Sep 16, 2022

ISO 27001 2022 Key Considerations and Transition Timeline

The International Organization for Standardization (ISO) 27001 standard is intended to help organizations protect the confidentiality, integrity, and availability of their information. It provides requirements for an Information Security Management System (ISMS) and includes best practices for helping organizations manage their information security.

We anticipate that ISO will release an update to this widely-adopted standard before the end of 2022. This release will be the first major update to the standard since 2013 and will likely require a substantial amount of work for currently-certified organizations to implement.

In June, we published a blog post highlighting what we expect to be the major changes introduced with the 2022 ISO 27001 release and steps you can take to prepare for it. This blog post will serve as a quick reminder about the timeline for certification and key things you should be doing to prepare for this significant update.

What’s the Certification Deadline for the 2022 ISO 27001 Release?

Currently-Certified Companies

As is the norm for other ISO standard releases, there will be a transition period of three years after publication of the 27001 release for currently-certified companies. Assuming that the release is published before the end of 2022, as we anticipate, companies will need to certify for the update before the end of 2025.

We recommend the following high-level timeline for currently-certified companies to ensure they are able to meet the certification deadline:

  • 2022 or Early 2023—Conduct Readiness Assessment to understand the changes that will be required.
  • 2023—Review and Modify ISMS policies and supporting documentation.
  • 2023—Implement new controls or modify existing controls.
  • Late 2023 or 2024—Start to certify against new release.

Currently-certified companies may wish to pursue a more aggressive timeline than this in order to benefit sooner from the heightened levels of security and privacy included in the new 27001 release.

Companies Seeking First Certification

Once the 2022 ISO 27001 release is published, organizations wishing to certify for ISO 27001 for the first time will be required to comply with the 2022 release requirements. If you fall into this category, there is no time to waste. You should be preparing for this now and should plan to complete the steps described below within 6-12 months:

  • Readiness Assessment—Conduct Readiness Assessment to understand the changes that will be required.
  • Gap Remediation—Review, create and implement policies, procedures, and documentation based on readiness assessment results.
  • Control Implementation—Implement new controls or modify existing controls.
  • Internal Audit—Schedule and conduct an internal audit.
  • External Audit—Schedule and conduct a two-part (Stage 1 and Stage 2) external audit.

What Are the Main Things We Need to do to Prepare for the 2022 ISO 27001 Release?

Here are some key things you’ll need to do to prepare for certification to the 2022 ISO 27001 release:

  • Purchase and review the ISO 27002:2022 document in detail to understand the changes. This advisory document has already been published by ISO and it provides guidance to help organizations implement an ISMS that is compliant with the 2022 ISO 27001 release.
  • When the ISO 27001:2022 document is published later this year, purchase and review it to ensure you understand the new requirements in detail.
  • Identify changes to your controls, policies, procedures, and systems that will be required to comply with the updated version of 27001. Based on our understanding of the upcoming release, these are some of the key things you will need to do:
    • Make significant process updates to accommodate new and revised controls and terminology. In some cases, control requirements have been combined or re-worded.
    • Address expanded requirements for Business Continuity Planning (BCP) and Disaster Recovery (DR).
    • Incorporate strengthened controls to guard against data leakage.
    • Enhance privacy controls to align with privacy regulations that have been implemented in recent years.
  • Develop and execute a plan for making the changes needed to align your organization with the updated 27001 requirements.
  • When the ISO 27001 update is published later this year, compare it to your plan to see if any adjustments are needed.

Additional Resources

Here are additional resources that provide a deeper dive into the topics covered in this blog post:

Tevora Can Help

You shouldn’t feel like you need to tackle this significant effort alone. Tevora’s experienced team of ISO and security experts has worked with some of the world’s leading companies to help them implement ISO 27001, and we’d welcome the chance to do this for you.

Over the years, we’ve developed a proven, four-step approach that puts you on a fast track to compliance with ISO 27001 and other ISO standards. Here’s a summary of our approach:

Tevora’s Four-Step ISO Compliance Process

If you have questions about ISO 27001, ISO 27002, or would like help bringing your organization into compliance with ISO 27001, just give us a call at (833) 292-1609 or email us at sales@tevora.com.