How to transition from ISO 27001:2013 to ISO 27001:2022

Introduction

ISO 27001 is an international standard that specifies the requirements for setting up, implementing, maintaining and continuously improving an ISMS. With the introduction of ISO 27001:2022, there are some important changes that organizations must implement to meet the new requirements.

Main differences between the old and new ISO standard

The latest edition, ISO/IEC 27001:2022, highlights new challenges facing organizations. The main changes can be found in Annex A, in anticipation of the upcoming ISO/IEC 27002, in which new security controls have been introduced, adapted or merged. In addition, the standard has been extended with cyber security and privacy aspects, and the audit terminology has been updated with added guidelines. This supports organizations in risk management, ensures that important aspects are not overlooked, and ensures effective follow-up.

Against the background of the rapid evolution in the field of security, the previous version, dating from 2013, has now been significantly updated. The changes to the security controls are substantial: 11 new, 58 updated, and 24 merged controls. The update reflects:

  • Adoption of digital technologies such as cloud and automation.
  • Increased use of these technologies in recent times.
  • Awareness of cybersecurity and privacy risks.
  • Reflection on the changing threat landscape, including new types of malware and ransomware.
  • Alignment with other recognized best practices such as NIST and COBIT.
  • Renewal of audit terminology and introduction of additional guidelines.


As a result, organizations will need to revise their risk assessments and reconfigure their security controls to meet the new requirements.

Furthermore, the 2022 edition is aligned with the most recent changes in ISO’s High-Level Structure (HLS). These adjustments are based on the latest edition of Annex SL of the ISO/IEC Guidelines Part 1 (2022). However, these adjustments are considered minimal, as the 2013 edition was already one of the first standards to implement the HLS.

Preparing for the transition to ISO 27001:2022

To ensure a smooth transition to the new ISO 27001:2022 standard, there are some important steps that organizations need to take:

1. Perform a gap analysis

Identify the differences between your current ISMS and the new ISO 27001:2022 standard. This involves comparing your current documentation set, risk analysis, risk treatment plan, Statement of Applicability (SoA) and the configuration of the new and changed controls.

How to do this in ISOPlanner

ISOPlanner has a built-in procedure to upgrade from ISO 27001:2013 to ISO 27001:2022. This upgrade procedure activates the ISO 27001:2022 standard next to the 2013 version. It copies all information and creates tasks for you for:

  • New controls
  • Merged controls
  • Split controls
  • Controls that can be mapped but should be checked, because your implementation may have changed
  • Generic tasks for the risk analysis and for deactivating the 2013 standard


Go to the administration section of Standards and click the Edit button behind the currently activated ISO 27001:2013 standard.


At the bottom of the panel, you’ll find an Upgrade button. This brings you to a panel where an automatic analysis of your situation is started. Follow the steps on the screen.

Note that you can try the upgrade in a separate environment by purchasing a Premium subscription. You can downgrade after the project, if needed.

After upgrading, you get a new dashboard with the status of the tasks. This forms the basis of your gap analysis. Go through each task and specify in the task what the differences are for your situation, if any. When there are no differences, you can make a note of this in the task as well and complete the task. Each task contains links (Context tab) to the old and new controls for easy navigation.

The gap analysis is now done. You can get an easy overview through the dashboard by clicking on the segment in the pie chart with tasks in the status Requested.


2. Draw up an action plan

Based on the gap analysis, determine which actions are necessary to adapt your ISMS to the new standard. Assign responsibilities and set deadlines for completing these actions.

How to do this in ISOPlanner

Go through each task and add the work that must be done as checklist items, or create Follow-up tasks when the work is bigger or needs to be done by someone else. Assign people to each task and set deadlines. After this step, the action plan consists of this list of tasks, and you can monitor the progress through the dashboard.

3. Update your risk analysis and treatment plan

Check your current controls against the new Annex A of ISO 27001:2022 to confirm that no essential controls are missing. Adjust your risk analysis and treatment plan based on this comparison.

How to do this in ISOPlanner

First, create a ‘Risk treatment plan’ report and archive it. This records the current situation. Now, check and complete the task with the name ‘Check updated risks’. Because controls can be merged and/or split, the mitigation of risks can change. ISOPlanner has updated the relation between controls and risks based on the new control set. However, your implementation may be specific, so you need to go through each risk and confirm that the controls that mitigate the risk are still correct. Make adjustments where needed. Afterwards, create the report again and let the risk owner(s) approve the changes.

4. Adjust your Annex A controls

Implement the new and changed controls from the new standard. Use the new ISO 27002 as a guide to best practices.

How to do this in ISOPlanner

  1. Based on the tasks, implement the changes (as checklist items or new tasks) you created.
  2. For each control, set the PDCA status to Doing (D). You can do this at a high level; all child controls are then updated as well.
  3. Review the Annual plan. Create new monitoring tasks for the new controls or link them to existing monitoring tasks.
  4. Complete all remaining tasks.
  5. Verify through the dashboard that all controls are implemented.

5. Revision of the SoA

Update your SoA to comply with the new Annex A.

How to do this in ISOPlanner

Create the report ‘SoA ISO 27001:2022’. This is your new Statement of Applicability.

6. Conduct an internal audit

Conduct an internal audit of your updated ISMS to verify that it meets the new ISO 27001:2022 requirements. Identify any shortcomings and develop a plan to address them.

How to do this in ISOPlanner

Follow your established internal procedure. You probably have your internal audit tasks scheduled in the Annual Plan. Nothing specific has to be done in ISOPlanner.

7. Manage the transition

Inform all those involved within your organization about the changes and provide appropriate training and awareness. Ensure effective communication between all departments and teams involved.

How to do this in ISOPlanner

Nothing specific has to be done in ISOPlanner. However, we recommend creating tasks for any action, with the same Tag as the other transition tasks, so that you build a complete dossier.

8. External audit and certification

Prepare for the external audit by a certification body. Make sure you have all the necessary documentation, evidence and plans ready to demonstrate your compliance with the new standard.

How to do this in ISOPlanner

Nothing specific has to be done in ISOPlanner. With the completed task list and the updated risk analysis you have everything you need.

Updated on November 1, 2023