Learn How Recent ISO 27001 Updates Could Impact Compliance

Learn How Recent ISO 27001 Updates Could Impact Compliance

Since it was published on January 9th, 2023, there has been additional guidance released. See below for updates:


For clients that are recertifying this year (2023) to the 2013 standard - you will notice that their Certification will have an expiration date of October 2025 (2 years out). 

  • If asked, this does not mean that a brand-new recertification must be done in 2 years, just that the client must adopt the 2022 standard prior to that date.
  • Once the client adopts the new standard (during Surveillance 1/2 or during a special audit), the certification will be reissued, with an appropriate expiration date that aligns with their standard 3-year cycle.

 

For Initial Certifications - Initial and Recertification Audits shall be conducted against the 2022 version as of April 30th, 2024. Until this date, clients can get certified with the 2013 version.

  • This date was updated from October 31, 2023, previously.

 

For existing certifications (i.e., certifications in Surveillance years during 2024/2025) – clients must complete their audits against the 2022 framework prior to October 31st, 2025, otherwise their certificate will expire.

  • This was an update from April 30, 2024.  That said, we should still recommend that the transition in the 2024 timeframe. That may be the update we make in our marketing document.

Overview

The International Organization for Standardization (ISO) announced the release of an updated version of the ISO 27001 standard on October 25, 2022. These revisions reflect changes to the ISMS framework guidance, designed to enhance a company’s security posture and to protect against the continued rise in cyberattacks and data breaches. 


What are the Key Changes?

Main Clauses

In reviewing the ISO/IEC 27001:2022 changes to clauses 4 to 10, noted the following:

  • Clause 4.2 new requirement added “Understanding the needs and expectations of interested parties,”
  • Clause 6.2 “Information security objectives and planning to achieve them” introduces two new requirements which include monitoring information security objectives and ensuring they are available as documented information.
  • Clause 6.3 “Planning of changes” is a new requirement of ISO/IEC 27001:2022. When determining the need for changes to the ISMS, the organization must carry out those changes in a planned manner. 
  • Clause 8.1 has added a requirement for organizations to plan, implement and control the processes needed to meet requirements, and to implement the actions determined in Clause 6.


Domains

The ISO has restructured the domains featured in the ISO 27001 standard, replacing the 14 sections they had previously with the following four sections and two new annexes. As a result, the number of information security controls have decreased from 114 to 93.

New Sections 

  • Organizational Controls (37) – Now Domain 5
  • People Controls (8) – Now Domain 6
  • Physical Controls (14) – Now Domain 7
  • Technological Controls (34) – Now Domain 8

New Annexes

  • Annex A, summarizes guidance for the application of attributes to the controls detailed in the new Domains 5 - 8, and
  • Annex B, provides backwards compatibility from ISO/IEC 27002:2022 controls to ISO/IEC 27002:2013 to help organizations transition to the current standard.


Controls

The following 11 control topics were also introduced. Now categorized holistically as either people, physical, technology, or organizational, these new controls include:

  • Threat intelligence (5.7)
  • Information security for the use of cloud services (5.23)
  • ICT readiness for business continuity (5.30)
  • Physical security monitoring (7.4)
  • Configuration management (8.9)
  • Information deletion (8.10)
  • Data masking (8.11)
  • Data leakage prevention (8.12)
  • Monitoring activities (8.16)
  • Web filtering (8.22)
  • Secure coding (8.28)

Below are the top takeaways from control level updates to ISO 27002:

  1. The 11 net new controls provide organizations with opportunity for a specific control aligned with technology advances and in response to increased risk areas representative of changes in the security landscape since 2013. Previously those activities might have been recognized in an area not specifically designed for the control.
  2. The 2022 framework includes 24 instances of control numbering that combined multiple controls from the 2013 framework. This effectively reduced redundancy by combining similar controls addressing a particular objective. 
    Example: prior controls 9.2.4, 9.3.1, 9.4.3 were combined into 2022 framework control 5.17 (authentication information). Consolidation makes sense since legacy controls similarly addressed aspects of password security that are logically related. 
  3. There are 58 controls from 2013 that have been renumbered to align with the 4 new 2022 classification themes. These 2022 controls remain consistent with legacy guidance.


Effective Dates and Transition

Below are key dates for the transition period as defined by the International Accreditation Forum (IAF) August 2022 guidance.  

4/30/2023Accreditation bodies/auditors must be ready to assess to ISO 27001:2022.  
10/31/2023Organizations seeking initial ISO 27001 certification will be required to adopt the new standard.
4/30/2024All existing ISO/IEC 27001:2013 Certified Clients shall be audited (surveillance or recertification audits) against ISO/IEC 27001:2022.
10/31/2025Organizations with an active ISO 27001 certification will be required to transition to the new standard.  All ISO 27001:2013 certificates issued after October 31st, 2022, will expire on October 31st, 2025.


Our Perspective

The ISO 27001 framework update delivers the most significant impact through streamlining and reorganizing the familiar Annex A controls into four broad categories - organizational, people, physical and technological controls.  

For most organizations with a robust security risk management programs and controls, it will largely be a matter of updating control language, mappings, risk assessments, internal audits and documentation to consider the new Clause updates and Annex A controls.  It may also be a good opportunity to take a fresh look at the company's control framework and structure.

Those who also certify against ISO 27701, ISO 27017 and ISO 27018 should still be mindful of ISO 27001:2013 as the current versions of those standards still reference, incorporate and build upon its content.

For organizations that are new to ISO or have a less mature security program, it may be beneficial to perform a full gap analysis based on the new Annex A controls before proceeding to a certification audit.

As a certified ISO 27001 Assessor, BDO can help identify how these changes might impact your company’s cyber security infrastructure and develop a timely implementation plan to help ensure compliance. 

Our professionals can assist through each stage of the audit workflow, including: 

  • Initial documentation and forms
  • Submitting the audit plan
  • Conducting the initial certification audit
  • Completion of the audit report
  • Certification decision
  • Maintaining certification

Each of these third-party attestation processes help a company evaluate and improve its information security controls and capability to mitigate the risk of cyberthreats. Additionally, the resulting independent auditor’s reports can then be shared with third parties to help address their security concerns.