Adopt ISO/IEC 27001:2022 now, and avoid exposure to unacceptable security risks

  
  Need help with implementing ISO/IEC 27001 or want to improve your ISMS? — contact IMS-Smart today for a consultancy quotation
 

Planning your transition to ISO/IEC 27001:2022

ISO/IEC 27001:2022 is the third edition of the ISMS standard. The changes concern a revised Annex A and alignment with the revised ISO Directives. Want to understand more about the changes?

At first view, transition is easy — just update your SOA to align it with the revised Annex A (there are mapping tables in ISO/IEC 27001:2022 — job done!, but why is there a three-year transition period — perhaps it is not so straightforward.

Want to see a step-by-step guide?

There are six steps

As shown later in this article:

  • acquire a copy of ISO/IEC 27001:2022 and study especially the changes
  • draw up your overall transition plan (and start implementing it)
  • compare your existing information security controls with those in the revised Annex A
  • add the additional/changed information security controls to your plan and implement
  • ensure that you are confident in being able to demonstrate conformance with the Harmonised Structure (HS) changes in ISO/IEC 27001:2022
  • liaise with your certification body over the timing of transitioning your ISMS to the new edition of the standard..

The step that demands the greatest skill is the third step — to compare your existing necessary controls with those in the revised Annex A. We explain why below in the section below entitled “The devil is in the detail”.

The purpose of this comparison is to help ensure that you have all the information security controls that you need to manage your information security risks. The proper way to do this is to forget the old Annex A. Do not even contemplate performing a delta using the mapping tables in ISO/IEC 27002:2022 — they are not accurate enough. Just start afresh and perform the comparison of your information security controls with those in ISO/IEC 27001:2022, Annex A.

Performing the comparison

Consider each Annex A control in turn, and ask “Do I do this?”. If the answer is “yes” you have a control that corresponds exactly to an Annex A control. If the answer is “no” the Annex A control is unnecessary for you, but you must justify its exclusion from your Statement of Applicability (SOA). There is, however, a third answer, “similar”, which means that you have a control that serves the same purpose of the Annex A control, but does not correspond exactly to it. It is a variant of that Annex A control. Record the variant in your SOA, since the SOA must contain all necessary controls.

Don’t refer to any control in the SOA as being “applicable” or “non-applicable”. Those terms have not appeared in ISO/IEC 27001 since 2013. The terms are “necessary controls” and "excluded Annex A controls".

Making the most of the comparison requirement

Book cover for ISO/IEC 27001:2022 — Mastering Risk Assessment and the Statement of Applicability by David Brewer

The control text in ISO/IEC 27001, Annex A, does not capture all the useful ideas contained in ISO/IEC 27002:2022. This is because the Annex A control texts are just summaries and sometimes fail to capture important control characteristics. Thus, there are ideas in the control purposes and control guidance that can also help you to determine missing controls from your risk treatment plan.

However, there is an alternative to studying the whole of ISO/IEC 27002:2022 — IMS-Smart On-Line has already extracted many of the useful ideas in the control purposes and control guidance for you.

IMS-Smart‘s software-as-a-service, IMS-Smart Online”, recasts the ISO/IEC 27002:2022 control text, purpose text and guidance as questions. Answer these and the SAAS will produce the SOA for you. The process is described, together with all the control questions in David Brewer‘s book “ISO/IEC 27001:2022 — Mastering Risk Assessment and the Statement of Applicability”, which is available on Amazon. There is another SAAS, the IMS-Smart Assistant, which automates the process.

IMS-Smart can import your IMS-Smart On-Line 2013 data into IMS-Smart On-Line 2022 for you. You can import the output from the IMS-Smart Assistant into IMS-Smart On-Line 2022.

Dealing with the new Annex A — your IMS-Smart options

There are three options which depend on how you established your ISO/IEC 27001:2013 conformant ISMS, and how you intend to establish your ISO/IEC 27001:2022 conformant ISMS.

IMS-Smart On-LineIMS-Smart On-Line

  • Prepare your new risk assessment, risk treatment and SOA using IMS-Smart On-Line 2022
  • Import your IMS-Smart On-Line 2013 data (except for your old risk assessment, risk treatment and SOA) into IMS-Smart On-Line 2022.

Custom approachIMS-Smart On-Line

  • Prepare your new risk assessment, risk treatment and SOA using IMS-Smart On-Line 2022
  • Manually copy the relevant documented information from your old ISMS into IMS-Smart On-Line 2022.

Custom approachCustom approach

  • Prepare your risk assessment, risk treatment and SOA using IMS-Smart Assistant
  • Export the results
  • Manually copy these results into your ISMS.

or, just use the questions in the book “ISO/IEC 27001:2022 — Mastering Risk Assessment and the Statement of Applicability” to manually recreate your risk assessment, risk treatment and SOA.

Dealing with the associated and HS changes

When you add the additional/changed information security controls to your plan, you must also add any associated changes, for example changes to policy, measurements and the internal audit programme.

