What is ISO 27001?
We have covered this question in a previous article but in a nutshell:
ISO/IEC 27001 is the internationally recognised standard for information security management. It provides a systematic approach to managing sensitive company information, ensuring its confidentiality, integrity, and availability.
Transitioning to ISO 27001:2022
It’s been almost 2 years since ISO 27001 was last updated (and over two years since ISO 27002, the Standard for Information Security Controls, was updated), so many organisations have already transitioned their information security management systems (ISMS) to align to the updated requirements. Thankfully for many organisations, the changes to ISO 27001’s management system requirements were minimal, instead focusing on modernising and updating the controls required to maintain the confidentiality, integrity, and availability of an organisation’s information assets.
What are the key steps to realign and update your ISMS to ISO/IEC 27001:2022?
For organisations that are yet to transition, we’ve outlined the key steps that we’ve seen successful organisations take to realign and update their ISMS below:
Understand the changes
Whilst the changes to the management system elements of ISO 27001 were minor, the controls for information security received a significant update (ISO 27002:2022 and ISO 27001:2022 Annexure A). To make sure you understand these changes and their intent, you could review the standard, read some available literature from a trusted provider (like our article on the key changes to ISO 27001), or complete more formal training (such as our ISO 27001:2022 update eLearn or one of our facilitated Information Security Management Systems courses).
Liaise with your certification body and auditor
If you haven’t yet transitioned to ISO 27001:2022, you should liaise with your certification body or conformity assessment body (CAB) to agree a transition plan, including the steps that need to be taken by you (and potentially the certification body/CAB) to provide for a smooth transition. This will include the timing of your audits and any potential grace periods or similar that may relate to new or changed controls. Time is running out to maintain certification to ISO 27001:2013, so you should get onto this quickly.
Understand your current control environment
Understanding all the existing controls that your organisation has in place to holistically manage its information security risks is critical to ensuring you’re ready for the transition to ISO 27001:2022. It may have been several years since you implemented your ISMS aligned with the 2013 revision, and we all know that businesses and their processes change, and hopefully improve, over time. Knowing the current state of your controls across the whole organisation, as well as understanding how effectively these controls manage your risks, is critical to understanding the full breadth of your current ISMS. If you have a proactive information security manager or equivalent, you may find that you have already implemented some of the revised or new controls from the 2022 revision of the Standard.
Undertake a risk assessment
Once you’ve understood the updates to the Standard and your organisation’s current control environment, you should undertake a risk assessment to understand the different information security risks that apply to your organisation. Successful organisations will consult broadly and include technical experts, control and/or asset owners, management, and end users to make sure that all relevant viewpoints are included, resulting in a more robust risk assessment. Any new or changed risks identified in this assessment should have controls and treatments designed to manage the risks in accordance with the organisation’s risk appetite, and there may be other controls that already exist in the organisation that are appropriate to cover the new or changed risks.
Update your Statement of Applicability
Now that you understand the Standard, your existing control environment, and your current information security risks, you should review your current Statement of Applicability (SOA) to realign it to the updated controls of ISO 27001:2022. As a reminder, the SOA is a document that compares the controls determined by the organisation as being necessary to manage its information security risks to the controls provided in ISO 27001 Annexure A and provides justification for any controls from the Standard that aren’t deemed necessary by the organisation to manage its risks. Given the significant changes to the structure of the controls, there may be:
- Controls that need to be combined: ISO 27001:2022 combined 56 individual controls from the 2013 version into 24 controls.
- Controls that have been removed: the update of the Standard removed only one control, Removal of assets; however, control 7.9 Security of assets off-premises covers the protection of assets outside of the organisation’s premises (for both routine and non-routine activities).
- Controls that have been added: ISO 27001:2022 introduced 11 new controls, mostly aimed at addressing new and changing technologies and activities, such as cloud services, the increasing use of mobile technologies, and embedding security in coding and development.
- One control that has been split: the technical compliance review control from 2013’s clause 18.2.3 is now split into 5.36 Compliance with policies, rules and standards for information security and 8.8 Management of technical vulnerabilities.
ISO 27002:2022 Annex B includes two very helpful tables to compare the controls from the 2013 revision to the 2022 revision.
Implement any additional controls required
By now, you may have identified new controls that need to be implemented to help protect your information assets – these controls should be implemented into your organisation, and depending on their complexity may need to follow a risk treatment plan or similar. Once implemented, you should also consider how you will ensure the control is effective through competence, awareness, and communication processes as well as control monitoring requirements.
Get audited
You should now be ready for your transition audit – you’ve understood the changes to the Standard, planned your transition with your CAB, understood your risks and controls, updated your SOA, and implemented any new controls required. Along with the Standard being updated on your certificate, it should also refer to your new SOA to give your stakeholders confidence that the transition was successful. As always, you will need to demonstrate that your ISMS is working and effective, and that you are evaluating its performance through monitoring and measurement, internal audit, and management review. It is also acceptable to identify nonconformances, either in your preparation for the audit or during the audit itself – you just need to make sure that you follow your corrective action process to identify the cause of the nonconformance and implement an action to prevent its recurrence across the organisation.
By following these steps, your organisation can effectively realign and update its ISMS, ensuring a smooth and successful transition to ISO 27001:2022. This helps to strengthen your overall information security framework and safeguards your organisation against evolving cyber threats.
Read more about our Information Security Management Systems courses and our Transition to ISO/IEC 27001:2022 eLearn.