In February 2022, ISO 27002:2022 – the standard which provides the best practice controls that organisations can implement to improve security – was updated. As a result, a new version of ISO 27001 – the international standard which outlines the requirements of an information security management system (ISMS) – was also published on 25 October 2022.
The new version of the standard features the controls outlined by ISO 27002:2022, and organisations will need to revisit their risk assessment to determine whether updates or new risk treatments need to be implemented.
Here, we outline ten key steps that an ISO 27001 certified organisation can take to successfully transition to the new standard.
Ten steps to a successful ISO 27001:2022 transition
- Understand the changes
Build an understanding of ISO 27002:2022 as the new security controls feature in Annex A of ISO 27001. This is the most significant revision to the new standard.
ISO 27002:2022 has been restructured, featuring 93 controls instead of 114, split between 4 different themes:
53 controls from the previous version have been merged into 24 in ISO 27002:2022, with 11 new controls added. It should also be noted that the majority of controls are subject to some form of text change which could impact how the standard is interpreted and implemented.
2. Assess your training requirements
Create a training programme for your team members to build their knowledge around the standard and ensure they can implement the changes effectively.
Updated versions of LRQA’s ISO 27001 training courses will be available shortly with options for all experience levels including:
- An introduction to ISO 27001:2022
- ISO 27001:2022 Implementation
- ISO 27001:2022 Internal Auditor
- ISO 27001:2022 Auditor Conversion
- ISO 27001:2022 Lead Auditor Conversion
- ISO 27001:2022: Management Briefing
We can deliver our courses through multiple online, in-person or blended learning styles depending on what works best for you and your team members.
3. Perform a Gap Analysis on existing controls
A Gap Analysis that assesses your existing controls and risk treatments against those included in ISO 27002:2022 will help you identify focus areas that need to be addressed prior to your transition to ISO 27001:2022.
Annex B of ISO 27002:2022 is a good starting point as it includes a useful comparison of all available controls and how they correspond to those in the previous version (ISO 27002:2013). The updated standard divides controls into four key themes – organisational, people, physical, and technological – and we’d recommend forming a specialist team that can own and provide insight around these areas.
LRQA provide optional pre-assessment services that are carried out by expert auditors in the form of a Gap Analysis or Preliminary Audit. We’ll look at your existing controls and wider ISMS identifying any areas that need attention.
4. Revisit your Risk Assessment
It’s necessary to check that your risk assessment, along with its objectives and context, remains well aligned with your business and risk appetite - if it isn’t, changes need to be made. You may wish to consult ISO 27005 – the international standard that outlines the procedures for conducting an information security risk assessment.
5. Update your Risk Treatment Plan (RTP)
You’ll need to update the RTP to reflect your decisions regarding threat response, selecting appropriate controls from the updated version of ISO 27002, which feature in Annex A of ISO 27001:2022.
You may wish to engage LRQA to perform an additional Gap Analysis at this point to ensure that the controls selected are justified and effective. Our independent insights give you confidence in your organisation’s readiness, and Nettitude, our cybersecurity specialists, can provide advice and guidance around technical controls and services.
6. Update your Statement of Applicability (SOA)
It’s crucial to update your SOA to reflect the evidence and justification relating to the inclusion and exclusion of any controls or policies. You’ll also need to highlight whether your business has implemented any controls in line with the RTP. If the answer is yes, a robust internal audit programme should be carried out to assess the effectiveness of your activities.
7. Book your transition audit
By this point, the changes you’ve implemented will have strengthened your management system, information security and wider cyber resilience. It’s time to get in touch with LRQA to discuss your dedicated transition audit, which can be carried out as a standalone activity or in line with any other scheduled visit.
Organisations with existing ISO 27001:2013 certification will have until October 2025 to transition to the new standard.
8. Complete your audit and implement any changes
Your auditor will assess your ISMS and supporting documentation to determine whether it meets the requirements of ISO 27001:2022 – with a special focus on the changes to the controls in Annex A. Upon completion, you’ll receive your Audit Report, which features your auditor’s feedback and any findings that need to be addressed before certification is awarded.
9. Promote your ISO 27001:2022 certification
Your certification demonstrates a commitment to internationally recognised best practices and continual improvement – helping you win new business and meet customer demands. You can have confidence that your ISMS is robust and effective – utilising controls and risk treatments that reflect the changing threat landscape.
10. Focus on continual improvement
Post-certification, it’s important to keep the momentum to ensure that your ISMS remains effective and well maintained. We’ll carry out surveillance audits annually which will focus on the status of your system – we’ll also be looking to ensure that continual improvements are being delivered.
Our deep experience in assurance, combined with award-winning cybersecurity services and threat-led intelligence, enables us to deliver bespoke insights into – and protection from – the unique threats facing your business. Keeping you one step ahead of cyber risk, today, tomorrow and beyond.
We provide audit, training and certification services against the world’s leading international standards and schemes, complemented by a wide range of advanced cybersecurity services delivered by our specialists, Nettitude.
We work collaboratively with your business – helping you to identify the specific threats you face and build strategies to mitigate them. We’ll work with you to certify your systems, identify vulnerabilities, and help prevent attacks and incidents that could impact your brand integrity, finances and operations.
Click Here to Get certified and trained by the experts at LRQA
Who we work with
We help businesses across dozens of sectors push forward and achieve like never before. How can we help you?
Shell: 3D printing quality assurance case study
LRQA is supporting Shell with assurance solutions for safety-critical 3D printed parts, driving trust and innovation in additive manufacturing.
What we think
LRQA's experts regularly share their research and insights.