Choosing between ISO 27001:2013 and ISO 27001:2022


Introduction to ISO 27001 Updates

It is important to stay current with, and adhere to, the latest standards. Among the ISO standards, ISO 27001 is a code of practice for information security management, supported until now by ISO/IEC 27002:2013. On October 25, 2022, the International Organization for Standardization (‘ISO’) announced the updated standard ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements (‘ISO/IEC 27001:2022’). The latest version of ISO 27001 is therefore ISO 27001:2022, which lets organizations implement information security procedures while reducing the risks associated with data storage and the management of information sources more effectively than ISO 27001:2013.

Here is an “ISO 27001 Overview and Guides” by TrustCloud, and another article with a deep dive on the changes introduced by the new version: How do I navigate the changes between ISO 27001:2013 and ISO 27001:2022?

Things to consider while choosing between ISO 27001:2013 and ISO 27001:2022

First, let’s look at the transition requirements. Consider the following points before deciding what will work best for your organization:

  1. Your state of readiness to address the ISO 27001:2022 standard.
  2. Your state of readiness for the ISO 27001:2022 changes if you are an ISO 27001:2013-certified organization.
  3. Choosing an accredited certification body (CB).
  4. Being aware of the ISO 27001:2022 Required Document List.
  5. Being aware of the mapping of controls between ISO 27001:2013 and ISO 27001:2022.
  6. Being aware of the audit checklist.

To start implementing the 2022 revision of ISO 27001, schedule a demo with TrustCloud, the leading ISO 27001 compliance and trust assurance platform.

Depending on your readiness, let us consider the following scenarios, and you can choose the best solution yourself.

Scenario 1:
If your organization has decided to implement ISO 27001 but has not yet decided between 27002:2013 and 27002:2022, the choice depends entirely on how urgently you need to be certified. If, for example, an existing or potential client is waiting for you to be certified before engaging with you, then your Statement of Applicability (SoA) should refer to the ISO 27002:2013 Annex A controls. You can refer to TrustOps and TrustCloud’s compliance products for all your compliance readiness needs; TrustOps provides our customers with a mapping of the new controls to the old Annex A controls.

If there is no urgency to be certified, we suggest you start implementing the controls and the existing clauses as described in ISO 27001:2022. When you are ready for ISO 27001:2022, commence the certification requirements.

Scenario 2:
If your organization is already ISO 27001:2013 certified and goes through surveillance audits every year, you can consider adopting ISO 27001:2022 and implementing the required changes. The changes relative to ISO 27001:2013 are moderate and mainly concern the way controls are organized. A few controls can be added to your existing documentation, following the changes to the Annex A controls, to complete your organization’s transition from ISO 27001:2013 to ISO 27001:2022. Because the changes are moderate, the transition effort should be minimal.

For ISO 27001:2022, the main changes in the documentation are as follows:

  1. Aligning your risk treatment process with the new controls
  2. Updating your Statement of Applicability
  3. Adapting certain sections of your existing policies and procedures

There is a two-year transition period for certified organizations to revise their systems to comply with ISO 27001:2022, so you need not worry about the time and effort involved in making the necessary changes.

The certifying auditor will check if you have adapted your documentation within the transition period during your regular audits. Here is a guide to “Finding an appropriate auditor”.

This article by Protiviti describes the types of ‘transition audits’ that can be performed.

The transition must be completed before July 2025; here is a detailed description of the transition period by the Global Certification Body.

Ensuring your readiness:

To ensure your readiness for ISO 27001:2022:

  1. Conduct a gap assessment.
    Complete a gap or readiness assessment to map your existing controls to the revised standard and determine what changes your company needs to make to achieve certification under the new version. Check out TrustOps, and its gap analysis in particular, for insight into your compliance readiness.
  2. Start implementing the new controls.
    Once the assessment is complete, start implementing the new controls throughout 2023.
  3. Conduct a new audit.
    Given that the deadline to be compliant is October 31, 2025, good planning will let you be ready for an early audit. Here is a guide to “Preparing for an ISO 27001 Audit”.

We recommend using TrustCloud to accelerate ISO 27001 readiness.

How can TrustCloud help you?

At TrustCloud, we fulfill all your compliance needs to implement an ISO 27001-compliant ISMS and achieve certification to the standard.

Whether you are looking to achieve ISO 27001:2013 accreditation or need help transitioning to the soon-to-be-published ISO 27001:2022, TrustCloud is here to help. We are an ISO 27001-certified company, and our audit partners are certified ISO 27001 auditors.

Book a demo with one of our experts to get started on your ISO 27001 journey.

If you are an existing customer of TrustCloud and are ready to conduct your readiness assessment, please contact your account manager today.

New to compliance? Get our fast and affordable way to achieve compliance for free.
