ISO 27001 Transition: 2022 Guidance and Checklist
If your company currently holds an ISO 27001 certification, you should be aware of the ISO 27001 transition.
ISO 27001 is the international standard for information security. It is suitable for any organisation, as it deals with security issues relating to sensitive company information as well as personal information.
What is an ISO 27001 Transition?
The transition moves ISO 27001 from the 2013 version to the 2022 revision. If your organisation currently holds an ISO 27001:2013 certification, you will need to update your certification.
The changes were first introduced in 2022, and the deadline to transition your certification is October 2025.
If you currently hold an ISO 27001:2013 certificate and you are looking for a consultant to help you transition to ISO 27001:2022, contact Blackmores today. Our ISO 27001 consultants can discuss the transition with you and help you to adapt your management systems to achieve the newer revision.
Analysis of an ISO 27001 Transition
Many of our clients are asking about the differences between ISO 27001:2013 and ISO 27001:2022. We have a whole mini-series on our podcast, The ISO Show, all about the ISO 27001 transition.
There have been several changes: 56 controls have been combined into 24 newly titled controls, and 11 new controls have been added. This leaves 58 controls unchanged.
New Controls Added to ISO 27001:2022
To summarise, these are the 11 new controls that have been added to the ISO 27001 transition:
1. Control A.5.7 Threat Intelligence – ‘To provide awareness of the organisation’s threat environment so that the appropriate mitigation actions can be taken.’ – Threat Intelligence can come from many different sources. Some of the best places to look include the NCSC or local police websites, as well as tools that can be used to detect phishing attacks. As well as digital threats, you also need to think about physical security. ISO 27001 is about much more than just protecting data!
2. Control A.5.23 Information security for use of cloud services – ‘To specify and manage information security for the use of cloud services.’ – With the increase in cloud computing between 2013 and 2022, adding a control around this topic was incredibly important. The best place to start is to verify the security of your service provider to ensure it’s adequate by checking their valid information security credentials such as CSA STAR, Cyber Essentials and SOC. This also overlaps with principles of ISO 27017 (certification for cloud security), ISO 27018 (protection of PII in the public cloud) and ISO 27701 (PII security standard).
3. Control A.5.30 ICT readiness for business continuity – ‘To ensure the availability of the organisation’s information and other associated assets during disruption’ – There are a few other ISO standards that could assist with this, for example, ISO 27031 (ICT
4. Control A.5.30 ICT readiness for business continuity – further considerations: Recovery Time Objectives and Recovery Point Objectives are a big focus of this control of the standard. Business Continuity is one of the most important elements of security as it determines how your business will cope in the event of an attack or a breach. If you’re looking to dig deeper into business recovery time, you may want to check out BS 25777 (ICT continuity), which is an older certification that should be helpful to you and your business.
5. Control A.7.4 Physical security monitoring – ‘To detect and deter unauthorised physical access.’ – Physical security monitoring can include elements like CCTV, access control, swipe cards, etc. Within the monitoring elements, you should also have a method for detecting and alerting on anomalies.
6. Control A.8.9 Configuration management – ‘To ensure hardware, software, services and networks function correctly with required security settings, and configuration is not altered by unauthorised or incorrect changes’ – This involves configuration for any software or hardware that is required. Items such as firewalls, software, hardware devices and passwords should be documented, explained and monitored on a regular basis. This will ensure nothing changes without the relevant people being notified. For further guidance, you could find helpful elements within ISO 20000.
7. Control A.8.10 Information deletion – ‘To prevent unnecessary exposure of sensitive information and to comply with legal, statutory, regulatory and contractual requirements for information deletion.’ – Information deletion is a control that already existed in the ISO 27001:2013 Standard, but it has simply been clarified further. You will now need to prove that data has been deleted as required; you may need to provide relevant certificates if you currently use a 3rd party for this.
8. Control A.8.11 Data Masking – ‘To limit the exposure of sensitive data including PII, and to comply with legal, statutory, regulatory and contractual requirements.’ – There are three options when it comes to data masking: obfuscation, pseudonymisation and anonymisation. The data masking elements can also help your organisation to comply with GDPR requirements.
9. Control A.8.12 Data leakage prevention – ‘To detect and prevent the unauthorised disclosure and extraction of information by individuals or systems.’ – This control has been re-added from the previous 2005 version of ISO 27001. Organisations should have systems in place to monitor any particularly large data downloads – or even possibly large print batches. Secure email systems and regular security training are also a must for any organisation.
10. Control A.8.16 Monitoring Activities – ‘To detect anomalous behaviour and potential information security incidents.’ – Within ISO 27001, there is an element where monitoring and detecting unusual activities is required. This can help with security and with data breaches or other issues.
11. Control A.8.23 Web Filtering – ‘To protect systems from being compromised by malware and to prevent access to unauthorised web resources.’ – Because we use the internet and cloud-based systems, there is a case for including web filtering in ISO 27001. Your systems should ensure that people are unable to access insecure sites. Some organisations choose to extend this to social media.
12. Control A.8.28 Secure Coding – ‘To ensure the software is written securely, thereby reducing the number of potential information security vulnerabilities in the software.’ – Software must be written securely. If you use a 3rd party, this should be seen as standard. If you use a bespoke system, then you must evaluate it against industry professional standards.
Working with Blackmores for your ISO 27001 Transition
At Blackmores, we are ISO consultants. We work with organisations in various industries to help them create and implement management systems that comply with ISO standards so that they can achieve various certifications.
When it comes to completing an ISO 27001 transition, we have worked with many of our clients to help them make the required changes and ensure they are able to achieve certification to the 2022 version.
You only have until October 2025 to transition to the 2022 version of ISO 27001. If you would like expert advice and support, contact our team of isologists today.