ISO 27001 standard for information security revised
Recently, the ISO 27001 standard for information security received an update. The revised standard was published on 25 October 2022. The updated standard has been aligned with ISO 27002:2022 published in February this year and includes some technical corrections. ISO 27001:2022 is subject to a three-year transition period. This means that certified organisations must have switched to ISO 27001:2022 by autumn 2025.
The ISO/IEC 27001 standard sets out the requirements for information security management systems and gives organisations direction for establishing, implementing, managing, maintaining, evaluating and improving an information security management system. The new version replaces ISO/IEC 27001:2017.
Harmonized Structure
Apart from alignment of ISO 27001 with the new ISO 27002 (which includes the 'controls' used by ISO 27001) and some technical corrections, the difference from the previous version of the standard lies mainly in the revised Annex A (see also this article from August 2022) and the structure of the standard. The 2022 version of ISO 27001 is classified according to the latest version of ISO's Harmonized Structure (HS), which makes it easier for organisations to integrate different management systems. Because of the HS, there is overlap between the different standards in the following areas:
- Context of the organisation;
- Leadership (policies, roles, authorizations and responsibilities);
- Planning (risks, objectives, legislation);
- Support (resources, competences, awareness, communication and documentation);
- Implementation;
- Evaluation (internal audits, management review);
- Improvement (continuous improvement, deviations and corrective actions).
Transition period
The introduction of ISO 27001:2022 means that organisations with an ISO 27001 certificate must transition to this revised version. A transition period has been set for this purpose. Its timeline is as follows:
- First, the accreditation bodies will have six months from now to assess against the new version.
- After that, the accreditation bodies will start assessing certification bodies. There is also a six-month period for this, so the accreditation bodies must have completed this no later than 12 months after publication of the updated standard.
- Meanwhile, but no later than 12 months after publication of the updated standard, certification bodies can start re-certifying certificate holders.
- As the transition period is set at three years, certification bodies must finish (re)certifying certificate holders by October 2025 at the latest.
During the transition period, both versions of the standard are valid and certifiable. This means that you can still be certified against the 'old' ISO 27001, but you can also opt for the new standard and start working with the new set of control measures.
Download the timeline ISO 27001:2022 (version 24 Feb 2023).
How can we help?
Do you have questions about ISO 27001:2022 and what it means for you? Please contact Kiwa’s Expert Center Cybersecurity (NL.cybersecurity@kiwa.com).