We can help you transition from ISO 27001:2013 to ISO 27001:2022.
By now, you've heard the news that ISO has updated its standard for information security management systems (ISMS). And while this may seem like a lot to take in, it's not as difficult as it seems.
In fact, we can help you get started with our ISOvA toolbox! This toolbox is designed to make your transition even easier by providing you with all the tools and resources you need to take care of business while staying compliant with the new standard.
We want to showcase our ability to help companies like yours make the transition from one version of ISO 27001 to another without missing a beat—and we're confident that our toolbox will do just that.
Here are a few comments from our experienced ISO consultants:
Graham – “It’s good to see more emphasis on Information security in cloud services and ICT readiness for business continuity, which is a good introduction to ISO 22301 Business Continuity.”
Siyar – “ISO/IEC 27001:2022 is a significant change. The new Information Security Management System standard is divided into four categories: People, Organisational, Technological, and Physical. There are 93 security controls instead of 114 compared to the previous version, ISO 27001:2013.
Some new controls, such as Threat Intelligence, Information security for cloud services, ICT readiness for business continuity, data masking, data leakage prevention, and web filtering, make the new standard more sophisticated and comprehensive.”
Eithne – “The changes introduced as part of the new ISO/IEC 27001:2022, published on 25 October 2022, include notable changes within the Annex A controls which we were previously familiar with and became accustomed to under the 2013 version of the standard. Also noted is the change in the title to the standard itself, which sees an inclusion of Cybersecurity and Privacy Protection elements.
The changes to the standard reflect an ever-changing and evolving security landscape and aim to meet the new challenges and risks associated with current business and organisational needs. One example of this is the ever-changing cyber threats which are constantly exploiting new weaknesses and vulnerabilities within organisations. The new standard has introduced a Threat Intelligence control aimed at addressing this issue.
A significant update within the new ISO/IEC 27001:2022 sees a shift in the structure of Annex A, which aligns with ISO/IEC 27002:2022, published on 15th February 2022. It also sees the number of Annex A controls decreasing from 114 to 93, and this has primarily resulted from 57 controls being merged into 24 controls. In addition, one control has been separated into 2 controls, with 35 remaining unchanged, and 23 being renamed.
The 93 controls which now exist within Annex A have been restructured from the previous 14 sections to a new 4-group structure as follows:
- A.05 Organisational Controls (37 controls)
- A.06 People Controls (8 controls)
- A.07 Physical Controls (14 controls)
- A.08 Technological Controls (34 Controls)
As well as the 11 new control areas added, it is also noted that clauses 4-10 have undergone a few minor changes, particularly within clauses 4.2, 6.2, 6.3 and 8.1.
Whilst it will take a period for the new changes to be fully established within current IS Management Systems, the changes appear to be a positive step forward to meeting the ever-growing demands and needs of organisations when it comes to complying with security requirements and protecting information processed on a day-to-day basis as part of their operations.”
How can AvISO help?
AvISO can assist clients by providing advice on moving current Information Security Management Systems over to the new standard, or indeed on implementing the new standard from scratch. Further detailed guidance, including answers to frequently asked questions, will be made available on our website shortly.
As always, feel free to reach out with any questions or concerns!