How to transition to the 2022 version of ISO27001

This article gives some guidance on how to transition to ISO27001:2022 from the 2013 version.

This approach is tried and tested in that I have used it to successfully transition an organisation to the new version. In the transition audit there were no nonconformities.

I will be using this approach to transition all my clients.

The official view about how to transition

There is no official view as such about how to transition. The nearest thing is the official guidance (IAF MD 26:2023) from the International Accreditation Forum (IAF) to accreditation bodies (which oversee the certification bodies). It describes the changes and notes that, apart from the Annex A changes, “most of the changes are considered editorial”. With respect to Annex A, it describes the comparison of the organisation's controls with the new Annex A that is needed under clause 6.1.3 because Annex A has changed.

After describing the changes it then says:

“The impact of ISO/IEC 27001:2022 on the organizations that have implemented Information Security Management System (ISMS) need not be significant”.

Note the phrase “need not be significant”.

The changes that might be needed

Before reading the rest of this article you should read the following article, which describes the main changes: https://www.dhirubhai.net/pulse/changes-2022-version-iso27001-chris-hall/

Step 1 – Create a plan

Create a plan (ok, just a list) of the changes you plan to make to the ISMS. The plan I suggest you use is this:

- 4.2 Understanding the needs and expectations of interested parties.

- 5.3 Organisational roles, responsibilities and authorities.

- Annex A changes.

- 6.1.3 Comparison of the controls in the risk assessment with the new Annex A.

- 6.2 Information security objectives and planning to achieve them.

- 6.3 Planning of changes.

- 7.4 Communication.

- 8.1 Operational planning and control.

- 9.3 Management review.

This plan (ok, just a list) is also useful to show the auditor as evidence of meeting requirement 6.3 about planning of changes to the ISMS.

This list does not cover everything that might be needed. For example, the comparison with the new Annex A may lead to updates to the risk assessment and therefore to the Statement of Applicability (SOA). That in turn may mean changes are needed to the performance management approach, the internal audit approach/schedule, policies/procedures, etc. Also, if changes are made to the controls then, as well as changing the internal audit schedule, it may be a good idea to do an internal audit to cover the changes. But you won’t know this until you do the comparison of the controls in your risk assessment with the new Annex A.

Step 2 – Implementation of the changes

Below is an overview of what I recommend that you do for each of these.

4.2 Understanding the needs and expectations of interested parties

Whatever document you have that describes this, I suggest simply highlighting in red those requirements that you think are being addressed by the ISMS. Add a note at the top that says “The requirements that the ISMS will be designed to meet are shown in red.”

5.3 Organisational roles, responsibilities and authorities

Make sure that the roles are communicated as required and keep some evidence that you did so.

Annex A changes

As an overall principle, if you are currently happy with your risk assessment and your ISMS is meeting its objectives, the new Annex A should not make any difference to your policies, procedures and day-to-day operational activities. If it does, that suggests there was something not quite right about what you had before. In other words, the changes needed because of the new Annex A should largely be changes to documentation.

If your organisation does not use Annex A (e.g. it uses all custom controls, or NIST or CSA controls) then the changes to Annex A are of little relevance to you, apart from having to do the comparison of the controls in the risk assessment with the new Annex A. See 6.1.3 below.

If your organisation does use Annex A (most do) then you have a choice about how to transition to the new Annex A.

1) The quick approach

If your organisation uses Annex A you can simplify the transition because, if you want to, you can keep using the 2013 Annex A controls. Yes, you can do that! How to quickly transition to the new Annex A whilst keeping use of the 2013 version of Annex A is covered in this article: https://www.dhirubhai.net/pulse/how-quickly-transition-annex-version-iso270012022-chris-hall/

2) The slow approach

If you are going to remove all references to the old Annex A controls from your Information Security Management System (ISMS) (the slow approach) then this is a bigger job, as outlined in this article: https://www.dhirubhai.net/pulse/slow-approach-transitioning-new-annex-iso270012022-chris-hall/ . This is not recommended, but I expect that many organisations will do this.

6.1.3 Comparison of the controls in the risk assessment with the new Annex A

This requirement hasn’t changed, but you will need to do it using the new Annex A. I suggest you follow the process described here: https://www.dhirubhai.net/pulse/how-do-iso27001-comparison-annex-clause-613-c-chris-hall/

6.2 Information security objectives and planning to achieve them

Whatever documentation you have about objectives you should add some content about how they will be monitored.

6.3 Planning of changes

You need to be able to show some evidence that changes to your ISMS do not just “happen”. This is fairly easy to show: you can show the list/plan you created to make the changes to your ISMS so that it conforms to the new version of ISO27001. A bit recursive, but it should be sufficient for now.

7.4 Communication

You need to update any documentation you have about communication to ensure that it is clear about “how” the communication takes place.

8.1 Operational planning and control

The approach to criteria is somewhat open ended. My suggestion is to add some criteria for each of the controls. That is, for each control identify and document the “criteria”, perhaps in some kind of simple table. One way of thinking about this is to consider these criteria as “success criteria” or “critical success factors”. There is some guidance about this in https://www.dhirubhai.net/pulse/how-define-criteria-processes-iso270012022-clause-81-chris-hall/

This does not fully address the requirements about criteria, but I think it is a good start. Specifically, you also need to properly consider how you ensure that the controls operate in accordance with the criteria you have defined.

9.3 Management review

Assuming you have some documentation about how and when to do the management review, you need to add an agenda item “Changes in needs and expectations of interested parties that are relevant to the information security management system”.

Before your transition audit you will need to hold either a full management review or a very short meeting with the same attendees and just that one agenda item. Record the fact that you did this and what the outcome was. If you have an Information Security Committee you could add this item to be covered at its next meeting.

Summary

If you are going to fully use the new Annex A (you don’t have to) then this will have implications for many parts of your ISMS, notably the risk assessment and the SOA. Also, if the controls change you may need to do an internal audit to assess the status of the controls.

If you are not using the new Annex A then there is not a great deal to do, as listed above.

There are many different interpretations about what is needed to transition but the above is my recommendation and as I have said, I have successfully used this approach to transition a client and I will use it for all my other clients.

Chris

A list of my articles is here: https://www.btrp.co.uk/Articles2

Akhmad Priantoro

Digital Transformation | IT Strategy | IT Strategic Planning | Certified Scrum Practitioner (CSP)

1 year

Thank you for sharing Chris. Indeed a timely piece.
