The revised version of the ISO 27001 standard for information security was published in October 2022, with the previous version of this certification dating back to 2017. To make sure your organisation can make a good choice and determine the best time to switch to the revised version of the ISO 27001 standard, we had a conversation with colleague Tim Kemper. In this blog we are happy to take you by the hand and address the following questions:
- What are the changes in the new ISO 27001:2022?
- What are the main changes to the Harmonised Structure and management measures?
- What does the Gap analysis entail?
- As an organisation, how can you prepare for the transition to this updated version of the standard?
- As an organisation, how do you transition to the revised version of the ISO 27001 standard and how can Protify help your organisation?
- When is the best time for my organisation to switch, right now or upon recertification?
- What is the impact for your organisation?
What are the changes in the new ISO 27001:2022?
The main changes in the new standard compared to the version published in 2017 are as follows:
- The High Level Structure (HLS) has been renamed Harmonised Structure (HS) and a number of standard sections have been updated.
- The structure of the management measures has been changed and now consists of only four instead of 14 chapters. The number of management measures has been reduced, from 114 to 93. Some management measures have been merged; 11 new ones have also been added.
Read more about the changes in our blog New standard ISO 27001 version 2022.
What are the main changes to the Harmonised Structure (HS)?
- The organisation should describe which needs and expectations of stakeholders are met through the ISMS.
- The HS includes a new paragraph relating to change management. Changes to the management system should be carried out in a planned manner.
- Information security performance and ISMS effectiveness should be evaluated.
- The management review should now also assess changes in stakeholder expectations.

What are the biggest changes in management measures?
The biggest changes involve the control measures, which are explained in the topics below. For each topic, we indicate by means of a number of questions what you as an organisation should think about. By going through these questions, you can prepare your organisation for the new version of the ISO 27001 standard:
- Cloud services: As an organisation, what have you agreed with cloud service providers about the acquisition, use, management and termination of cloud services? For example, about an exit strategy (e.g. who retains ownership of the data)?
- Threat intelligence: How is your organisation kept abreast of information security threats, vulnerabilities and other issues? How do you respond to this as an organisation and how do you deal with it?
- Preventing data leaks: What information does your organisation have, and where is it stored? What measures has your organisation taken to prevent a data leak?
- Deleting information: How long do you need information within your organisation? After that, how do you make sure it is no longer freely accessible or is deleted? Think about a logical timeframe for keeping data (available).
- Software development, secure coding, or secure development: as an organisation, what do you consider in the development process? What are the secure coding principles, and how does testing take place? As an organisation, how do you ensure data masking, i.e. that not live data but representative and realistic test data are used?
- Configuration management: How do you ensure that your organisation’s IT infrastructure is configured appropriately, in line with the desired security level, taking standards into account? As an organisation, how do you ensure that this configuration remains appropriate, can only be adjusted according to a fixed process and that no one can independently make major changes without authorisation? Do you ensure that any changes are also registered?
- Additional monitoring requirements:
  - Web filtering: how do you make sure you block harmful websites within your organisation?
  - Vulnerabilities: As an organisation, how do you ensure that you are informed about vulnerabilities, for example by organisations specialising in them?
  - Data backup policy: What is the data retention period?
  - Supplier registration: How are suppliers registered?
Gap analysis: how can your organisation comply with the new version of ISO 27001?
Does your organisation want to transition to the new version of ISO 27001? Then the certification body (CB) must perform a transition audit. This transition audit usually takes half a day and consists of the following components:
- Assessing how you as an organisation have implemented the new and amended requirements of the standard. This is the main focus of the audit.
- Assessing how these changes have been incorporated into the management system (ISMS).
- Assessing the new Statement of Applicability (SoA).
- Checking whether there are any adjustments to the risk treatment plan.
In short, this transition audit focuses on how your organisation has implemented the new standard requirements and how this has been applied in the ISMS. A transition audit entails additional costs that you as an organisation would not otherwise have.
How can Protify support your organisation with the transition to ISO 27001:2022?
We offer two sessions of 2.5 to 3 hours:
- Gap analysis and introduction of the new standard:
  - What are the changes in the new ISO 27001? We look at HS versus HLS and the changes in control measures. What do these changes entail and what do they mean for your organisation?
  - Performing the gap analysis that is reviewed during the transition audit. We use this gap analysis to see how your organisation has complied with the new standard in your ISMS and what steps you may still need to take to become compliant. If your organisation is not yet certified, the gap analysis is not necessary.
- Fleshing out the new ISO 27001:2022: how do we flesh out the new parts of the standard together? Here we mainly look at the new control measures, how they should be elaborated and adapted.
Based on these two sessions, we create a set-up in the management system, included in the ProActive Compliance Tool (PCT), incorporating new components and adding to existing ones. This is presented to your organisation for review, so that it can then be finalised. This will then be used to determine whether your organisation is ready for the external audit. Also make sure you make an appointment with the certification body (CB) in good time when you want to (re)certify.
“Move to the new version of ISO 27001 at the end of the audit cycle or re-certification or before the end of 2025.”
– Tim Kemper, information security consultant at Protify
When is the best time to switch to the new standard?
“We advise our customers who are currently still in their certification cycle not to switch to the new version of ISO 27001, but rather to switch at the end of the audit cycle (at recertification). As an organisation, you can continue to use the version from 2017 until the end of your audit cycle. Even though there are differences in the versions of the standard, the current market does not yet consider which version of the standard your organisation is certified against. If you switch now as an organisation, you will incur additional costs, namely half a day for the analysis by the CB.
So our advice is: switch when you have to, either at the end of the audit cycle or at recertification, or before the end of 2025,” says Tim Kemper.
What is the impact for your organisation of moving to the new standard?
If, as an organisation, you are already certified for ISO 27001, the impact is not very big. Of course there are new control measures you need to implement as an organisation, but if you prepare yourself, for example by scheduling ISO 27001:2022 sessions with us, we can support your organisation in switching to the new standard at the right time. It involves supplementing your current management system and adding a number of components.
Want to learn more about ISO 27001:2022 and how and when your organisation can best transition?
Contact us and we will be happy to tell you what the best choice is for your organisation.