On October 25, ISO 27001:2022 was released, replacing the version from 2013. To help you determine the impact on your ISMS implementation, we have compiled this FAQ.
Table of contents
- What’s new?
- What about localized versions?
- What about other standards in the ISO 27000-family?
- When will Instant 27001 be updated?
- How can I update my existing Instant 27001 implementation?
- Can I upgrade to Instant 27001 for Microsoft?
- When does my ISMS need to be updated?
- Can I still be certified according to ISO 27001:2013?
- Can I already become certified to ISO 27001:2022?
What’s new?
Management system
The management system of ISO 27001:2022 contains a few minor changes, aligning it to Annex SL ↗️.
These changes include:
- Refinement of 4.1 Context
- Refinement of 4.2 Interested parties
- Refinement of 4.4 ISMS
- Refinement of 6.1.3 Risk treatment
- Refinement of 6.2 Objectives
- Addition of 6.3 Change management
- Refinement of 7.4 Communication
- Rewrite of 8.1 Operational planning
- Refinement of 9.1 Monitoring
- Splitting of 9.2 into 9.2.1 General / 9.2.2 Audit program
- Splitting of 9.3 into 9.3.1 General / 9.3.2 Input / 9.3.3 Output (and the addition of an extra topic)
- 10.1 Improvement and 10.2 Nonconformities have changed places (!)
Annex A controls
Annex A of ISO 27001:2013 contained 114 controls, divided over 14 chapters. This has been restructured, the 2022 version now contains 93 controls, divided over 4 chapters:
- 5. Organizational (37 controls)
- 6. People (8 controls)
- 7. Physical (14 controls)
- 8. Technological (34 controls)
While some controls appear to have been merged, other controls look new and might require some tweaking of your existing implementation – if you wish to include them in your Statement of Applicability, of course:
| ISO 27001:2022 | ISO 27001:2013 equivalent |
|---|---|
| A.5.7 Threat intelligence | A.6.1.4 Contact with special interest groups |
| A.5.16 Identity management | A.9.2.1 User registration and de-registration |
| A.5.23 Information security for use of cloud services | A.15.x Supplier relationships |
| A.5.29 Information security during disruption | A.17.1.x Information security continuity |
| A.5.30 ICT readiness for business continuity | A.17.1.3 Verify, review and evaluate information security continuity |
| A.7.4 Physical security monitoring | A.9.2.5 Review of user access rights |
| A.8.9 Configuration management | A.14.2.5 Secure system engineering principles |
| A.8.10 Information deletion | A.18.1.3 Protection of records |
| A.8.11 Data masking | A.14.3.1 Protection of test data |
| A.8.12 Data leakage prevention | A.12.6.1 Management of technical vulnerabilities |
| A.8.16 Monitoring activities | A.12.4.x Logging and monitoring |
| A.8.23 Web filtering | A.13.1.2 Security of network services |
| A.8.28 Secure coding | A.14.2.1 Secure development policy |
What about localized versions?
Most translations will made available within 6 to 12 months, contact your local ISO member ↗️ for more details.
What about other standards in the ISO 27000 family?
Updates of related standards (ISO 27017, 27018, 27701, 27799, NEN 7510) largely depend on their initial release date, following the standard 5 year review cycle. Just like ISO 27002 (which started development in 2018) this might take another 3 to 4 years, starting from the next review date.
Below is an overview of all standards in the ISO 27000 family, their status and the expected release dates.
| Standard | Status | Expected |
|---|---|---|
| ISO 27017:2015 | This standard was last reviewed and confirmed in 2021. Therefore this version remains current (source ↗️) | |
| ISO 27018:2019 | Pending review in 2024 (source ↗️) | |
| ISO 27701:2019 | Currently in development (source ↗️) | 2023 or 2024 |
| ISO 27799:2016 | 2022-02-16: New version under development (source ↗️) | 2025 |
| NEN 7510:2017 | Currently in development | 2023 or 2024 |
| BIO | Currently in development | 2023 or 2024 |
If you are (planning to be) certified for ISO 27001 in combination with any one of these standards, you have two options:
- Use them in combination with the 2013 control set, so the control numbers match (this should be acceptable)
- Use them in combination with the 2022 control set, accept the fact that the control numbers do not match, and divide your Statement of Applicability in multiple sections, one for each control set
When will Instant 27001 be updated?
Instant 27001 is following the market closely. The English version has been available since early 2022 (based on the drafts) and Dutch and German were done just days after the release of the translations.
How can I update my existing Instant 27001 implementation?
An update package is available for existing customers. This package consists of:
- The new Annex A structure containing all 93 controls
- Updates for the changed high level requirements
- All new and updated policies and procedures (for reference)
- A new Statement of Applicability
- A new Monitoring plan
- A new Internal audit program
- A new Internal audit report template
- A Gap analysis + action plan template (as required for the transition audit)
- Instructions how to merge the contents and update your existing ISMS
Can I upgrade to Instant 27001 for Microsoft?
When does my ISMS need to be updated?
The International Accreditation Forum (IAF) has released a document ↗️, indicating that
starting from the publication of ISO 27001:2022, certified organizations have 36 months to complete the transition, in this case no later than October 31 of 2025.
The transition consists of:
- Creation of a Gap analysis + action plan
- Updating the ISMS (controls, risk assessment, documentation)
- An internal audit (that focuses on the transition)
- A management review (focusing on the transition)
We recommend combining the transition audit with your next surveillance or re-certification audit, this way you can re-use the existing internal audit and management review slots.
Once the transition audit is done by your registrar, you will be issued an updated certificate.
Can I still become certified to ISO 27001:2013?
Organizations that have not yet been certified can complete their implementation based on ISO 27001:2013 and become certified until April 30 of 2024. You will then have 18 months to make the transition to ISO 27001:2022.
Can I already become certified to ISO 27001:2022?
Because the HLS has changed, registrars (a.k.a. certification bodies or auditing companies) are required to update their accreditation first. They have until Oct 31 of 2023 to do so (source ↗️). Since there is a commercial advantage, most of them will do this as soon as possible.
Organizations that have implemented ISO 27001:2022, who are facing a registrar that has not yet transitioned to 2022, can get certified to :2013 with just a modified Statement of Applicability (showing the :2013 controls). You can then transition to :2022 the next year. Contact us if you need help with this.