Equal Assurance has upgraded its ISO 27001 Assurance Program for information security management systems for transition from the 2013 to the 2022 version.
Our transition policy is in line with and designed to meet the requirements of IAF MD 26:2023, as a Mandatory Document from the International Accreditation Forum. This document can be downloaded for free from the IAF website at https://www.iaf.nu, and the new version of ISO 27001 (and ISO 27002) can be downloaded from the ISO website at https://www.iso.org.
Key changes from ISO 27001:2013 to ISO 27001:2022 include:
- Annex A references the information security controls in ISO 27002:2022, which includes the information of control title and control.
- Notes of Clause 6.1.3 c) are revised, including deleting the control objectives and “information security control” replacing “control”.
- The wording of Clause 6.1.3 d) is re-organized to remove potential ambiguity.
- Adding a new item 4.2 c) to determine the requirements of the interested parties addressed through an ISMS.
- Adding a new subclause 6.3 – Planning for changes, which defines changes to the ISMS shall be carried out by the organization in a planned manner.
- Keeping consistency in the verb used in connection with documented information, for example, using “Documented information shall be available as evidence of XXX” in clauses 9.1, 9.2.2, 9.3.3 and 10.2.
- Using “externally provided process, products or services” to replace “outsourced processes” in Clause 8.1 and deleting term “outsource”.
- Naming and reordering the subclauses in Clause 9.2 – Internal audit and 9.3 – Management review.
- Exchanging order of the two subclauses in Clause 10 – Improvement.
- Updating the edition of the related documents listed in Bibliography, such as ISO 27002 and ISO 31000.
- Some deviations in ISO 27001:2013 to the high-level structure, identical core text, common terms and core definitions of MSS are revised for consistency with the harmonized structure for MSS (e.g. Clause 6.2 d)).
In relation to information security controls:
- Compared with ISO 27001:2013, the number of information security controls in ISO 27002:2022 decreases from 114 controls in 14 clauses to 93 controls in 4 clauses.
- For the controls in ISO 27002:2022, 11 controls are new, 24 controls are merged from the existing controls, and 58 controls are updated.
- The control structure is revised, which introduces “attribute” and “purpose” for each control and no longer uses “objective” for a group of controls.
- ISO/IEC 27001:2013/COR 1:2014 is related to Annex A and overlapped by ISO/IEC 27001:2013/DAMD1.
The impact of the changes in ISO 27001:2022 includes, but is not limited to the introduction of a new Annex A and Clause 6.3 – Planning for changes because:
- ISO/IEC 27001:2013/COR 2:2015 has already been published and implemented.
- Annex A is normative.
- The harmonized structure for MSS is considered as a minor revision for the high-level structure, identical core text, common terms and core definitions of MSS, in which most of the changes are considered editorial.
In respect to impact on client management systems:
- The requirements in ISO 27001 that use the reference control set in Annex A are the comparison process between the IS controls determined by the organization and those in Annex A (6.1.3 c)) and the production of a Statement of Applicability (6.1.3 d)). By comparing the necessary IS controls to those in Annex A, the organization may confirm that any necessary IS control from the reference set in Annex A of ISO 27001:2022 is not inadvertently omitted.
- Such comparison might not lead to the discovery of any necessary IS control that has been inadvertently omitted. However, if inadvertently omitted necessary IS controls are discovered, the organization shall update its risk treatment plans to accommodate the additional necessary IS controls and implement them.
- As implied above, the impact of ISO 27001:2022 on the organizations that have implemented ISMS need not be significant.
Equal Assurance has adapted the timescale requirements of IAF MD 26:2023 and has established the following transition programme:
- Pre-Certification, Certification and Re-Certification Audits with an Audit Start Date later than 30 April 2024 shall be to ISO 27001:2022 only.
- CAB Transfer and Surveillance Audits with an Audit Start Date later than 31 July 2024 shall be to ISO 27001:2022 only.
- Audit Reports released after 30 April 2025 shall be to ISO 27001:2022 only.
- Recommendations For Certification made after 31 July 2025 shall be to ISO 27001:2022 only.
- Transitions of certified clients to ISO 27001:2022 shall be completed by 31 October 2025.
Our new and existing clients currently certified to ISO 27001:2013 are expected to:
- Acquire a copy of both ISO 27001:2022 and ISO 27002:2022.
- Conduct a gap analysis to ISO 27001:2022 so as to identify the changes needed to the ISMS.
- Update the Statement Of Applicability (SoA) as required.
- Update risk treatment plans where applicable.
- Ensure implementation and effectiveness of the new or changed information security controls as chosen.
Our new and existing clients currently certified to ISO 27001:2013 can also expect the following from Equal Assurance:
- We will make updated documents including Integrated Audit Criteria Guides available at https://publications.equalassurance.com.
- We will work with our clients to establish suitable transition timelines.
- When transitioning at a Re-Certification Audit, we will add 0.5 Auditor Days to the duration of the Audit.
- When transitioning at a Surveillance Audit, we will add 1.0 Auditor Days to the duration of the Audit.
- We may review commercial arrangements when additional Audit Time is added for the transitioning process.
- We will transition clients only when requirements are met, noting no change to expiration of the current cycle.
- We will ensure any ISO 27001:2013 Certificates beyond 31 October 2025 are either expired or withdrawn.
For our client contacts, a free non-mandatory ISO 27001:2022 Transition Competence Assessment is available in your Qdos Client Portal. Successful completion of the competence assessment will give the participant access to a “Certificate of Achievement”.
To find out more, contact us or speak directly to your Client Manager or Account Manager.