In addition, you must ensure that you can demonstrate conformance with the HS changes. For a properly implemented ISO/IEC 27001:2013 conformant ISMS, there should be no need to change your ISMS to conform to these new and changed requirements. However, you need to know why and you might want to change your explanations of conformance. Both IMS-Smart On-Line 2022 and IMS-Smart Assistant have features which can help you in this respect.

Book cover for An introduction to ISO/IEC 27001:2022 by David Brewer

David Brewer’s book “An introduction to ISO/IEC 27001:2022”, gives a detailed explanation of the whole of ISO/IEC 27001:2022 and includes detailed information on transition. It is available on Amazon in e-book (£36.00) and paperback formats (price £42.25).

Whilst there is very little change to the Information security requirements, one of the most challenging and perplexing aspects of ISO/IEC 27001, is still risk assessment and the SOA, but that can easily be mastered, as can measuring performance, optimising, showcasing and exploiting your ISMS.

The devil is in the detail

Annex A

Comparison of the organisation’s necessary controls with those in the new Annex A has two possible outcomes:

  • The comparison determines that no necessary control has been overlooked.
  • The comparison determines that there is at least one necessary control that has been overlooked or requires change.

In the first case, you have concluded that none of the 11 new controls are necessary. However, you must justify their exclusion in your SOA. This means that the SOA must be updated. There is no requirement to use the same layout as Annex A for your SOA, but if you choose to do that, that is another change.

In the second case, you may have concluded that at least one of the 11 new controls is necessary. You could also have concluded that some of your existing necessary controls must be revised. However these additions and revisions are likely to require:

  • changes to the risk assessment (new controls implies that new risks have been identified)
  • changes to the risk treatment (new and changes controls implies that the treatment has changed)
  • changes to the risk treatment plan (because the risk treatment has changed)
  • implementing the new/changed controls.

There can also be consequential changes, for example to the policy, objectives, measurements, and the internal audit programme. Thus, the change in content of Annex A can bring about significant change in the ISMS.

In conclusion, this transition process is far more complicated than just updating your SOA using the ISO/IEC 27001:2022. Moreover, please be aware that these mapping tables are imprecise. The merging of controls was not always clean cut, and the mapping tables only show the principal mergers.

Harmonised structure (HS)

There is a new clause in ISO/IEC 27001:2022 (6.3) that requires organisations to carry out changes to the ISMS in a planned manner. This means that the changes to the ISMS required for transition must be planned. There are other changes that result from the changes to the core requirements. For properly implemented ISMS these can have no effect and no changes are required, other for the organisation to know what the changes are and how they are already fulfilled by its ISMS.

For example, consider the new requirement that “externally provided processes, products or services that are relevant to the ISMS are controlled”. If failure of such is an acceptable risk, then that process, product or service is not relevant to the intended results of the ISMS and need not be controlled. If failure presents an unacceptable risk, then that risk should have been assessed and treated by virtue of Clauses 6.1.2 and 6.1.3. However, it is advisable to check.

Likewise, the new requirement (4.2 c)): “which of these [interested party] requirements will be addressed through the ISMS”, should be equally benign. If an organisation decides to fulfil an interested party requirement that is relevant to the ISMS, it becomes an organisational requirement and is addressed through the ISMS. If such a requirement presents a risk (e.g., competitors and cybercriminals are interested parties) it does not become an organisational requirement (i.e., it is not fulfilled) but nevertheless it is still addressed through the ISMS by the information controls that the organisation uses to protect itself from the activities of such nefarious actors. Otherwise unfilled requirement are not relevant to the ISMS. However, care must be taken to ensure that certification scope statement does not imply the organisation fulfils some requirement when it does not.

Transition

Transition arrangements

The transition arrangements are governed by the International Accreditation Forum (IAF). In brief, from the last day the publication month of ISO/IEC 27001:2022 (i.e., 2022-10-31):

  • accreditation bodies must be ready to assess their certification bodies within 6 months
  • transition of certification bodies must be completed within 12 months
  • transition of certified clients must be completed within 36 months.

It is anticipated that several certification bodies will be ready to perform audits against ISO/IEC 27001:2022 by mid-2023.

When should I transition?

Comparison of necessary controls with the revised Annex A can result in the discovery of missing necessary controls, thereby implying that organisation is exposed to unacceptable information security risk. Since the purpose of an ISMS to manage information security risk, early adoption of ISO/IEC 27001:2022 is recommended.

Transition steps

  • acquire a copy of ISO/IEC 27001:2022 and study especially the changes
  • draw up your overall transition plan (and start implementing it)
  • compare your existing information security controls with those in the revised Annex A
  • add the additional/changed information security controls to your plan and implement
  • ensure that you are confident in being able to demonstrate conformance with the HS changes in ISO/IEC 27001:2022
  • liaise with your certification body over the timing of transitioning your ISMS to the new edition of the standard.

Want to know more?

David Brewer’s book “An introduction to ISO/IEC 27001:2022”, gives a detailed explanation of the whole of ISO/IEC 27001:2022 and includes detailed information on transition. It is available on Amazon in e-book (£36.00) and paperback formats (price £42.25).

If you have any question about ISO/IEC 27001:2022, just or use the find facility above. We will be pleased to assist.