TRANSITION TO THE NEW ISO 27001 STANDARD
Information Security Standard Editions
ISO management system standards are reviewed periodically to ensure that they remain up-to-date and relevant. There was a somewhat strange period from February to October last year. It was extremely dry here in Hungary, but that is not the only reason: the current edition of the ISO 27002 standard was issued in February, whereas the ISO 27001 standard was not published until October. That was unusual, because ISO 27001 and ISO 27002 are normally tightly coupled: the latter contains implementation guidance for the information security controls listed in the certification standard. The numbering of Annex A in the ISO 27001 standard starts at 5 in order to stay in sync with the section numbering of ISO 27002.
Changes to the Standard
Now, as the standards have been resynchronized, it is time to take a look at what has changed. The renewed standard already handles the topics of information security, cybersecurity, and data protection control in a uniform manner. This is reflected in the modified title of the standard.
There were only minor changes to the standard body. The new standard maintains adherence to the common ISO management system framework (Harmonized Structure).
Although there are no major changes to the body, the information security controls in the mandatory Annex A have been restructured and extended. The earlier 14 control groups have been consolidated into 4 major groups.
Because related control requirements were merged, the new standard is more streamlined, with 93 controls compared to the previous 114, yet it still adds new control topics such as cloud security, remote work security, and data leakage prevention.
A good example of these control changes is how business continuity is addressed in the two editions. The 2013 edition had a subsection with 3 controls devoted to information security continuity (that is, maintaining adequate security during business continuity events). The 2022 edition has a single control on the topic, but it nearly fully covers the previous requirements, and it focuses on ICT readiness rather than on processes.
Impact on Certification
The International Accreditation Forum (IAF) is the entity that controls the transition of certifications from the old standard to the new one. The IAF has set transition rules for its member accreditation bodies as well as for the certification bodies (also known as conformity assessment bodies) that they supervise. Certification bodies are allowed by the IAF to audit against the new standard as soon as their readiness to do so has been assessed and approved by their accreditation body, but no later than 31 October 2023.
Until that date, certification audits against the old standard are possible as well. In fact, organizations that are at the end of their compliance project or already ready to be certified are better off seeking certification against the old standard. If they do so, they gain time to prepare for the transition. Otherwise, they would lose time transforming their controls and documents to comply with the new requirements, conducting the internal audit, and possibly waiting for their certification body to be authorized to audit against the new standard.
Certification bodies will inform their clients of the date from which they are authorized to audit against the new standard. They may conduct the transition audit together with a surveillance audit or a renewal audit, or as a separate audit. This audit needs to gather evidence, on-site or remotely, that the new and updated controls are in operation. All certificates based on ISO/IEC 27001:2013 will expire or be withdrawn at the end of the transition period, that is, by 31 October 2025.
Impact on Certified Organizations
The IAF transitional requirements apply to accreditation and certification bodies, but of course they also affect the organizations applying the standard.
First of all, compliance needs to be achieved. For an existing ISMS, there will not be much to do with the policies and procedures covering the management system framework requirements. Documents related to the security controls, however, need to be revised and extended, and a new Statement of Applicability (SoA) must be produced. Those unfamiliar with the new requirements and with the importance of the SoA may want to contact an experienced consultant.
Certified organizations may request the transition audit from the date their certification body is authorized to audit against ISO 27001:2022 up to 31 October 2025. They must maintain compliance with the old standard until the transition, as audits will be carried out against that edition until then.
Purely from a cost perspective, the best option is to do the transition at the next renewal audit, because then the audit is simply carried out against the new standard at no extra cost. Otherwise, the audit will include at least an additional half auditor day to confirm compliance with the new and modified requirements.
Photo by Mat Brown: https://www.pexels.com/photo/silhouette-of-wind-vane-552600/
12/03/2023