What’s new in ISO 27001:2022 October Release

Are you curious about the changes in the new ISO 27001, which is scheduled to be released in October 2022? This article provides a few guidelines and some information to help you make an informed decision.

ISO doesn’t change the core phases involved in any implementation of its standards, i.e. PLAN, DO, CHECK, ACT (PDCA). The last version was ISO 27001:2013, and since then there have been changes in the information security domain.

To adapt to the changed environment, the new version, ISO 27001:2022, groups the controls into the following categories.

  • Organizational (37 controls)
  • Technological (34 controls)
  • Physical (14 controls)
  • People (8 controls)

Organizations that have implemented HIPAA might find this grouping similar to the security controls and groups of HIPAA; however, it is not entirely the same.

Has the total number of controls been reduced in the new standard compared with ISO 27001:2013?

Rather than saying that the number of controls is reduced from the previous standards, it would be prudent to say that the controls have been reorganized, merged, and added. In essence the security controls are amended to meet the current trends and requirements but not diluted. As a matter of fact, the current standard is longer than the previous one. 

Remember that ISO 27001:2013 had 114 controls, whereas the new standard, which is scheduled to be released in October 2022, shall have 93 controls.

What is new that has been added or amended into the new version of ISO 27001?

  • Configuration management
  • Data masking
  • Data leakage prevention
  • ICT readiness for business continuity
  • Information deletion
  • Information security for use of cloud services
  • Monitoring activities
  • Physical security monitoring
  • Secure coding
  • Threat intelligence
  • Web filtering

Should I implement the new standard immediately to stay compliant?

Not necessarily. ISO gives all organizations two years from the date of release of the new standard for transition. However, it is recommended to incorporate the new changes as best practice and to have all the necessary controls implemented, with the appropriate procedures performed as part of change management.

Remember to perform Risk Assessment and Risk Treatment for any new changes to be implemented in the organization. Since your SoA (Statement of Applicability) shall also change, incorporate the new changes at the earliest opportunity and have your organization certified for the new standard.

10 Steps to Identify the Right Implementation Vendor for ISMS is a “must-have” guide for everyone before starting an ISO 27001 implementation.

How soon can the organization transition into the new Standard?

IARM Information Security shall assist you in the transition to the new ISO 27001 standard without any drama. At this point in time, organizations should focus more on design and control effectiveness.

Most organizations have up to 2 years to transition to the new standard. However, it is recommended not to delay the transition from the old standard to the new one. Organizations that have been certified for an Information Security Management System (ISMS) under ISO 27001:2013, and that are required to perform surveillance every year, can use this window of opportunity effectively to revisit their security blueprint, remove the noise, and recreate the IT environment with all the necessary security controls to tackle new and sophisticated threats.

Our experts are ISO 27001 Lead Auditors and Implementers. Feel free to contact IARM if you have any further questions or require assistance with ISO 27001 implementation and compliance audits.
