Late last year, a replacement for ISO 27001 was announced, designed to help businesses improve their cybersecurity, information security, and privacy protection. All organisations that wish to remain ISO 27001 certified will need to transition to the ISO 27001:2022 update before the end of the transition period in October 2025.
What exactly is the ISO 27001:2022 update, though, and what are the requirements businesses need to follow to ensure they remain certified? In this latest blog, we thought we would take a closer look…
The ISO 27001:2022 certification is the leading international standard for information security. It was published jointly by the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC), and forms part of a set of standards that outline how businesses need to handle information security.
The framework is designed to be used by any organisation, no matter their size or the industry they work in. The aim of the certification is to ensure companies have clear guidance on how to establish, implement, maintain and improve their information management system.
With the threat of cybercrime on the rise, ISO 27001 is a vital certification for any organisation. Although it is most commonly adopted by businesses within the Information Technology (IT) sector, any company that achieves the certification will be able to showcase to their customers that they care about their data and have taken steps to keep it safe.
The standard is an important part of an Information Security Management System (ISMS), which is a set of policies and procedures designed to systematically manage all sensitive data. An ISMS can address everything from employee behaviour through to data processes and the technology you use.
There are many benefits to achieving the ISO 27001:2022 certification, including:
One of the biggest benefits of having ISO 27001 certification is that it will give you a clear overview of your current information security. Maintaining the certification requires regular audits and reviews to ensure businesses are continually improving their security against the ever-changing threats posed by cybercriminals.
As your business grows and new technology gets adopted, the landscape can quickly become confusing. ISO 27001:2022 helps to clearly outline the responsibilities that organisations need to follow. This can help to increase productivity by ensuring everyone understands who is responsible for information management, and it can also improve decision-making by helping businesses understand the risks and how best to manage them.
With the threat of cyber attacks on the rise, ISO 27001:2022 certification helps to protect your business from these risks, demonstrating to your customers that you have taken steps to protect their data. This is a very important step in improving your reputation, helping you to take your brand to the next level.
Finally, ISO 27001 certification ensures that your business is complying with all legal, contractual and regulatory requirements around GDPR and NIS.
The announced update of the ISO 27001 certification is in response to the rapidly changing environment. The 2022 version features several important improvements and updates alongside new guidance and requirements around the governance of data, keeping the supply chain secure, and how to use cloud services.
One of the biggest changes in the 2022 update is the addition of a new risk assessment process. The process is based on the same risk management standards found in ISO 31000, creating a more flexible and adaptable process for risk assessment. This allows organisations to better tailor the strategies to their specific circumstances and needs.
The update also saw a number of new controls added, including
Alongside announcing the details of the update, when ISO 27001:2022 was released a transition period was also launched. This means that in order to remain certified, businesses will need to implement these changes within this time period. Some key dates to remember:
31st October 2022
This was the date that the transition period began.
1st May 2024
This is an important date, as from the 1st of May all new certifications should be issued against the ISO 27001:2022 standard. It is also from this date that all recertification audits will need to use the criteria set out in the 2022 update.
Until then, though, organisations can still submit certification applications under the original 2013 criteria.
21st July 2025
This is the date that all ISO 27001 transition audits should be completed.
31st October 2025
The end of October 2025 is when the ISO 27001 transition period comes to an end, and all certificates for ISO/IEC 27001:2013 will no longer be valid.
In order to remain compliant, all organisations will need to implement the required changes within the ISO 27001 transition period. The first step in preparing for the transition is to ensure that your management system is updated so that it is in line with the requirements set out in the new guidelines. This will need to be done before the audit is undertaken, and you will need to demonstrate things such as documentation changes as well as any changes or additions to process requirements.
Ahead of the formal audit, businesses will also need to undertake their own internal audit and management review to ensure that all of the new changes have been implemented. If you are unsure if you are meeting all of the required changes, then you should consider having an ISO 27001 transition audit undertaken to ensure that you are able to maintain your certification.
The ISO 27001 transition audit will confirm that all of the required revisions have been implemented. It can be conducted in conjunction with an existing audit or as a standalone option, with the duration dependent on the option you select.
In this fast-paced digital world, ensuring that your business is keeping client data safe and secure from the growing threat of cybercriminals is essential. Here at Critical Path, our mission is to help our clients to plan, monitor and control their projects effectively, ensuring they can reach their goals and overcome any obstacles they may face.
We can help you with your ISO 27001 transition, supporting you every step of the way to ensure that you are fully compliant. Get in touch today to learn more about our services and how we can help you.