Transitioning to ISO 27001:2022 or ISO 27001:2023
Anne Sophie Dil
Co-Founder at NAALA
Published on 16 January, 2024
By: Anne Sophie Dil – Co-Founder at NAALA
Published on 16 January, 2024
In the dynamic landscape of information security, staying updated with the latest standards is essential. The recent publication of ISO 27001:2022 or ISO 27001:2023 – read more about that below – is of interest to anyone who has, or wishes to obtain, information security certification. In this blog, we cover the ins and outs, and explain key highlights necessary to make the transition smooth and efficient.
- Understanding ISO 27001. The standard is globally recognised standard providing framework for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). The revision of ISO 27001, resulting in the new version, is part of the regular updating process that ISO standards undergo to stay relevant and effective. The changes reflect the evolving nature of information security risks and practices. The new version of the standard brings key changes, including enhanced focus on information security in context of organization’s external and internal issues, greater emphasis on leadership and commitment, and inclusion of new controls and refinement of existing ones for addressing evolving security threats.
- ISO 27001:2022 or ISO 27001:2023. While ISO 27001:2022 was published in October 2022, ISO 27001:2023 was made available in August 2023. The latter is the European version of ISO 27001 and corresponds to the global version, but includes a European preface. This foreword is part of specific procedures established to harmonize global standards at the European level. European standards are uniform in all EU countries and conflicting national standards are not allowed. The European version is identical in content and requirements to the global version. In the rest of this blog, therefore, we refer to ISO 27001:2022, but it may as well read -2023 here.
- Implementation challenges. Transitioning to updated standard may present challenges like aligning new requirements with existing business processes, training staff on updated protocols, and ensuring continued compliance during transition. To overcome these, you should adopt phased approach, starting with gap analysis to identify areas needing attention and developing clear implementation plan. A comprehensive overview of steps to take to overcome implementation challenges can be found at the end of this blog.
- Benefits for your business. Upgrading to ISO 27001:2022 brings various benefits. It ensures your business is at forefront of information security best practices, enhancing reputation and building trust with stakeholders. Moreover, it provides robust framework for preemptively managing and mitigating information security risks, which is a crucial advantage in today’s digital landscape.
- Timelines. A realistic timeline for transitioning to ISO 27001:2022 is important to ensure a smooth process. Businesses should plan for period of 6 to 12 months, depending on their current ISMS maturity level.
- ISO 27001:2022 Toolkit. To assist businesses in this transition, NAALA offers a comprehensive ISO 27001:2022 Toolkit. This toolkit simplifies process by providing templates, guidelines, and tools designed to align efficiently with new standard requirements. Utilising this resource can significantly reduce time and effort needed for achieving compliance.
Ready for change? These are the steps to transition to ISO 27001:2022.
Transitioning to ISO 27001:2022 involves a series of steps that organizations should undertake to ensure compliance with the updated standard. Here is a general overview of the steps involved:
Gap analysis. The first step is to conduct a gap analysis to identify the differences between your current Information Security Management System (ISMS) and the requirements of the new ISO 27001:2022 standard. This analysis should focus on aspects like your policies, risk analysis, risk treatment plan, and the structuring of new and revised controls.
Action plan development. Based on the findings of the gap analysis, develop an action plan. This plan should detail how you will address the identified gaps, including specifying what changes are needed, who will be responsible for implementing them, and the timeline for completion.
Updating risk analysis and risk treatment plan. Review and update your existing risk analysis and risk treatment plan to align with the changes in the new standard, particularly the revised Annex A. This involves reassessing the controls and measures you have in place to mitigate risks and ensuring they are in line with the new requirements.
Adapting Annex A controls. The new standard includes 11 new control measures, and some existing measures have been combined. It is crucial to review these controls, assess their relevance to your organization, and integrate them into your ISMS.
Revision of the Statement of Applicability (SoA). The changes in Annex A necessitate a complete review and update of your Statement of Applicability. Create a new version of it, and ensure that it reflects the current state of controls as per the new standard.
Internal audit. Conduct an internal audit of your ISMS, focusing on the revised risk analysis, risk treatment plan, and the newly implemented or modified controls. This audit is a critical step in ensuring that the changes made are effective and compliant with the new standard. Are you still looking for an independent and expert internal auditor? We’re here to help!
Management review. Perform a management review as per clause 9.3 of the standard. This should include a discussion of the results from the internal audit and an evaluation of the overall readiness for transition to the new standard.
External audit. Finally, an external (transition) audit will be conducted by a certification body to assess your organization’s compliance with ISO 27001:2022. This audit will review all the steps you have taken during the transition process.
If you’re seeking a partner to guide and support you through this process, our expertise is just what you need. We offer comprehensive assistance, not only with the ISO 27001:2022 Toolkit and the internal audit process but also throughout every step of the transition. Our goal is to alleviate the burden from your team, ensuring a smooth and efficient path to compliance. Let us know what you are looking for, and together we will find an appropriate solution to achieve ISO 27001:2022 compliance as smoothly as possible!
Questions? We are happy to discuss your specific case.
Although the word “trend” typically sparks your curiosity, when paired with “information and cyber security”, we encourage you to be vigilant and mindful of the challenges foreseen. The landscape of information and cyber security is ever-changing, and 2024 brings its own set of challenges.
The European Commission adopted a revamped cybersecurity directive: Network and Information System (NIS) 2 Directive. This directive succeeds an earlier NIS Directive (called NIS (1) in this blog), as cyber threats developed faster than organisations and legislation were prepared for.
Please note that all details and listings do not claim to be complete, are without guarantee and are for information purposes only. Changes in legal or regulatory requirements may occur at short notice, which we cannot reflect on a daily basis.