ISO 27001, a globally recognised standard for information security management systems (ISMS), underwent significant updates from its 2013 version to the latest 2022 edition.
This article covers the key differences between these two versions, highlighting the transition deadlines and the validity period of the 2022 version.
Understanding these changes is crucial for organisations aiming to maintain or achieve and maintain ISO 27001 certification.
Overview of ISO 27001
ISO 27001 is a comprehensive framework for managing and protecting sensitive company information. It provides a set of standardised requirements for an Information Security Management System (ISMS).
The standard is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties.
ISO 27001:2013 Version
The 2013 version of ISO 27001 introduced a number of updates from its predecessor, focusing on a risk-based approach to information security and emphasising leadership engagement and continuous improvement.
It was well-received for its flexibility and applicability to various types of organisations.
ISO 27001:2022 Version
In 2022, ISO 27001 received another update. This version reflected the latest trends in information security and addresses emerging risks in the digital landscape.
It introduced new controls and updated existing ones, ensuring that the standard remains relevant in a rapidly evolving cyber environment.
Key Differences Between 2013 and 2022 Versions
Structure and Controls
One of the most significant changes is the restructuring of Annex A, which contains the reference control objectives and controls.
The 2022 version has reduced the number of control categories from 14 to 4, streamlining the framework and making it more user-friendly.
Additionally, the total number of controls has decreased from 114 to 93, with some controls being merged or removed, and new ones introduced.
New and Updated Controls
The 2022 version included several new controls that address contemporary security challenges, such as information security for cloud services, threat intelligence, and data leakage prevention.
Those additions reflect the growing importance of cloud computing, big data, and the need for more proactive security measures.
Both versions emphasise risk management, but the 2022 update places a stronger focus on establishing, implementing, maintaining, and continually improving an ISMS.
It encourages organisations to adopt a more dynamic approach to risk management, aligning with evolving threats and business changes.
Emphasis on Leadership
The 2022 version continues to stress the importance of top management involvement in the ISMS.
It places greater emphasis on leadership roles and responsibilities, ensuring that information security is integrated into the organisation’s processes and aligned with its strategic direction.
Transition from 2013 to 2022 Version
Organisations currently certified under the 2013 version need to transition to the 2022 version and The International Accreditation Forum (IAF) has provided a transition period for this update …
As of the publication date of the 2022 version, organisations have a three-year transition period to update their ISMS and achieve certification against the new standard. Failure to transition within this timeframe may result in the loss of certification.
Validity Period of the 2022 Version
The 2022 version of ISO 27001 does not have a specified expiry date. However, certifications are typically valid for three years, subject to annual surveillance audits to ensure ongoing compliance. After three years, a re-certification audit is required.
It is important to note that the standard may be revised again in the future, necessitating further updates to the ISMS.
The transition from ISO 27001:2013 to 2022 is a significant step for organisations committed to robust information security practices.
The updated version addresses contemporary challenges and ensures that the standard remains relevant and effective in protecting sensitive information.
Organisations are encouraged to begin their transition as soon as possible to align with the new requirements and maintain their commitment to information security excellence.