ISO/IEC 27001:2013 --> 2022 transition

SEE UPDATE 19th Feb 2023


The third edition of ISO/IEC 27001 will have a few changes in the main body text and a complete replacement for Annex A based on ISO/IEC 27002:2022.

The transition arrangements are still uncertain but this is my understanding at this point:

  • Nobody can use ISO/IEC 27001:2022 formally until it is published - any day now;

  • The International Accreditation Forum will update a mandate for its members, the accreditation bodies, early in 2023 with details of the three-year transition period:
    • Accreditation and certification bodies will be required to update their processes, and train and prepare auditors for accreditation and certification against the new standard within a year of its release;
    • Organisations may wish to be certified against the new standard as soon as the certification bodies are ready to do so, or may (continue to) use the old standard for up to three years beyond its release, meaning a full certification cycle;

  • Already (right now), organisations are free to declare any or all of the controls in ISO/IEC 27001:2013 Annex A inapplicable in their Statement of Applicability, instead opting to use an appropriate selection of controls e.g. from ISO/IEC 27002:2022, NIST SP800-53, NIST CSF, ISF, COBIT, CSA, GDPR, PCI-DSS and whatever other sources they like (even entirely custom control sets) in accordance with the current ISO/IEC 27001:2013 clause 6.1.3 note 2, which says in part "The control objectives and controls listed in Annex A are not exhaustive and additional control objectives and controls may be needed."

  • Regardless of where the controls come from, organisations must:
    • Use Annex A as a checklist to confirm that they have not neglected controls that are in fact applicable to them i.e. they are necessary to mitigate their information risks;
    • Justify their rationale for not selecting any controls listed in Annex A;
    • Justify the inclusion of 'necessary' controls in the ISMS SoA on the basis that they are required by the organisation to treat its unacceptable information risks;
    • Indicate their implementation status;
    • Retain sufficient documentary evidence to convince the certification auditors that the requirements of the standard have been met.

It is worth knowing that ISO/IEC 27001:2013 Annex A can be declared entirely inapplicable, since it is an out-of-date and incomplete reference set of information security controls. ISO/IEC 27002:2022 is considerably improved, but even so it remains incomplete and weak in some areas, and hence may well need to be supplemented by other controls that are relevant to each organisation's information risks.

Certification bodies should already be capable of certifying organisations that declare the current Annex A controls inapplicable, opting for other control sets instead. I'm not clear why they and the accreditation bodies would need up to a year to prepare for ISO/IEC 27001:2022. Therefore they may be ready sooner, especially given that their primary job is to confirm the mandatory management system elements against the '27001 main body clauses (which will remain substantially the same as now with a few changes), rather than conducting an in-depth audit of the information security controls being managed (which is primarily the organisation's concern rather than the certification body's).