The typical lifespan of an ISO standard is five years. After this period, it is evaluated whether the standard remains valid, needs revision or should be retracted.
In 2018, five years after the publication of ISO 27001:2013, it was time for a revision of both ISO 27001 and ISO 27002. On February 15, 2022, ISO 27002:2022 was released (source), and ISO 27001:2022 is expected by October.
To help you determine the impact on your (upcoming) ISO 27001 implementation, we have compiled this page. Subscribe to our newsletter and you will be notified of any changes instantly!
Frequently asked questions
- What’s the difference between ISO 27001 and 27002?
- What’s new in ISO 27002:2022?
- What about ISO 27001?
- What about localized versions?
- What about other standards in the ISO 27000-family?
- When will Instant 27001 be updated?
- How can I update my existing Instant 27001 implementation?
- When does my ISMS need to be updated?
What’s the difference between ISO 27001 and 27002?
ISO 27001 contains the requirements to implement a management system for information security. ISO 27002 contains best practices, in the form of a set of security controls (or “measures”) that you can implement to improve your security.
ISO 27001 makes use of the controls from ISO 27002 in its Annex A (but rewritten in the normative form; e.g. it uses "shall" instead of "should").
ISO 27001 is the standard that you can certify against, while ISO 27002 is “just” a code of practice.
What's new in ISO 27002:2022?
ISO 27002 (and Annex A of ISO 27001) contained 114 controls, divided over 14 chapters. This has been restructured: the 2022 version contains 93 controls, divided over 4 chapters:
- 5. Organizational (37 controls)
- 6. People (8 controls)
- 7. Physical (14 controls)
- 8. Technological (34 controls)
While some controls appear to have been merged, other controls look new and might require some tweaking of your existing implementation, if you wish to include them in your Statement of Applicability, of course:

| ISO 27001:2022 | ISO 27001:2013 equivalent |
|---|---|
| A.5.7 Threat intelligence | A.6.1.4 Contact with special interest groups |
| A.5.16 Identity management | A.9.2.1 User registration and de-registration |
| A.5.23 Information security for use of cloud services | A.15.x Supplier relationships |
| A.5.29 Information security during disruption | A.17.1.x Information security continuity |
| A.5.30 ICT readiness for business continuity | A.17.1.3 Verify, review and evaluate information security continuity |
| A.7.4 Physical security monitoring | A.9.2.5 Review of user access rights |
| A.8.9 Configuration management | A.14.2.5 Secure system engineering principles |
| A.8.10 Information deletion | A.18.1.3 Protection of records |
| A.8.11 Data masking | A.14.3.1 Protection of test data |
| A.8.12 Data leakage prevention | A.12.6.1 Management of technical vulnerabilities |
| A.8.16 Monitoring activities | A.12.4.x Logging and monitoring |
| A.8.23 Web filtering | A.13.1.2 Security of network services |
| A.8.28 Secure coding | A.14.2.1 Secure development policy |
What about ISO 27001?
Besides replacing the controls in Annex A, we can confirm that ISO 27001:2022 will contain a few small changes to the management system, aligning it with Annex SL. These changes include:
- Refinement of 4.2 Interested parties
- Refinement of 4.3 Scope
- Refinement of 6.1.3 Risk treatment
- Addition of 6.3 Change management
- Splitting 9.2 into 9.2.1 General / 9.2.2 Audit program
- Splitting 9.3 into 9.3.1 General / 9.3.2 Input / 9.3.3 Output
These changes also require certification bodies to update their accreditation. They should do so within 12 months after publication of the standard (source).
ISO 27001:2022 was formally approved on September 22, 2022 (source). We expect ISO 27001:2022 to be released no later than October 2022. Subscribe to our newsletter below and we will update you instantly!
What about localized versions?
We have it on good authority that most localized versions are already under development, based on the released draft versions. We expect them to be released a few months after the respective English versions.
On June 22, 2022, the Dutch version of ISO 27002:2022 was released.
What about other standards in the ISO 27000 family?
Updates of related standards (ISO 27017, 27018, 27701, 27799) largely depend on their initial release date, following the standard 5-year review cycle. Just like ISO 27002 (which started development in 2018), this might take another 3 to 4 years, starting from the next review date.
Below is an overview of all standards in the ISO 27000 family, their status and the expected release dates.

| Standard | Status | Expected release |
|---|---|---|
| ISO 27017:2015 | This standard was last reviewed and confirmed in 2021. Therefore this version remains current (source) | |
| ISO 27018:2019 | Pending review in 2024 (source) | |
| ISO 27701:2019 | Pending review in 2024 (source) | |
| ISO 27799:2016 | 2022-02-16: New version under development | |
| NEN 7510:2017 | Pending release of ISO 27799 | 2025 or 2026 |
| BIO | Pending release of ISO 27002:2022 NL | 2023 |
If you are (planning to be) certified for ISO 27001 in combination with any one of these standards, you have two options:
- Use them in combination with the 2013 control set, so the control numbers match (this should be acceptable)
- Use them in combination with the 2022 control set, accept the fact that the control numbers do not match, and divide your Statement of Applicability into multiple sections, one for each control set
When will Instant 27001 be updated?
The English version of Instant 27001 has already been updated, based on ISO 27002:2022 and the published draft version of the ISO 27001 amendment, so you can start your implementation based on the 2022 version today!
How can I update my existing Instant 27001 implementation?
Once ISO 27001:2022 is published, an update kit will be made available for existing customers.
This update kit will contain the following:
- The new Annex A structure containing all 93 controls
- Updates for the changed high level requirements
- All new and updated policies and procedures (for reference)
- A new Statement of Applicability
- A new Monitoring plan
- A new Internal audit program
- A new Internal audit report template
- Instructions on how to merge the contents and update your existing ISMS
The price for the update kit will be € 995.
This update kit is confirmed for the English, Dutch and German versions (pending their releases).
When does my ISMS need to be updated?
The International Accreditation Forum (IAF) has released a document indicating that, starting from the publication of ISO 27001:2022, organizations have 36 months to make the transition (source).
Technically, the proposed amendment to ISO 27001 leaves the door open to continue using the 2013 control set, if you deem it more appropriate. In that case, adding just one line of text to your Statement of Applicability stating so should suffice.
However, most organizations will choose to migrate their implementation prior to their next audit, to be in line with stakeholder expectations.
Subscribe to our newsletter
Would you like to receive updates on the upcoming ISO 27001/27002 releases? Leave your email address below and we will keep you posted!
- Please use your professional email address
- Existing customers will be notified automatically when the update kit becomes available
The information you submit will be processed in line with our Privacy statement.