It’s now almost a year since ISO 27001:2013 was replaced by the new version named ISO 27001:2022. Here’s your transition plan!
This 2022 version of the standard enhances requirements and introduces new elements to meet changing challenges and new threats in the field of information security.
It covers not only the traditional risks, but also adds points on emerging threats such as advanced persistent threats (APT), the Internet of Things (IoT), artificial intelligence (AI) and, above all, the confidentiality of personal information.
The only transition document we found was that of the IAF (International Accreditation Forum), the group that issues guidance to accreditation bodies, which in turn oversee the certification bodies that will certify your company.
Link: https://iaf.nu/iaf_system/uploads/documents/IAF_MD26_Issue_2_15012023.pdf
There are three transition scenarios:
- Companies wishing to become ISO 27001:2013 certified have until October 31, 2023 to do so.
- Companies wishing to become ISO 27001:2022 certified can do so from October 25, 2022.
- Companies already certified to ISO 27001:2013 must make the transition before October 31, 2025.
After migrating a few companies to ISO 27001:2022, here are the easy transition steps I use.
1- Document the change plan.
In order to comply with the change management procedure and clause 6.3 (new clause in version 2022 – Planning of changes), we document and plan our change to the ISMS. The purpose of this document is to help you create that plan. All you have to do is add who will do which items and by when!
2- Modifying the ISMS management framework
New required clause 4.2 c)
Indicate which of your stakeholders’ requirements and expectations are addressed by the ISMS, either by a new section in the document or perhaps by highlighting the items on your list that are covered by the ISMS.
The aim is to communicate to these stakeholders if there are any requirements NOT covered!
Adjustment to clause 4.4
We now need to include in our documentation how changes and continuous improvement are implemented.
In practical terms, we have different procedures and we need to understand how they interact, especially in the context of continuous improvement. For example, in the event of an incident or non-conformity, do we reflect on and adjust the other procedures?
Adjustment to clause 5.3 – Roles and responsibilities
Information security roles and responsibilities must be assigned and communicated to everyone in the organization!
For the auditor, this means validating that the person in charge of information security has indeed been appointed as such.
Redo clause 6.1.2 – Risk assessment
A new version of the risk assessment must have been carried out, and, above all, its results must be linked to the new security controls (Annex A).
Adjustment to clause 6.1.3 – Statement of Applicability
In view of the major change to Annex A of ISO 27001:2022, it is recommended that we redo our Statement of Applicability. It must include answers to the following questions:
- Which security controls are necessary (in conjunction with the risk assessment results);
- Why each security control is included in the ISMS;
- Whether the security control is implemented or not;
- The justification for excluding any security control.
Please note – when migrating, you can also cut corners by only comparing Annex A of the 2013 version with Annex A of the 2022 version, and adding the elements that have an impact on your risk management. This option speeds things up.
Adjustment to clause 6.2 – Objectives and plan to achieve them
Item 6.2 d) requires objectives to be monitored, and you must define how they will be monitored. So, provide evidence of how the objectives are monitored.
New required clause 6.3 – Planning of changes
The new clause states: "when the organization determines the need for changes to the ISMS, the changes shall be carried out in a planned manner."
In practical terms, this means that all changes to the ISMS must use the organization’s change management procedure.
Adjustment to clause 7.4 – Communication
ISO 27001:2022 removes two items that existed in the 2013 version: 7.4 d) (who shall communicate) and 7.4 e) (the processes by which communication shall be carried out).
They are simply replaced by the new item 7.4 d): how to communicate.
Adjustment to clause 8.1 – Control and planning of operations
Clause 6 sets out the risks and objectives to be met by the ISMS, and clause 8 is reworded so that the organization can implement operations to meet these objectives.
In concrete terms, then, for each procedure we need to define the criteria for assessing whether the process is effective. For example, how do we evaluate change management to find out whether it adequately protects us against unauthorized changes?
Adjustment to clause 9.1 – Monitoring, measurement, analysis and evaluation
This clause has been reworded for simplicity, but adds emphasis in 9.1 b) on the fact that the monitoring and measurement methods must be reproducible: they must give comparable results if the analysis is repeated.
Reword clause 9.2 – Internal auditing
There are few changes to clause 9.2, except for a reorganization of its elements into two sub-clauses: 9.2.1 General and 9.2.2 Internal audit programme.
Adjustment to clause 9.3 – Management review
Modify the management review planning and agenda document to include clause 9.3.c – “Changes in stakeholder needs and expectations that are relevant to the ISMS”.
Change in the order of clauses 10.1 and 10.2
The new ISO 27001:2022 standard simply swaps the order of items 10.1 and 10.2.
I invite you to click on “Follow” to continue learning more about the field of information security.