Initiate ISO 27001:2013 to ISO 27001:2022 transition with us
As a leader in ISO 27001 implementation consulting, training and certification services in the Philippines, we offer a simple yet effective and 100% successful solution to help organizations migrate from the old ISO 27001:2013 to the new ISO 27001:2022 standard.
ISO 27001:2013 certified organizations will need to transition to the new revision (ISO 27001:2022) within 36 months from the last day of the publication month of ISO/IEC 27001:2022. Since the new standard was released on October 25, 2022, all currently certified organizations have until October 31, 2025 to transition to the new revision. Certification bodies will continue to issue new ISO 27001:2013 certificates until October 2023. We offer consulting, training and implementation services to organizations across the Philippines for a smooth transition from the old ISO 27001 version to the new ISO 27001 version.
The new ISO 27001:2022 standard was published in October 2022. This updated version of the standard includes several changes, which organizations will need to consider when migrating from ISO 27001:2013. This page will explore the key changes between the two standards and what organizations need to do to make sure they are compliant with the new requirements. We will also provide a step-by-step guide on how to migrate from ISO 27001:2013 to ISO 27001:2022.
What are the main changes in ISO 27001:2022
ISO 27001:2022 is the latest revision of the ISO 27001 standard for information security management and has replaced ISO 27001:2013.
The main changes between ISO 27001:2022 and ISO 27001:2013 are as follows:
Most of the core text in clauses 4 to 10 remains as it was, with only minor changes, especially in clauses 4.2, 6.2, 6.3 and 8.1, where updated content has been added.
Annex A controls are now better organized and more user-friendly. The number of Annex A controls decreased from 114 to 93, which makes management and implementation simpler. The decrease in the number of controls has mostly come from merging many of them: 35 controls have remained the same, 23 controls were renamed, 57 controls were merged into 24 controls, and one control has been divided into two. The 93 controls have been restructured into four control groups or sections.
The new control groups of ISO/IEC 27001:2022 are:
- A.5 Organizational controls – contains 37 controls
- A.6 People controls – contains 8 controls
- A.7 Physical controls – contains 14 controls
- A.8 Technological controls – contains 34 controls
The 11 new controls added in ISO 27001:2022 are as follows:
- Threat intelligence
- Information security for the use of cloud services
- ICT readiness for business continuity
- Physical security monitoring
- Configuration management
- Information deletion
- Data masking
- Data leakage prevention
- Monitoring activities
- Web filtering
- Secure coding
Further changes include:
- The scope of the standard has been expanded to include not just information security, but also cybersecurity.
- The structure of the standard has been revised to align with other recent ISO standards such as ISO 9001:2015 and ISO 14001:2015.
- The terminology used in the standard has been updated to reflect current usage. For example, the term “asset” is now used instead of “resource”.
- The requirements for risk assessment have been made more prescriptive. In particular, organizations must now identify and assess risks to their cybersecurity posture as well as their information security risks.
- The requirements for incident response have been updated to reflect the need for a more coordinated approach involving multiple stakeholders.
- A new Annex A provides guidance on how to implement an ISMS using a risk-based approach.
How to move from ISO 27001:2013 to ISO 27001:2022
With the release of ISO 27001:2022, organizations have the opportunity to update their certification to the latest version. This section provides a high-level overview of the steps involved in migrating from ISO 27001:2013 to ISO 27001:2022.
The first step is to review the changes between the two versions of the standard. The second step is to update your organization’s documentation to reflect the changes. The third step is to implement any necessary changes to your management system. Finally, you will need to undergo a re-certification audit by an accredited certification body.
Organizations that are already certified to ISO 27001:2013 can continue to use that version of the standard until their next scheduled surveillance or recertification audit. After that, they will need to migrate to ISO 27001:2022 to maintain their certification status.