need to be updated?
The International Accreditation Forum (IAF) has released a document indicating that, starting from the publication of ISO 27001:2022, certified organizations have 36 months to complete the transition, in this case no later than October 31 of 2025.
The transition consists of:
- Creation of a Gap analysis + action plan
- Updating the ISMS (controls, risk assessment, documentation)
- An internal audit (that focuses on the transition)
- A management review (focusing on the transition)
We recommend combining the transition audit with your next surveillance or re-certification audit; this way you can re-use the existing internal audit and management review slots.
Once the transition audit is done by your registrar, you will be issued an updated certificate.
Can I still become certified to ISO 27001:2013?
Not anymore. Organizations that have not yet been certified could complete their implementation based on ISO 27001:2013 and become certified until April 30 of 2024.
What about ISO 27001:2023?
In 2023, ISO 27001:2022 was acknowledged as a European standard. As a result, some of the previously released 2022 versions were retracted and replaced by 2023 versions. The only difference is the addition of a comment in the preface.
Your registrar may require the full localized name of the standard to be included on your Statement of Applicability (e.g. NEN-EN-ISO/IEC 27001:2023 instead of just ISO 27001:2022).