The security, privacy, and compliance landscape is constantly evolving — and with it, the frameworks designed to protect organizations and their customers from threats. ISO 27001 and its companion standard ISO 27002 were recently updated for 2022, with structural changes to clauses and new controls added to Annex A.

In our Secureframe Webinar | Expert Insights held on Tuesday, November 29, compliance expert Cavan Leung explained the key changes to the framework and its controls. 

If you missed it, check out the video replay on demand. We’re also recapping his insights and expert advice for keeping your organization compliant with ISO 27001:2022 below. 

A brief overview of ISO 27001 

Before diving into the latest updates to the framework, it’s important to understand what ISO 27001 is and the advantages of pursuing certification. 

ISO 27001 is an internationally recognized standard that helps organizations establish, maintain, and continuously improve their information security posture. It focuses on a combination of people, processes, technologies, and controls to establish what ISO calls an information security management system (ISMS). 

ISO 27001 certification comes with several benefits. As an internationally recognized standard, ISO 27001 is respected by organizations around the globe. Achieving certification with the standard establishes deeper trust with prospects, customers, partners, and investors. And because the standard is adaptable to different types of organizations, it can enable and support businesses as they scale. 

ISO 27001 entails two core areas:

• ISMS clauses 4-10: This aspect of the standard outlines requirements for establishing information security processes and controls to continuously improve your information security posture
• Annex A controls: Information security controls that organizations can implement to minimize risks.

Organizations must undergo a series of external certification audits to become certified. The process involves a series of audits:

• Year 1: Initial certification audits. Following successful stage 1 and stage 2 audits, the organization is ISO 27001 certified. Certification is valid for three years.
• Years 2 and 3: Surveillance audits are conducted to review clauses 4-10 and a sample of Annex A controls
• Year 4: Recertification audit assesses clauses 4-10 and all Annex A controls. The organization is recertified, valid for another three years. 

So what is ISO 27002?

ISO 27002 is a supplementary standard that provides advice on how to implement information security controls, which are listed in Annex A of ISO 27001. In other words, ISO 27002 is simply information on a control, how it works, and how it could be implemented, but it doesn’t tell you whether it’s applicable to your company.

This is why you can get an ISO 27001 certification, but not an ISO 27002 certification because it’s not a management standard that provides a full list of compliance requirements. ISO 27001 requires companies to actually perform a risk assessment to identify risks, what controls are required to mitigate the risk, and how it should be implemented.

Summarizing the changes to ISO 27001:2022 and ISO 27002:2022

ISO 27001:2022 was officially published in October 2022 and introduced minor wording and structural changes to ISMS Clauses 4-10. The major changes to Annex A controls are reflected in ISO 27002:2022. 

Updates to the ISO 27002 document were officially published in February 2022. In previous versions, Annex A controls were segmented into fourteen control domains: Annex A.5 through Annex A.18. In the 2022 version, they have consolidated those 14 domains into 4 main categories:

• Organizational
• People
• Physical
• Technological 

These changes simplify the structure of ISO 27002 and make the document more intuitive for organizations to navigate. 

The total number of controls was reduced from 114 to 93. Within those 93 controls, 58 controls remain the same with minor contextual changes. Twenty-four controls were consolidated and 11 net new controls were introduced. 

How do these changes affect ISO 27001 certification?

Organizations that are already ISO 27001 certified have three years, from the date of ISO 27001:2022 publication, to transition to the new standard. In other words, for these organizations, ISO 27001:2013 certificates will expire or be withdrawn at the end of October 2025. Transition audits can be performed at the same time as your next audit, or you can do them separately. 

Organizations that are pursuing certification for the first time can still be certified on ISO 27001:2013. For these certificates, they must be rectified on ISO 27001:2022 by October 2025 or risk losing their certification status. Transition audits can be performed at the same time as your next audit, or you can do them separately. 

Moreover, ISO audit firms will also need to become accredited to perform ISO 27001:2022 audits. Therefore the organization, as part of the auditor selection process, should ensure that the audit firm can audit and consequently certify against the new ISO 27001:2022 version. 

ISO 27001:2022 and ISO 27002:2022 FAQs

During the Secureframe Expert Insights webinar on changes to ISO 27001 and ISO 27002, Cavan Leung, CISSP, CISA, CCSK shared his expertise with attendees who submitted questions live or in advance. Here’s a recap of the questions and answers.

Will the Secureframe platform reflect ISO 27001:2022 standards? 

Yes. Once the ISO 27001:2022 solution is live in the platform, you will have the option to transition to the 2022 version so that you don’t lose your progress to date towards the 2013 version. Both versions will be available on the platform. 

If we’re already in the process of ISO 27001 certification today, should we continue with ISO 27001:2013 or try to switch to ISO 27001:2022? 

If you’re already in the process of getting certified on ISO 27001:2013 or you have an urgent need for certification, continue to do so on the 2013 version. Having said that, if you are just beginning the process of establishing and implementing your ISO 27001 controls and processes, I suggest looking into implementing the ISO 27001:2022 standard. 

Caveat: ISO audit firms will need to get accredited on the new 2022 version. As such, when selecting audit firms, the organization should ensure the selected auditors can certify against ISO 27001:2022.

If I don’t recertify for ISO 27001:2022 by October 2025, what happens?

If you’re an existing certificate holder, most likely your certification will expire by 2025 since it’s valid for three years. When you recertify, you would recertify on the ISO 27001:2022 standard. 

If for some reason your ISO 27001:2013 is still active in 2025 and you haven’t transitioned to the 2022 version, your certification body will withdraw your certificate, making it invalid. 

If our certificate expires in 2023 after August, can we still be rectified according to the 2013 version?

Technically speaking yes, you have until October 2025. However, I would advise against it. That way you can already start implementing the 2022 changes into your ISMS and prepare to get certified on the 2022 version. 

Join our next Secureframe Webinar | Expert Insights

We’re hosting Secureframe webinars regularly throughout the coming months to address the biggest security, privacy, and compliance pain points that we hear and questions that we get from prospects, customers, and security professionals. Keep an eye out for upcoming registration details, or check out recordings of past events if you missed out.