That’s right folks, just 7 months left to go for you to get your systems transitioned to the 2022 updated version of ISO 27001.
The final date for transition is Friday 31st October 2025. That’s 35 more Fridays to go, which might sound like a lot, but consider for a minute: the update came out in October 2022, so that’s already been 123 weeks of putting it off as a problem for future you.

In the meantime, threats to information security continue to grow. Hopefully you can see them on the horizon, but many companies find it very easy to start lagging behind. Unfortunately, if you are still working to the 2013 edition of ISO 27001 then you’re now behind the curve.
It’s easy to put off the transition; it has been so far, anyway. But this will absolutely create unnecessary stress and potential complications down the line for you and your staff. The new updates to the standard introduce a number of controls that can be surprising time-sinks if you aren’t familiar with them. They can also end up costing a significant amount of time and money to implement if you aren’t careful.
The problem is, the longer you wait and mull this over, the greater your potential exposure is to emerging security and compliance threats, and the more resources and time you’ll need at the last minute to get it sorted. ISO 27001 certification isn’t just a tick-box exercise giving you a badge of compliance. It’s a commitment to proactive cybersecurity. If you fail to transition in time, you risk having your certificate revoked, which can impact existing client trust and even your ability to secure new contracts and customers.
Why transition to ISO 27001:2022 now?
There are some great reasons to act swiftly and update your Information Security Management System (ISMS) sooner rather than later.
Here are a few key benefits:
1. Improved Security Posture
The revised standard includes updated and new controls around cloud security, threat intelligence, incident management and more, which should make your ISMS more effective at protecting against modern cyber threats.
2. Easier Compliance with Regulations
Several regulations and pieces of legislation, including GDPR and NIS2, along with other industry-specific standards, are getting stricter, and some even require companies to demonstrate strong cyber security practices. ISO 27001:2022 aligns better with typical modern compliance frameworks, so it also makes it easier to meet regulatory obligations whilst conforming to ISO 27001 at the same time.
3. Maintain your Competitive Advantage
Many businesses and clients still look for ISO 27001 certification when choosing suppliers or partners. When they come to scrutinise your security certifications it will look infinitely better being on the latest edition of the standard, as it demonstrates your commitment to cybersecurity and shows that you are taking your certification seriously.
What’s Changed in ISO 27001:2022?
The 2022 edition introduces some key updates that make the framework more relevant to today’s security landscape. Some of these changes are quite crucial and can be surprisingly challenging:
1. Annex A, the Statement of Applicability (SOA) has been rejigged
Definitely the most significant update of the lot is the restructuring of Annex A, which now includes 93 controls (down from 114). Several controls have merged, some have been refined, and the overall structure of the SOA has been re-organised into four key themes:
- People
- Organisational
- Technological
- Physical
This restructuring is supposedly meant to make it easier to understand and implement the security measures, ‘making implementation more effective’, but we’ll have to wait and see if it’s really that groundbreaking.
2. New Security Controls (As part of the SOA update)
The 2022 update introduces 11 new controls that address modern cybersecurity challenges. These cover:
- Threat Intelligence – encouraging organisations to proactively collect and use threat intelligence.
- Information security for use of cloud services – providing specific guidance on securing cloud-based environments.
- ICT Readiness for business continuity – ensuring IT services are resilient against disruptions.
- Physical Security Monitoring – brings a simpler but more definitive stance on physical security than the previous edition.
- Configuration Management – enhancing security through better control of system configurations.
- Information Deletion – introduces the concept from GDPR that you can no longer keep data forever; as much as your inner dragon likes hoarding gold, you’re no longer allowed to emulate Smaug in Erebor (but with data!).
- Data Masking – introduces the concept that if people don’t need to know specific information to do their job, then they shouldn’t be able to see it. A simple principle in concept, but it can become complicated when looking at ways to apply it in a meaningful way.
- Data Leakage Prevention – strengthening data protection measures.
- Monitoring Activities – adds a bit of Big Brother seasoning to the standard to make sure your networks, systems and applications aren’t going haywire with “anomalous behaviour”.
