On October 25, ISO 27001:2022 was released, replacing the version from 2013. To help you determine the impact on your ISMS implementation, we have compiled this FAQ.
Table of contents
- What’s new?
- What about localized versions?
- What about other standards in the ISO 27000 family?
- When will Instant 27001 be updated?
- How can I update my existing Instant 27001 implementation?
- Can I upgrade to Instant 27001 for Microsoft?
- When does my ISMS need to be updated?
- Can I still be certified according to ISO 27001:2013?
- Can I already become certified to ISO 27001:2022?
What’s new?
The management system clauses of ISO 27001:2022 contain a few minor changes, aligning them with Annex SL.
These changes include:
- Refinement of 4.1 Context
- Refinement of 4.2 Interested parties
- Refinement of 4.4 ISMS
- Refinement of 6.1.3 Risk treatment
- Refinement of 6.2 Objectives
- Addition of 6.3 Change management
- Refinement of 7.4 Communication
- Rewrite of 8.1 Operational planning
- Refinement of 9.1 Monitoring
- Splitting 9.2 into 9.2.1 General / 9.2.2 Audit program
- Splitting 9.3 into 9.3.1 General / 9.3.2 Input / 9.3.3 Output (and the addition of an extra topic)
- 10.1 Improvement and 10.2 Nonconformities have switched numbers (!)
Annex A controls
Annex A of ISO 27001:2013 contained 114 controls, divided over 14 chapters. This has been restructured: the 2022 version contains 93 controls, divided over 4 chapters:
- 5. Organizational (37 controls)
- 6. People (8 controls)
- 7. Physical (14 controls)
- 8. Technological (34 controls)
While some controls appear to have been merged, other controls look new and might require some tweaking of your existing implementation – if you wish to include them in your Statement of Applicability, of course:
| ISO 27001:2022 | ISO 27001:2013 equivalent |
|---|---|
| A.5.7 Threat intelligence | A.6.1.4 Contact with special interest groups |
| A.5.16 Identity management | A.9.2.1 User registration and de-registration |
| A.5.23 Information security for use of cloud services | A.15.x Supplier relationships |
| A.5.29 Information security during disruption | A.17.1.x Information security continuity |
| A.5.30 ICT readiness for business continuity | A.17.1.3 Verify, review and evaluate information security continuity |
| A.7.4 Physical security monitoring | A.9.2.5 Review of user access rights |
| A.8.9 Configuration management | A.14.2.5 Secure system engineering principles |
| A.8.10 Information deletion | A.18.1.3 Protection of records |
| A.8.11 Data masking | A.14.3.1 Protection of test data |
| A.8.12 Data leakage prevention | A.12.6.1 Management of technical vulnerabilities |
| A.8.16 Monitoring activities | A.12.4.x Logging and monitoring |
| A.8.23 Web filtering | A.13.1.2 Security of network services |
| A.8.28 Secure coding | A.14.2.1 Secure development policy |
What about localized versions?
The Dutch version was released in December 2022 (available here).
Other localized versions are under development; we will update this page as they are released.
What about other standards in the ISO 27000 family?
Updates of related standards (ISO 27017, 27018, 27701, 27799, NEN 7510) largely depend on their initial release date, following the standard 5-year review cycle. Just like ISO 27002 (whose revision started in 2018), this might take another 3 to 4 years, counting from the next review date.
Below is an overview of all standards in the ISO 27000 family, their status and the expected release dates.
| Standard | Status | Expected release |
|---|---|---|
| ISO 27017:2015 | This standard was last reviewed and confirmed in 2021. Therefore this version remains current (source) | |
| ISO 27018:2019 | Pending review in 2024 (source) | |
| ISO 27701:2019 | Currently in development (source) | 2023 or 2024 |
| ISO 27799:2016 | 2022-02-16: New version under development | |
| NEN 7510:2017 | Currently in development | 2023 or 2024 |
| BIO | Currently in development | 2023 |
If you are (planning to be) certified for ISO 27001 in combination with any one of these standards, you have two options:
- Use them in combination with the 2013 control set, so the control numbers match (this should be acceptable)
- Use them in combination with the 2022 control set, accept the fact that the control numbers do not match, and divide your Statement of Applicability into multiple sections, one for each control set
When will Instant 27001 be updated?
The English and Dutch versions of Instant 27001 are already updated, so you can start your implementation based on the 2022 version today!
How can I update my existing Instant 27001 implementation?
An update package is available for existing customers. This will contain the following:
- The new Annex A structure containing all 93 controls
- Updates for the changed high level requirements
- All new and updated policies and procedures (for reference)
- A new Statement of Applicability
- A new Monitoring plan
- A new Internal audit program
- A new Internal audit report template
- Instructions on how to merge the contents and update your existing ISMS
This update package is confirmed for the English, Dutch and German versions (pending their releases).
Can I upgrade to Instant 27001 for Microsoft?
When does my ISMS need to be updated?
The International Accreditation Forum (IAF) has released a document indicating that, starting from the publication of ISO 27001:2022, certified organizations have 36 months to complete the transition, in this case no later than October 31, 2025.
Technically, requirement 6.1.3 leaves the door open to continue using the 2013 control set, if you deem it more appropriate. In that case, adding a single line of text to your Statement of Applicability stating this should suffice.
However, most organizations will choose to migrate their implementation prior to their next audit, to be in line with stakeholder expectations.
Can I still become certified to ISO 27001:2013?
Organizations that have not yet been certified can complete their implementation based on ISO 27001:2013 and become certified until October 31, 2023. You will then have 2 years to make the transition to ISO 27001:2022.
Can I already become certified to ISO 27001:2022?
Because the HLS has changed, registrars (a.k.a. certification bodies or auditing companies) are required to update their accreditation first. They have until October 31, 2023 to do so (source). Since there is a commercial advantage, most of them will do this as soon as possible.
Organizations that have implemented ISO 27001:2022 but face a registrar that has not yet transitioned to 2022 can get certified to :2013 with just a modified Statement of Applicability (showing the :2013 controls). You can then transition to :2022 the following year. Contact us if you need help with this.