ISO/IEC 27001:2022 pros and cons
















I can think of eight key advantages and opportunities in adopting the new third edition of ISO/IEC 27001 as opposed to the second edition nearly a decade old:

  1. Small but significant and very welcome changes to the wording of clause 6.1.3 e.g. greater clarity on the intended purpose of the controls catalogue in Annex A as a means of identifying controls that might be necessary (to mitigate unacceptable information risks), not a shopping-list of expected or required controls; 

  2. The new clause 6.3 on planning ISMS changes is an opportunity for management to take stock, consider and plan the migration to the new version - just one of many potential changes that would benefit from being deliberately, consciously planned;

  3. A completely restructured and thoroughly revised controls checklist (Annex A), with a few new controls, improved wording to update many, and the addition of control attributes to help identify potentially relevant/applicable controls;

  4. The chance to review and update pre-existing ISMSs, from the ground-up if needs be, perhaps to revise strategies, governance and management approaches in this area, update budgets and policies, clarify objectives etc.;

  5. Moving ahead with the times, keeping pace with developments in the field;

  6. Increased focus on, and general awareness and understanding of, information risk, security, management, governance, assurance, compliance etc.;

  7. Acknowledgment that even a good, popular, well-regarded standard can still be improved upon;

  8. Another step on the security maturity journey, driving improvements to the management of information risk, information security etc
It's not all good news though. Countering those reasons to move to the new edition are disadvantages and challenges:

  1. Inertia!  Anything new or different takes time to settle in and adjust to, creating problems for highly regimented, rule-driven, complex or stable/mature organisations, and individuals who are change-resistant slow-adopters, set in their ways; 

  2. The new clause on planning changes is so concisely and ambiguously worded that it could become a nightmare if interpreted/applied too broadly and strictly, particularly by egocentric, over-assertive, naive, misinformed or inept "jobsworth" certification auditors;

  3. The costs of change e.g. studying the new version, informing and training people, planning and then making various updates to existing strategies, plans, policies, support systems, products and services etc.;

  4. The risks of change e.g. uncertainties, doubts, limited understanding of what is truly required, or of the distal effects as changes ripple across the organisation and beyond into supply chains, industries and global society;

  5. Unrealistic expectations, perhaps, that enthusiastically adopting the shiny new version will somehow completely mitigate all information risks, eliminating incidents which the old version failed to do;

  6. Finding accredited certification bodies willing and able to certify to the third edition;

  7. Perpetuates the emphasis on IT or cyber security rather than information security, and on risk mitigation through security controls rather than other risk treatments;

  8. Perpetuates the myth that security is primarily if not exclusively about reducing/preventing bad things, as opposed to allowing/enabling good things (e.g. maintaining the quality and timeliness of information needed for important decisions, processes and purposes);

  9. Starts the countdown clock ticking for organisations familiar with and comfortably certified to the 2013 version, with three years to transition to the new edition.
In my opinion*, the advantages of transitioning to or adopting the new version are valuable, easily outweighing the disadvantages that can be minimised or simply ignored ... but your organisation, management, understanding, business situation, objectives and strategies may dictate otherwise, and I can't make that decision for you - for example there may be resourcing or timing constraints, obligations to third parties, or simply "too much else on the go right now" (other priorities).    


* I freely admit to being biased, as an active contributing member of the ISO/IEC JTC 1/SC 27 committee responsible for the standards. I'm proud of what we have achieved as a global community of experts working together.