14.09.2022

The new version of ISO 27001 is expected to be published next October

The new version will be consistent with ISO 27002:2022, which was issued in February 2022, in terms of the control mechanisms that companies seeking to create and operate an Information Security Management System in accordance with this standard must implement. This completes the standard’s updating cycle, which will replace the previous version that has been in use for about ten years. The specific time frame in which organizations already certified to ISO 27001:2013 will need to comply with the new version has yet to be announced, although it will be about two years.

No significant changes have been made to the main clauses of the standard. This means that the framework required for the successful development and implementation of an Information Security Management System has not changed. Regarding the controls described in Annex A of ISO 27001 as well as in ISO 27002, significant changes have been made in the way they are organized. Previously categorized into 14 control areas, they are now streamlined into 4 themes:

  • Organizational Controls
  • People Controls
  • Physical Controls
  • Technological Controls

The new structure is expected to facilitate the correlation of similar requirements and contribute to the easier implementation and monitoring of Information Security measures.

Despite the drastic reform of Annex A, the requirements for implementing new controls are not expected to cause any significant concerns to the organizations already certified to ISO 27001:2013. In particular, Annex A of ISO 27001:2022 encompasses 93 controls, with 58 updated controls, 24 merged controls and 11 newly introduced controls. The introduction of new controls aims to contribute to the timely and proactive management of new risks that have emerged in the Information Security domain and to the alignment with the requirements emerging from other Information Security standards and regulatory frameworks governing the operation of organizations and enterprises.

Organizations currently adhering to ISO 27001:2013 and aiming to transition to the updated version must undertake a gap analysis and an Information Security Risk Assessment. This process is essential for identifying and prioritizing actions necessary to address potential risks in the areas covered by the new controls.

Having valuable experience in developing and implementing Information Security Management Systems, PRIORITY consultants are ready to support organizations and businesses of all sizes in smoothly adopting the updated standard. This assistance guarantees the enhancement of the Information Security level and of operational effectiveness.