ISMS Transition Process
Transition of ISO 27001:2013 to ISO 27001:2022:
ISO/IEC 27001, or ISO 27001, is the international standard that defines best practices for implementing and managing information security controls within an information security management system (ISMS). ISO/IEC 27001 is one part of the overarching ISO 27000 family of security standards determined by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The purpose of ISO 27001 is to address how organizations establish, monitor, maintain, and improve their ISMS to keep their data, documents, and other information assets secure.
The 2022 version of ISO 27001 was published on 25th October 2022. With this release, ISO 27001:2013 will be withdrawn. Companies certified to ISO 27001:2013 have to transition their certificate to ISO 27001:2022, and there is a 3-year transition period until November 2025. We recommend starting the transition preparations now.
The aim of ISO 27001:2022 is to help organizations manage controls more effectively by grouping them into four clear 'themes': organizational, people, technological and physical. This key change aims to achieve greater clarity, focus and accountability for information security within an organization.
Until October 2025, i.e. within 3 years of the date of publication of ISO 27001:2022, certifications issued against both ISO 27001:2013 and ISO 27001:2022 remain valid, but the transition needs to be completed by 25th October 2025; beyond October 2025, certifications against the latter standard will not be recognized. TNV has planned its activities to permit the migration of certifications to ISO 27001:2022. The expiry date of all certifications issued against ISO 27001:2013 during the migration period must be the final date of the migration period, 25th October 2025; consequently the validity of such certificates becomes less than 3 years, leading to increased costs for the organizations. In order to discourage the old standard, starting from April 2023 (6 months from the date of publication of ISO 27001:2022) TNV shall carry out new audits against the requirements of the new standard and shall not accept any application for ISO 27001:2022.
KEY CHANGES IN ISO 27001:2022:
The security control changes are quite significant, with 11 new, 58 updated and 24 merged controls. The changing scenarios being addressed in particular are:
· Introduction of digital technologies like cloud and automation;
· Recent, increased adoption of such technologies;
· Recognizing cybersecurity and privacy risks;
· Reflecting the changing threat landscape, e.g. new types of malware and ransomware;
· Aligning with other best practices, e.g. NIST, COBIT, etc.;
· Refreshing the control language and adding additional guidance.
The main areas impacted by the changes are:
· Leadership;
· Corporate security;
· IT function;
· Other support functions;
· Delivery (for service providers).
Comparative of ISO 27001:2022 & ISO 27001:2013

| ISO 27001:2022 | Clause | Clause | ISO 27001:2013 |
|---|---|---|---|
| Scope | 1 | 1 | Scope |
| Normative references | 2 | 2 | Normative references |
| Terms and definitions | 3 | 3 | Terms and definitions |
| Context of the organization | 4 | 4 | Context of the organization |
| Understanding the organization and its context | 4.1 | 4.1 | Understanding the organization and its context |
| Understanding the needs and expectations of interested parties | 4.2 | 4.2 | Understanding the needs and expectations of interested parties |
| Determining the scope of the information security management system | 4.3 | 4.3 | Determining the scope of the information security management system |
| Information security management system | 4.4 | 4.4 | Information security management system |
| Leadership | 5 | 5 | Leadership |
| Leadership and commitment | 5.1 | 5.1 | Leadership and commitment |
| Policy | 5.2 | 5.2 | Policy |
| Organizational roles, responsibilities and authorities | 5.3 | 5.3 | Organizational roles, responsibilities and authorities |
| Planning | 6 | 6 | Planning |
| Actions to address risks and opportunities | 6.1 | 6.1 | Actions to address risks and opportunities |
| General | 6.1.1 | 6.1.1 | General |
| Information security risk assessment | 6.1.2 | 6.1.2 | Information security risk assessment |
| Information security risk treatment | 6.1.3 | 6.1.3 | Information security risk treatment |
| Information security objectives and planning to achieve them | 6.2 | 6.2 | Information security objectives and planning to achieve them |
| Planning of changes | 6.3 | 6.3 | Planning of changes |
| Support | 7 | 7 | Support |
| Resources | 7.1 | 7.1 | Resources |
| Competence | 7.2 | 7.2 | Competence |
| Awareness | 7.3 | 7.3 | Awareness |
| Communication | 7.4 | 7.4 | Communication |
| Documented information | 7.5 | 7.5 | Documented information |
| General | 7.5.1 | 7.5.1 | General |
| Creating and updating | 7.5.2 | 7.5.2 | Creating and updating |
| Control of documented information | 7.5.3 | 7.5.3 | Control of documented information |
| Operation | 8 | 8 | Operation |
| Operational planning and control | 8.1 | 8.1 | Operational planning and control |
| Information security risk assessment | 8.2 | 8.2 | Information security risk assessment |
| Information security risk treatment | 8.3 | 8.3 | Information security risk treatment |
| Performance evaluation | 9 | 9 | Performance evaluation |
| Monitoring, measurement, analysis and evaluation | 9.1 | 9.1 | Monitoring, measurement, analysis and evaluation |
| Internal audit | 9.2 | 9.2 | Internal audit |
| General | 9.2.1 | – | – |
| Internal audit programme | 9.2.2 | – | – |
| Management review | 9.3 | 9.3 | Management review |
| General | 9.3.1 | – | – |
| Management review inputs | 9.3.2 | – | – |
