Lessons Learnt from Early ISO 27001:2022 Transitions

Lessons Learnt from Early Transitions

Use ISO 27002:2022

ISO 27001 was not the only standard to be updated in 2022; its sister standard, ISO 27002, was also revised and in fact was released ahead of ISO 27001.  ISO 27002 is a guidance standard which accompanies ISO 27001 and provides a lot more detail than can be found in Annex A on how to implement the controls as functional business processes. Although a lot of the controls in ISO 27001 map directly from the old version to the new version, the guidance in ISO 27002 has been extensively updated, and we would strongly recommend that you obtain a copy of ISO 27002:2022 and use the guidance to ensure the way you have implemented the controls is up to date.

Thoroughly examining the guidance in ISO 27002:2022 can help you avoid falling into the trap of putting too great an emphasis on transitioning to the new version of ISO 27001 without taking the time to identify areas where your information security controls may be out of date.

Utilise existing systems

One of the changes found in ISO 27001:2022 is that it has now fully adopted the ‘high-level harmonized structure’, which is the standard approach to writing ISO standards.  This approach is also shared by other standards such as ISO 9001 for Quality Management, ISO 14001 for Environmental Management, and ISO 45001 for Health and Safety Management (among others). Therefore, if your organisation has also achieved certification to these or any other standards written in the high-level harmonized structure, it may be helpful to liaise with the teams that manage conformance to them to check if there’s anything that can be adopted in your approach to ISO 27001.

A lot of the changes in the ISO 27001 management system clauses are all about alignment with other standards.  For example, the newly introduced Clause 6.3 (planning of changes) focuses specifically on managing changes to the information security management system (ISMS), which also exists as a process requirement in ISO 9001. Therefore, if you’re already certified to ISO 9001, you will probably already have a mechanism in place that enables you to do this and will be able to apply this mechanism to ISO 27001.

Refinement not reinvention

The transition assessments will specifically look at your implementation of the changes to ISO 27001, and if there are aspects of your management system that are not affected by these changes, you can leave them alone if they’re still working well for you.  The transitional period can be a good opportunity to embark upon a more major overhaul of your ISMS if you think it’s needed and have senior leadership buy-in to manage the transition, but you are under no obligation to do this if it isn’t necessary.  

There are only a handful of changes to the management system clauses, and while some of these changes will require some work to demonstrate to your assessor that you’re meeting the requirement, the updates mostly amount to additions and tweaks.  

Common Mistakes Observed

Not updating your Statement of Applicability (SoA)

The Statement of Applicability (SoA) is one of the first things your auditor will check, and if they see that your clauses and control numbers have not been updated, this will immediately suggest that the transition is not underway within your organisation.  The changes to the structure and wording of the controls in ISO 27001 will have an impact here.  In the 2013 version of the Standard, each of the subsections within the 14 control sections had an objective, however as these sections have been streamlined, this approach has also changed.  Now, each individual control has a purpose, and you are able to determine whether this purpose meets your needs (the attributes found in ISO 27002:2022 can help you with this).  There are a couple of useful tables at the back of ISO 27002 which can help you identify where new controls map directly to old ones, however, as some controls are titled and worded slightly differently in ISO 27001:2022, it’s important to remember that even if a control maps, it may not be exactly the same as its ISO 27001:2013 equivalent.

Not updating documentation

While your assessor may check first and foremost for your updated SoA, you will need to go beyond this and update all relevant documentation, and it’s important to ensure that process guides, internal audits, etc. that reference controls do also reference new versions of controls.  For organisations with very complex management systems with a lot of documentation, it is possible that some documentation will be missed in the review.  We would, therefore, strongly recommend you conduct a full review of your documents to check that control numbers and clauses are all referenced correctly.    

Failing to integrate

As mentioned above, it’s extremely important to check for alignment with other Standards, such as ISO 9001, where possible.  If you go through this revision without taking your organisation’s other management systems into consideration, you may start to see a divergence between them, which can lead to inefficiency and risk in the system.  It’s important to ensure that you don’t end up creating an additional layer of management within the organisation during the transition process, and that you leverage existing, already certified systems, processes, and policies as much as you can.

Misunderstanding the transition timeline

While the withdrawal date for the 2013 version of the Standard (31 October 2025) has been widely published and circulated, there is less awareness of the fact that all initial visits and recertifications which take place from 1 May 2024 must be against ISO 27001:2022.  Make sure your understanding of your organisation’s individual transition timeline is completely accurate, and you haven’t assumed you have longer to transition than you actually do.  

Forgetting the people

As was the case in the previous version of the Standard, the ISO 27001 internal audit needs to be carried out by capable, competent individuals, and alongside updating the management system, you will need to update the competencies of the people who are going to audit and maintain that system, and ensure that they fully understand the changes to the Standard.  This isn’t just about understanding the changes to the management system, but also to the guidance for the controls, as you should be auditing against current best practice.  Although you can’t directly audit against the guidance in ISO 27002:2022, you should always have the best practice it defines in the back of your mind when auditing the current implementation of controls, in order to identify opportunities for improvement.

