© 2020 Content Security Pty Ltd.

The ISO/IEC 27001:2022 compliance countdown has begun: will your company be ready by October 2025?

In brief:

  • The latest ISO/IEC 27001:2022 was released in October 2022 and accompanied by new releases of ISO/IEC 27002:2022 and ISO/IEC 27005:2022 in February 2022 and October 2022, respectively.
  • It’s a globally recognised framework for companies to set up, roll out, maintain and improve information security, cyber security and privacy protection.
  • Key changes from the earlier versions of the standard and Annex A include:
    • A greater focus on processes
    • How to plan for changes
    • New terminology databases, and
    • New requirements for documented information, communication, and monitoring.
  • Companies certified with the 2013 version must transition to the latest by 25 October 2025.

Take note if your organisation is among the more than 40,000 organisations certified to the globally recognised information security standard, ISO 27001. The same applies if you are certifying for the first time.

A revamped version – ISO/IEC 27001:2022 – was issued in October 2022. And you’ve got less than three years to comply with the changes.

What is ISO/IEC 27001:2022?

The International Organization for Standardization (ISO) has issued these generic requirements for companies to set up, roll out, maintain and improve information security, cyber security and privacy protection. The standard isn’t a list of security controls to implement, but rather a risk-management framework you’ll need to tailor to your organisation in order to comply.

ISO/IEC 27001:2022 is best practice for information security that focuses on controls relating to people, physical objects, technology and the organisation. This framework helps you defend your company against:

  • Accidental breaches
  • Human error
  • Typical internal threats, and
  • Highly organised cyber-attacks.

That means the standard will benefit your organisation by reducing the risk of issues that could lead to penalties, financial losses, and reputational damage.

Who needs this global benchmark?

While ISO says its standards are voluntary, the Australian government has mandated them in industries including data centre hosting and ICT. For example, here are the Australian Taxation Office’s requirements for digital service providers. Your company may need ISO/IEC 27001 certification for legal, contractual, regulatory and business requirements, or your customers may request it.

The standard is time-tested and links well with management systems such as QMS, PIMS, SMS, and BCMS.

Any organisation can benefit from gaining ISO/IEC 27001:2022 certification, whatever your business size. Big businesses such as Microsoft, Google, Amazon and other Fortune 500 companies have been certified. You can check out how many valid certificates were issued as of 31 December 2021. Australia is in the top 15 countries on that list.

There are costs involved, such as for qualified auditors to complete the required external audits. We highly recommend using professional advisors for initial implementation, too.

How is the 2022 version different?

Here are the major changes:

  • New relevant requirements (4.2), which cover understanding the needs and expectations of interested parties. You’ll need to work out which of these requirements you’ll address through the information security management system,
  • A greater focus on that system’s processes (4.4) and their interactions
  • Risk assessment and treatment should be monitored and documented as part of 6.2 (the information security objectives) and 9.2
  • More details about how you plan, implement and control your processes to meet the standard (8.1)
  • You need to plan changes to your information security system (there was no mention of this in the previous version)
  • Your organisation should detail how it will communicate (7.4) internally and externally about issues regarding its information security management system, and
  • 11 new controls (Annex A), including information security for cloud services, ICT readiness for business continuity, physical security monitoring, configuration management, information deletion, masking data, preventing data leakage, monitoring, web filtering and secure coding.

Making the changes happen

To start, consider creating mapping tables with other standards. Next, use this process between now and the 25 October 2025 deadline:

  • Check your risk treatment plan aligns with the current standard’s structure and control numbering
  • Review and update your statement of applicability. It may help to use two spreadsheets comparing the previous and current versions
  • Focus on your inputs to review and update your ISMS management review procedure
  • Check your monitoring, measurement, analysis and evaluation procedures support your updated information security objectives
  • Revamp your communication plan
  • If needed, review and update other standards, policies and procedures
  • See if your checklists and questionnaires for internal and external audits are fit for purpose, and
  • Evaluate and overhaul your third-party security tools, so your records show you comply with the new requirements.

Having ISO/IEC 27001 certification gives your clients, customers, suppliers and other stakeholders peace of mind that you’re protecting them and your information assets from cyber security threats.

You should now feel more comfortable steering your organisation towards compliance by the deadline. Proper planning will help ensure your success in meeting the current version of ISO/IEC 27001 certification.

For more information please contact our cybersecurity professionals today.
