ISO/IEC 27001:2022 – how different is the new standard?

ISO/IEC 27001:2022 is currently due for publication in early October 2022. How different will it be from the current version of the Standard, which has been in use since 2013? Should an organisation delay kicking off an ISO 27001 implementation and certification project until the new standard is available?

The most recent draft of the new standard, together with inside knowledge of discussions in the standard-setting committee, indicates that changes to ISO 27001 will be minimal.

A change to Clause 6 (the addition of Clause 6.3 on planning of changes) and to a couple of notes has a minimal impact on implementation strategies and can easily be accommodated in projects starting before the publication of ISO/IEC 27001:2022.

The more significant change is in Annex A, which will be aligned with the controls set out in ISO/IEC 27002:2022, published in February 2022. That control set is reorganised from 114 controls in 14 domains into 93 controls in four themes (organisational, people, physical and technological), with 11 controls that have no direct 2013 predecessor.

But organisations implementing ISO 27001 are not obliged to implement the controls in Annex A as written. The requirement (Clause 6.1.3) is that the implementing organisation selects the controls it needs from whatever source it considers appropriate, compares them with Annex A to check that no necessary control has been overlooked, and records the result in a Statement of Applicability that justifies the inclusion of each control and the exclusion of any Annex A control that is not implemented.

What does that mean, from an implementation point of view? It means that an organisation can go ahead, today, and implement a management system that can be certified to ISO 27001:2013, in the knowledge that the transition to ISO/IEC 27001:2022 will require only minimal effort, and that the transition deadline is not expected to fall before late 2024.

This transition could be as simple as revising your Statement of Applicability to map the 2013 controls to the 2022 controls. That mapping is already set out in Annex B of ISO/IEC 27002:2022, in both directions. The one point to watch is the handful of 2022 controls with no 2013 predecessor (threat intelligence, cloud services, configuration management, secure coding and the like): these will not be carried across by the mapping, so each needs an explicit applicability decision and justification in the new Statement of Applicability.
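As an added illustration of that mapping step (not code from the original article), the script below carries a 2013-structured Statement of Applicability forward into the 2022 layout. The mapping table is a small constructed subset of Annex B of ISO/IEC 27002:2022, written from memory and to be checked against the published annex before use; the SoA rows are invented sample data. It merges many-to-one controls, keeps every 2013 justification, flags new 2022 controls for a decision, and reports 2013 rows that the mapping table does not cover.

```python
"""Carry a 2013 Statement of Applicability forward to the 2022 Annex A layout.

Added example, not part of the original article. MAPPING_2013_TO_2022 is a
constructed subset of Annex B of ISO/IEC 27002:2022 (verify against the
published text); SAMPLE_SOA_2013 is invented sample data.
"""
from dataclasses import dataclass, field

# 2022 control id -> (title, list of 2013 predecessor ids).
# An empty predecessor list marks a control that is new in the 2022 edition.
MAPPING_2013_TO_2022 = {
    "5.1":  ("Policies for information security", ["A.5.1.1", "A.5.1.2"]),
    "5.7":  ("Threat intelligence", []),
    "5.15": ("Access control", ["A.9.1.1", "A.9.1.2"]),
    "5.23": ("Information security for use of cloud services", []),
    "8.5":  ("Secure authentication", ["A.9.4.2"]),
    "8.7":  ("Protection against malware", ["A.12.2.1"]),
    "8.8":  ("Management of technical vulnerabilities", ["A.12.6.1", "A.18.2.3"]),
    "8.9":  ("Configuration management", []),
    "8.15": ("Logging", ["A.12.4.1", "A.12.4.2", "A.12.4.3"]),
    "8.24": ("Use of cryptography", ["A.10.1.1", "A.10.1.2"]),
    "8.28": ("Secure coding", []),
}

# Constructed 2013 SoA: control id -> (applicable, justification).
SAMPLE_SOA_2013 = {
    "A.5.1.1": (True, "Information security policy approved by the board"),
    "A.5.1.2": (True, "Policy reviewed annually"),
    "A.9.1.1": (True, "Access control policy in place"),
    "A.9.1.2": (True, "Network access restricted by role"),
    "A.9.4.2": (True, "MFA enforced on all remote access"),
    "A.12.2.1": (True, "EDR deployed on all endpoints"),
    "A.12.6.1": (True, "Monthly vulnerability scanning and patch SLA"),
    "A.18.2.3": (False, "No separate technical compliance review; covered by A.12.6.1 scanning"),
    "A.12.4.1": (True, "Central log collection"),
    "A.12.4.2": (True, "Log integrity protected by write-once storage"),
    "A.12.4.3": (True, "Administrator activity logged"),
    "A.10.1.1": (True, "Cryptography policy"),
    "A.10.1.2": (True, "Key management via HSM"),
    "A.11.2.8": (False, "Unattended equipment: covered by screen-lock policy"),  # not in the subset above
}


@dataclass
class SoaEntry:
    control_id: str
    applicable: bool
    justification: str
    sources: list = field(default_factory=list)  # 2013 ids this row was derived from
    needs_decision: bool = False  # new control, or a predecessor missing from the input


def map_soa_to_2022(soa_2013, mapping=MAPPING_2013_TO_2022):
    """Build a 2022-structured SoA from a 2013 one.

    A merged 2022 control is applicable if any of its predecessors was
    applicable, since merging cannot narrow what the ISMS already covers.
    Justifications are concatenated so nothing recorded is lost. Controls
    with no predecessor, or with a predecessor absent from the 2013 SoA,
    are flagged rather than silently marked applicable or excluded.
    """
    result = {}
    for cid, (title, predecessors) in mapping.items():
        if not predecessors:
            result[cid] = SoaEntry(
                cid, False,
                f"NEW in 2022 ({title}): no 2013 predecessor, applicability to be decided",
                [], True)
            continue
        present = [p for p in predecessors if p in soa_2013]
        missing = [p for p in predecessors if p not in soa_2013]
        applicable = any(soa_2013[p][0] for p in present)
        parts = [f"{p}: {soa_2013[p][1]}" for p in present]
        if missing:
            parts.append("MISSING from 2013 SoA: " + ", ".join(missing))
        result[cid] = SoaEntry(cid, applicable, "; ".join(parts), present, bool(missing))
    return result


def unmapped_2013_controls(soa_2013, mapping=MAPPING_2013_TO_2022):
    """2013 rows the mapping table does not cover; with the full Annex B this should be empty."""
    covered = {p for _, preds in mapping.values() for p in preds}
    return sorted(c for c in soa_2013 if c not in covered)


if __name__ == "__main__":
    for entry in map_soa_to_2022(SAMPLE_SOA_2013).values():
        flag = " [DECISION NEEDED]" if entry.needs_decision else ""
        print(f"{entry.control_id:5} applicable={entry.applicable!s:5} {entry.justification}{flag}")
    print("2013 rows not covered by this mapping subset:", unmapped_2013_controls(SAMPLE_SOA_2013))
```

Run it as-is and the new controls 5.7, 5.23, 8.9 and 8.28 come out flagged for a decision, 8.8 is applicable even though one of its two predecessors was excluded, and A.11.2.8 is reported as uncovered by the subset table. Replacing the subset with the full Annex B table turns the uncovered list into a completeness check on the mapping itself.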

How does that work?

It will take accreditation bodies about six months to establish an ISO/IEC 27001:2022 certification scheme, and accredited certification bodies then need to train their auditors on the revised scheme. After that there is a transition period, typically of 18 months, during which certificates to the 2013 version remain valid.

If the new standard is published in October 2022, conformance to the 2022 version will only become mandatory around October 2024, and accredited certification to it is unlikely to be available before April 2023.

So, if you see a benefit in implementing, and being certified to, ISO 27001, the sensible step is to get started today. The Clause 6.3 change can be built in before the 2022 version of the Standard is published, and the ISO/IEC 27001:2013 Annex A controls can, as mentioned above, simply be mapped to the 2022 Annex A.

Of course, if revisions to the Standard are unexpectedly more complex, then the transition period may be even longer.

As things stand, the best time to kick off an ISO 27001 project is right now: cyber criminals are not waiting, and your clients are increasingly reluctant to deal with suppliers whose information security frameworks are inadequate to meet today's cyber challenges.