| Management review results | 9.3.3 | – | – |
| Improvement | 10 | 10 | Improvement |
| Continual improvement | 10.1 | 10.1 | Nonconformity and corrective action |
| Nonconformity and corrective action | 10.2 | 10.2 | Continual improvement |
While some controls appear to have been merged, other controls look new and might require some tweaking of the existing implementation:

| ISO 27001:2022 | ISO 27001:2013 |
|---|---|
| A.5.7 Threat intelligence | A.6.1.4 Contact with special interest groups |
| A.5.16 Identity management | A.9.2.1 User registration and de-registration |
| A.5.23 Information security for use of cloud services | A.15.x Supplier relationships |
| A.5.29 Information security during disruption | A.17.1.x Information security continuity |
| A.5.30 ICT readiness for business continuity | A.17.1.3 Verify, review and evaluate information security continuity |
| A.7.4 Physical security monitoring | A.9.2.5 Review of user access rights |
| A.8.9 Configuration management | A.14.2.5 Secure system engineering principles |
| A.8.10 Information deletion | A.18.1.3 Protection of records |
| A.8.11 Data masking | A.14.3.1 Protection of test data |
| A.8.12 Data leakage prevention | A.12.6.1 Management of technical vulnerabilities |
| A.8.16 Monitoring activities | A.12.4.x Logging and monitoring |
| A.8.23 Web filtering | A.13.1.2 Security of network services |
| A.8.28 Secure coding | A.14.2.1 Secure development policy |
Validity of certifications issued under the existing version, i.e. ISO 27001:2013
ISO 27001:2013 certifications will not be valid after three years from the publication of ISO 27001:2022, i.e. 31st October 2025. The expiry date of certifications to ISO 27001:2013 issued during the transition period needs to correspond to the end of the three-year transition period, and the last date would be 31st October 2025.
· Routine surveillance Audit or
· Recertification audit or
· A special audit
Transition Audit and Audit Duration:
Where transition audits are carried out in conjunction with scheduled surveillance or recertification audits (i.e. a progressive or staged approach), additional time shall be required to ensure that all activities are covered for the existing and new standards. Certification to the new standard ISO 27001:2022 may be granted only after conformance to ISO 27001:2022 has been demonstrated:
i) TNV shall start accepting transition requests by April 2023. TNV plans a single-visit approach in the normal case, but on special request from the client a staged process may be adopted. The transition may be carried out either by a special audit for the transition or together with the surveillance audit. Man-days for the transition may be as follows:
a. In case of a special audit, 1/3rd of the initial audit man-days, subject to a minimum of 1 man-day.
b. In case of a transition audit planned with the surveillance audit, the duration of the surveillance audit shall be increased by 20% of the required man-days, subject to a minimum of 0.5 man-days.
c. In case of a transition audit planned with the recertification audit, the duration of the surveillance audit shall be increased by 20% of the required man-days, subject to a minimum of 0.5 man-days.
ii) Certificates issued under ISO 27001:2013 shall not be affected and shall remain valid until the expiry of the certificate issued under the old version of the standard (i.e. 25th October 2025).
iii) TNV shall issue certificates for ISO 27001:2013 with an expiry date on or before 25th October 2025, and this date can be extended to 25th October 2022. If the client fails to complete the transition within three years of the publication of ISO 27001:2022, the certificate shall lose its validity. This clause shall not affect the surveillance requirements of TNV. In case the transition is not completed during the validity period of the standard, the whole certification process shall be required (Stage-1 and Stage-2 audits become necessary for certification to be reinstated).
During the transition, TNV shall include and consider the following:
· All issues that require client action for compliance with the new requirements should be clearly identified and raised as documented findings.
· Only when all identified outstanding issues have been appropriately addressed and the effectiveness of the management system has been demonstrated can approved auditors recommend certification to the ISO 27001:2022 standard.
· Records should be available to demonstrate that all prior transition audit findings have been evaluated for corrective action and compliance before any recommendation for approval to ISO 27001:2022 can be made.
· Evaluation of a client's conformance to the new requirements during the transition phase does not interfere with the client's on-going conformance to ISO 27001:2022.
Common Guidelines for transition:
TNV shall take the following actions for the transition to ISO 27001:2022:
1. Identify organizational gaps which need to be addressed to meet the new requirements. Clients may refer to "GAP Analysis of ISO 27001:2022", Annexure 01 of this document.
2. Develop an implementation plan.
3. Provide appropriate training and awareness for all parties that have an impact on the effectiveness of the organization.
4. Update the existing Information Security Management System (ISMS) to meet the revised requirements and provide verification of effectiveness.
5. Liaise with TNV (your Certification Body) for transition arrangements.
All clients need to complete the transition before the expiry date of the old ISMS standard, i.e. ISO 27001:2013. This means that Management System Certificates issued under ISO 27001:2013 may be valid until 25th October 2025 only, and the transition to ISO 27001:2022 must take place before this date.