- Web Filtering – makes it a requirement for you to make sure your staff aren’t using their web browsers to access anywhere dumb during work hours or from a work device.
- Secure Coding – this makes industry best practice essentially a requirement. It covers things like code reviews, peer checks before publishing, making sure you apply the least privilege principle, etc.
3. Enhanced Focus on Risk Management
The new standard places a stronger emphasis on risk-based thinking. Companies must ensure their ISMS is not just a static set of policies but that those policies are actually used; this also means making sure they are efficient and appropriate to the task.
4. More Flexibility in Implementation
ISO 27001:2022 does however allow for a more tailored implementation of controls based on an organisation’s specific risk environment. This should make compliance more efficient, but it also means companies must take a fresh look at how their security measures align with the new framework.
How to Get Started with the Transition
Switching to ISO 27001:2022 doesn’t have to be overwhelming. Here are some tips to make it more manageable:
1. You’ll need Leadership “Buy-In” so make sure they’re involved
All businesses need support from the leadership team when implementing new controls, policies, procedures or anything that disrupts the norm (sometimes even a new kettle needs approval). Without “buy-in” from leadership you may struggle with the resources you need to prioritise transitioning the system and making sure everyone understands and adheres to it.
2. Perform a Gap Analysis (if you want)
If you want to do the transition yourself, then you’ll need to assess your current ISMS against the new requirements; this is so you can identify any gaps and areas that need updating. This should then help you to create a clear action plan for the transition.
3. Update your Policies and Procedures
Many of the new controls require policy updates, or even new policies written from scratch. This is especially prevalent in areas like cloud security, threat intelligence and configuration management. You’ll need to make sure your documentation reflects the latest best practices too. (This is something we can help you do if you don’t have the time or knowledge.)
4. Train Your Team
Your staff must understand the changes and their implications. So, you’ll need to provide training on the new controls, risk management approach, and updated compliance requirements. People will need to understand these changes and how they impact the day-to-day operations of the business.
5. Schedule Your Certification Audit
I’ve written this blog on the assumption you’re already certified to ISO 27001:2013 (if that’s not the case then I at least hope you’ve enjoyed this read! And you should build your system around the 2022 edition from scratch instead of jumping through these hoops).
The certification body, I imagine, will also have been hounding you by this point, but you need to get booked in with them for your transition and tell them it’s a transition audit; they will undoubtedly want to add an extra day or more to your visit in order to transition you.
I had one customer who forgot to mention to the auditing body that they were transitioning, so when we were sat down in front of the auditor and I handed over our updated docs he was a little dumbstruck; after a quick panic call to his head office we ended up managing to transition that visit, but it was only because they were able to switch the auditor’s ‘office day’ to another assessment day.
They would have been well within their rights to have cancelled and rescheduled the visit, along with slapping our customer with an extra charge for the issue, had we not been so lucky. So, plan your transition audit well in advance; this will also help avoid last-minute bottlenecks from the limited supply of 27001 auditors that the cert bodies have.
Final Thoughts
Most cert bodies like to see at least 3 months of evidence of a new system being in place, which means, if you want to show them evidence of your new system, that 7 months to deadline drops to 4 months from now (to get your system updated and audited).
You’ve also got to consider your staff and the availability of the auditors to come and do the transition. With the Summer Holidays and Easter half-term happening, this could make it even more strategically challenging to transition before the deadline.
Ultimately, this deadline for transitioning isn’t as far off as it seems. It’s also not optional – it’s necessary to maintain your existing certification. Companies that delay risk operational disruptions, security vulnerabilities, and compliance failures.
Getting started now will save you from even more last-minute stress. Making the switch sooner means your compliance efforts will be all-round smoother, and you’ll be able to catch up to those early birds already standing proud with their 2022 certs pinned to their chests.
More importantly, waiting and leaving it much longer could mean a rushed, ineffective transition that leaves your organization exposed.
Don’t put it off. The threats won’t wait, and neither should you. Contact us now to get the ball rolling and we’ll see you through with time to spare.
Start your transition to ISO 27001:2022 today.