ISO 27001 Transition from 2013 to 2022
ISO 27001 Information Security Management Systems Certification
The ISO 27001:2022 update introduces changes to the international information security standard: minor structural changes to the management system clauses and a major overhaul of Annex A. The Annex A changes comprise a restructure into themes, 11 new controls, 57 controls merged into 24, and 58 updated controls.
The total number of controls in Annex A has been reduced from 114 to 93. The controls are now grouped into 4 ‘themes’, as opposed to the 14 control domains (A.5 to A.18) of the previous version. The themes are:
- People (8 controls) – risks related to individuals, for example, remote work, employment screening, confidentiality, or non-disclosure agreements
- Organisational (37 controls) – risks related to the organisation, for example, information security policies, control and return of assets, and information security for the use of cloud services
- Technological (34 controls) – risks related to technology, for example, secure authentication, deletion of information, prevention of data breaches, or outsourced development
- Physical (14 controls) – risks related to physical objects and premises, for example, storage media such as USB drives, maintenance of equipment such as servers, securing offices, rooms and facilities, or physical security monitoring such as CCTV
The 11 new controls include:
- Threat intelligence
- Information security for the use of cloud services
- ICT readiness for business continuity
- Physical security monitoring
- Configuration management
- Information deletion
- Data masking
- Data leakage prevention
- Monitoring activities
- Web filtering
- Secure coding
While there have been some changes to the mandatory documentation, producing a Statement of Applicability (SoA) against Annex A remains mandatory for certification to ISO 27001:2022.
Compass Assurance Services is accredited by JAS-ANZ to certify ISO 27001 Information Security Management Systems. Our accreditation number is M5310713AO
Download our free ISO 27001:2022 Transition Guide for all the updates and changes to the Information Security standard
I am certified to ISO 27001:2013, how do these changes affect me?
Businesses currently certified to ISO 27001:2013 will need to produce a Statement of Applicability (SoA) aligned with ISO 27001:2022, as Annex A has changed. Our free guide maps Annex A of ISO 27001:2013 to Annex A of ISO 27001:2022.
Allow for at least 1 day (8 hrs) of audit time when it is carried out as a separate audit or during your surveillance audit; and at least 0.5 day (4 hours) during your recertification audit. This transition audit can happen in conjunction with your upcoming surveillance or recertification audit, or at a separate time.
The transition to ISO 27001:2022 must happen before 25th October 2025.
What is ISO 27001 Information Security?
ISO 27001 is part of the ISO 27000 certification family and includes requirements for the assessment and treatment of information security risks tailored to the needs of the organisation. It’s not all about risk though.
Why do I need ISO 27001 Certification?
Certification gives you, your employees, regulators and clients confidence that your information security risks are known and adequately managed.
What are the benefits of ISO 27001 Certification?
Companies often initially seek certification for external reasons such as getting onto preferred supplier lists, improving company image and responding to customer demands. The benefit of this is obvious – more work.
How can I get certified?
Getting ISO certification is a lot easier than you might think. We take you through the three-step audit process, from your initial enquiry to the final certification decision.
Have you looked at our self assessment checklist yet?
We worked hard so you don’t have to. Our checklists break down the standard in plain English so you can understand the requirements and what your business needs to do to get certified.
Come along to one of our Workshops for ISO 27001 Information Security Essentials
Gaining ISO 27001 Information Security Management Systems certification doesn’t have to be a difficult or confusing process. We’ve developed our range of essentials training courses to de-mystify the requirements and provide a contextualised understanding of ISO 27001 to your business.
Our experienced trainers are our auditors too, and they focus on the areas of the standard they see businesses have difficulty with.
ISO 27001 Information Security Key Concerns
As organisations have become more connected, with increased information flows, productivity has improved dramatically. The flip side is that we are now more reliant on this data and information than ever before. If an organisation's data becomes corrupted, destroyed or falls into the wrong hands, it can have serious commercial and legal consequences.
The adoption of an information security management system is a strategic decision for an organisation; it demonstrates a commitment to managing information appropriately and responsibly.
Certification to ISO 27001 provides you with an independent endorsement that your commitment to information security meets international standards. Clients, partners and other stakeholders can have confidence that your systems to protect information are appropriate, effective and have been audited regularly. Certification to ISO 27001 may help you access markets, grow your client base and improve your systems.
That’s where Compass Assurance Services comes in. We get it.
Eliminating all information security risks from your business is probably not achievable. The controls adopted should be proportional to the level of risk. An organisation could implement very onerous controls to bring risk ratings down to a bare minimum, only to find that it is no longer able to conduct business effectively. The key is balance, and an awareness of what risks are out there.
Compass Assurance Services has experienced auditors with practical experience; we are able to work through the process, and the risk methodologies and controls you have applied to manage information security.
• You will have confidence that your processes to address your regulatory and legal obligations are appropriate
• You will have gained a powerful marketing tool, which may help you win new clients, enter new markets or put you in a different league to that of your competitors
• You will have gained significant insights into how your business manages one of its most valuable commodities – information
Four ways to protect your Information Security
ISO 27001 certification is aimed at establishing processes that safeguard your information from unauthorised access, use, destruction, modification or disclosure. Information security is an essential component of the successful operation of any organisation, regardless of size or industry.
Your business will deal with sensitive information of some sort, be it employee or client details, financial information, or even patents and other intellectual property. Here are four easy-to-implement tips to establish your information security procedures and protect your sensitive information from falling into the wrong hands.
Tip one: Know how to spot a fake email
This one may seem like email 101 to most of us, but it is easy to disregard.
Fake emails often carry malicious attachments or links to phishing pages that harvest credentials or deliver malware. Ensuring that all your staff know the traits of a fake email and how to spot them is an essential first step to ensuring your organisation isn't caught out. Some things to keep an eye out for are:
- Calls for action – terms like ACT NOW or IMMEDIATE ACTION REQUIRED are designed to pressure the reader into acting before thinking
- Incorrect spelling or grammar
- Requests for personal information, passwords or payment details – a legitimate organisation will not ask for these by email
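The traits above can be turned into an automated first-pass check. The script below is an added example written for this page, not Compass Assurance Services' own tooling: it parses a raw email with Python's standard `email` library and reports the indicators a reader is told to look for (urgency language, requests for credentials), plus two header-level checks that are worth teaching staff as well: a Reply-To domain that differs from the From domain, and a link whose visible text names one domain while its href points to another. The two sample messages and every domain in them are constructed for illustration.

```python
import email
import re
from email import policy

# Phrases the page tells readers to watch for; extend to suit your organisation.
URGENCY_PHRASES = ("act now", "immediate action", "urgent", "will be suspended")
CREDENTIAL_PHRASES = ("confirm your password", "verify your account", "enter your login")


def _address(header_value) -> str:
    """Return the bare address from a header such as 'Name <user@example.com>'."""
    value = str(header_value or "")
    m = re.search(r"<([^>]+)>", value)
    return (m.group(1) if m else value).strip().lower()


def _domain(addr: str) -> str:
    """Return the domain part of an email address ('' if there is none)."""
    return addr.rpartition("@")[2]


def phishing_indicators(raw_message: bytes) -> list[str]:
    """Return a list of human-readable phishing indicators found in one raw email."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []

    # 1. Reply-To pointing at a different domain than the sender claims.
    from_addr = _address(msg["From"])
    reply_to = _address(msg["Reply-To"]) if msg["Reply-To"] else ""
    if reply_to and _domain(reply_to) != _domain(from_addr):
        findings.append(
            f"Reply-To domain '{_domain(reply_to)}' differs from From domain '{_domain(from_addr)}'"
        )

    # 2. Urgency language and credential requests in subject or body.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    lowered = str(msg["Subject"] or "").lower() + "\n" + text.lower()
    for phrase in URGENCY_PHRASES:
        if phrase in lowered:
            findings.append(f"urgency language: '{phrase}'")
            break
    for phrase in CREDENTIAL_PHRASES:
        if phrase in lowered:
            findings.append(f"request for credentials: '{phrase}'")
            break

    # 3. Links whose visible text names one domain but whose href goes elsewhere.
    for href, shown in re.findall(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', text, flags=re.I | re.S):
        href_dom = re.match(r"https?://([^/\s]+)", href.strip(), re.I)
        shown_dom = re.match(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", shown.strip(), re.I)
        if href_dom and shown_dom and href_dom.group(1).lower() != shown_dom.group(1).lower():
            findings.append(
                f"link text shows '{shown_dom.group(1).lower()}' but points to '{href_dom.group(1).lower()}'"
            )
    return findings


# Constructed sample: a fake supplier email exhibiting all four indicators.
SAMPLE_PHISH = b"""From: "Accounts Payable" <accounts@example-supplier.com>
Reply-To: accounts@example-supplier-billing.net
Subject: IMMEDIATE ACTION required: overdue invoice
Content-Type: text/html; charset="utf-8"

<p>Please verify your account at <a href="http://login.example-supplier-billing.net/">https://portal.example-supplier.com/invoices</a> to avoid suspension.</p>
"""

# Constructed sample: an unremarkable plain-text invoice email.
SAMPLE_LEGIT = b"""From: "Accounts Payable" <accounts@example-supplier.com>
Subject: Invoice 1042 attached
Content-Type: text/plain; charset="utf-8"

Hi, please find invoice 1042 attached. Bank details are unchanged.
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(sample) or "no indicators")
```

A hit on any single indicator is not proof of fraud; the value is in surfacing the mismatch so the recipient verifies through a channel other than the email itself.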
Tip Two: Keep your passwords close
Many people use the same or similar passwords for multiple accounts, so if a password is compromised once there is a good chance other sensitive accounts can be compromised as well. Make sure your password isn't one of the 25 most popular passwords, use a different password for each account (a password manager makes this practical), and never share your passwords with others. That is a good place to start.
Tip Three: Keep your software up to date
Out-of-date software leaves your IT systems susceptible to malware, which can be a crippling occurrence for any business, big or small. Software updates often contain security patches that close the gaps attackers exploit, so apply them promptly across operating systems, applications and network devices.
Tip Four: Pay close attention when both sending and receiving invoices.
The New Zealand construction industry was recently the victim of an invoice fraud incident. Attackers gained access to a NZ construction company's email invoices and reissued them with fraudulent bank details, resulting in customers paying over $100,000 into a false account.
Be alert to changes to invoicing details and always confirm such changes either in person, if possible, or over the phone with an established contact within the organisation, using a number you already hold rather than one provided in the email. Care also needs to be taken when sending invoices – make sure your invoice details are correct and that invoices are being sent to the correct people.
Want to speak to someone?
Contact Us
Contact us and speak to one of our helpful team about your ISO certification needs. We can offer certification to smaller, niche standards and to other non-accredited (non ISO) standards as well.