Beyond the auditors, the competence of the implementors, such as the individuals who implement and operate the processes and technical controls, should also be taking the new guidance into consideration, and improving controls where necessary.

Failing to maintain ISO 27001:2013

We have seen some organisations dedicate all of their information security resources to implementing the changes in the new version of the Standard, however until you have completed your transition assessment and received your new certificate, you are still obligated to maintain conformance to ISO 27001:2013.  You can’t completely scrap your old SoA if you’re still certified to the 2013 version and are not yet ready to do a full transition.

A better way to approach this interim period is to run two separate columns in your SoA for the two different sets of controls, map them against both standards, and remove the 2013 version once you’re ready to fully transition, which will allow you to maintain conformance.  

Delays leading to exposure

It is a good idea to implement the new controls now, instead of waiting to transition, as ISO 27001:2022 is largely about dealing with the latest threats and best practice.  In particular, the new Control 5.7 (threat intelligence) requires careful consideration and will almost certainly need to be selected on your organisation’s SoA, as you are required to perform risk assessments and risk assessments implicitly require you to consider information security threats.  You may need to move towards a more dynamic process for doing so, e.g., a day-by-day or week-by-week understanding of what new threats are out there, the relevance they have to your organisation, and how they will be dealt with.

Underestimating the changes

Some organisations have assumed that if the change to a particular control or clause of ISO 27001 amounts to the difference of just a few words, the impact on the management system will also be minor.  In practice, the addition, removal or revision of a few words can have a significant impact on how the ISMS needs to work, and the evidence that will be required, etc.  Maintaining conformance in your implementation of the merged controls, in particular, may need more consideration than initially seems to be the case.  Familiarising yourself with ISO 27002 is, once again, extremely important here, as the guidance for some of the controls has seen quite a significant amount of update.  The mapping tables at the back of the document are also useful in helping you identify which of the old controls have been merged into a single new control.

Get your transition assessment dates booked in

If you don’t book dates for your transition assessment well before your transition deadline, you may struggle to get the appropriate resources in place, and having dates booked will help focus your transition project timeline.

Insufficient evidence

To achieve a successful transition and retain your ISO 27001 certification, you need to have fully implemented the changes and be able to evidence this in your assessment.  Clause 6.3 is particularly important here.  The process of transitioning will provide you with an opportunity to generate evidence of your implementation of this Clause, as the minutes of your management review in this period will allow you to document recommendations for and approval of change.

Misunderstanding the title

Alongside the clauses and controls, the title of the Standard has been updated to now include ‘cybersecurity and privacy protection’.  While ISO 27001:2022 has some consideration of these areas, it is not a replacement for other standards, such as ISO 27032 for Information Technology or ISO 27701 for Privacy Protection, nor will it guarantee complete cyber security or compliance with data protection legislation such as the General Data Protection Regulation (GDPR).

Challenging Clauses

Each organisation’s implementation of the ISO 27001:2022 clauses will look slightly different, and each will come up against unique challenges, however there are some clauses that seem to present more issues than others.  

As we have already suggested, the transition process is an excellent opportunity to generate evidence of your conformance to Clause 6.3, and it’s important to ensure you don’t miss out on this opportunity by implementing the changes to ISO 27001 without properly documenting your management of this process.

Clause 6.2 (information security objectives and planning to achieve them) now requires you to monitor your information security objectives.  While many organisations are already doing this, those that aren’t will now need to implement a new process to monitor progress against objectives and determine whether they will be met.

Clause 8.1 (operational planning and control) now requires you to set out exactly what needs to be in place when you perform all of the actions under Clause 6.  As this was already a requirement for risk assessment under Clause 6, conformance to the updated Clause 8.1 may be achievable by building on what you already have in place.

For most organisations, the management review agenda is essentially lifted from Clause 9.3 of the Standard, and this agenda will now need to include consideration of changes to the needs and expectations of interested parties due to an addition to Clause 9.3.2 (management review inputs).  Depending on who your interested parties are, you may need to implement processes which will allow you to proactively identify whether there have been changes to their needs and expectations, instead of assuming there haven’t been any.

Challenging Controls

Control 5.7 necessitates a much more dynamic approach to risk management than many organisations currently take, and, as the risks associated with information security are also incredibly dynamic, your entire risk profile can change overnight.  As such, your information security risk management needs to be much more rapid in its response than other, existing management systems within your organisation.

Most organsiations will probably already have some requirements in place to prevent certain information from being accessed by unauthorised parties, both internal and external, which will align with Control 8.11 (data masking).  However, challenges may arise when you consider the strength of the controls that enable you to do so.  Data masking measures can include pseudonymisation, anonymisation, truncation and encryption, for example, if this control is selected in your SoA.

Closing Thoughts

Transition to ISO 27001:2022 can seem daunting, and remaining conformant in your implementation of some new/updated controls and clauses may require a fairly significant amount of effort and consideration. However, through careful planning and learning lessons from some of the early transitions, you will be ideally placed to achieve a seamless and successful transition.