ISO 27001 is a widely adopted international standard that sets out a systematic and adaptable approach to managing information security. It enables organisations to establish a culture of continuous improvement, stay ahead of emerging threats, and ensure business resilience in the face of evolving cybersecurity challenges.
A new version of this standard – ISO 27001:2022 – was published on 24 October 2022. I recently led the transition to this version and wanted to share my key takeaways.
The transition process is used when a standard has changed. In this case, organisations certified to the existing ISO 27001:2013 standard must transition to the new ISO 27001:2022 version of the standard by 2025.
Transitioning to ISO 27001:2022 can seem daunting, but I recommend doing it early. Why? The controls are better written, with clearer directions on how to comply. Overlapping or similar controls were condensed into a single control (from 114 controls in 14 groups to 93 controls in 4 groups). Overall, 11 new controls were introduced, 58 existing controls were revised and 24 controls were merged.
I found the audit process quite smooth and, due to the updated structure, there was less repetition for evidence gathering and submission.
It’s expected that standards and frameworks will evolve in line with technological trends and the increasing maturity of the cybersecurity industry. As security leaders, it’s our job to navigate this transition and enable businesses to build trust in this digital age.