Last year, on October 25, 2022, the International Organization for Standardization (ISO) published ISO 27001:2022, an update to the 2013 version. At a high level, the update includes:
- Re-grouping of Annex A controls
- New Annex A controls
- Merger/renaming of Annex A controls
Why Was ISO 27001:2013 Updated to ISO 27001:2022?
The ISO 27001:2013 standard was updated to ISO 27001:2022 to address emerging cybersecurity threats and better protect organizations’ information. The new version incorporates changes in technology, regulations, and industry best practices that have evolved since 2013. By updating the standard, ISO aims to ensure that organizations can effectively manage and mitigate risks related to information security. This includes improvements in risk assessment, incident response, and the overall cybersecurity framework. The updated standard also seeks to increase flexibility and adaptability for organizations, allowing them to address emerging threats better.
Changes to the Annex A Controls
The total number of controls has been reduced from 114 to 93. The 2013 version grouped its controls under 14 domains; the 2022 version consolidates those 14 domains into the following four categories:
- Organizational controls: 37 controls
- Physical controls: 14 controls
- Technological controls: 34 controls
- People controls: 8 controls
Note: Your Statement of Applicability must reflect the four-category structure to achieve ISO 27001:2022 certification.
The bulk of your work to achieve certification with ISO 27001:2022 comes from the 11 brand-new controls that were added to Annex A. The purpose of these controls is to improve an organization’s threat intelligence and risk mitigation. The rationale is that threats are ever-evolving, so an organization needs a mindset of continuous monitoring and compliance to stave off threats and stay secure.
When Do You Need to Comply With ISO 27001:2022?
If you want to get ahead, ISO certifying bodies can issue ISO 27001:2022 certifications as of October 31, 2023. The deadline to be ISO 27001:2022 certified is two years later, on October 31, 2025.
October 31, 2023, is also the deadline for organizations to become certified against the 2013 version, with the requirement to meet the 2022 version by the date mentioned above. However, an ISO 27001:2013 certification is accepted until April 30, 2024.
Compliance should not merely be seen as a box-ticking exercise that organizations undertake to meet a deadline. It presents an opportunity for organizations to strengthen their information security practices, gain a competitive edge, and enhance customer trust.
How Carbide Helps Close Gaps and Streamline ISO 27001:2022 Compliance
First, you need to understand the gaps in your security program with respect to ISO 27001:2022. Perform a gap analysis and identify the new processes you must implement to meet the new ISO 27001:2022 controls. Our platform is designed to quickly identify the new tasks you need to complete and to help you track and document their implementation on your path to certification. Book a demo with our team to learn more.