11 September 2023

Five questions about the revised ISO 27001:2022

The recent revision of ISO 27001:2022 has led to changes and new opportunities for organizations involved in information security. We asked Marjolein Veenstra, Kiwa's scheme manager for ISO 27001, to delve deeper into the implications and benefits of this revision.

How do you, as a scheme manager, look back on the developments surrounding ISO/IEC 27001:2022 over the past few months?

More and more organizations are transitioning to ISO 27001:2022. They have gone through the seven steps for the transition to ensure it can be assessed during the transition audit. Customer feedback has been positive. Our customers find that the changes in the standard have led to a more logical and efficient setup of their ISMS. At Kiwa, we continue to work on increasing knowledge, creating added value and involving our customers in the developments in this field. We are therefore proud to have extended our accreditation to the revised standard on 1 February 2023.

What are the positive aspects of the revision?

I believe the revision contains several important improvements. Certificate holders familiar with multiple standards and ISO's Harmonized Structure (HS) will notice that ISO 27001:2022 is more aligned with other standards, such as ISO 9001 and ISO 14001. Additionally, changes in Annex A have led to restructuring fourteen chapters into four chapters and the number of information security controls  has been reduced from 114 to 93. This has resulted in a more pragmatic consolidation of these controls . The new structure has also led to a logical grouping of new controls  into categories: organizational, human-oriented, physical and technological. The revision places more emphasis on vulnerabilities, which requires adjustments for some organizations but is generally seen as a positive development.

What should certificate holders focus on when complying with ISO 27001:2022?

Certificate holders may encounter various challenges in complying with the standard. This may include the need for the security officer to expand their knowledge. Furthermore, existing certificate holders need to consider possible structural adjustments and the effective implementation of new controls . In the context of internal audits, it's important for these audits to include the updated risk analysis, the associated treatment plan and the newly added or modified controls  from Annex A. Additionally, adjustments to both the Statement of Applicability and the management review will be necessary to adequately reflect the new elements.

When is the best time for certificate holders to transition to ISO/IEC 27001:2022?

Certificate holders have a transition period of three years, until 1 November 2025, to complete the transition. Within this period, they can decide when they want to make the transition. Several options are available: a re-assessment audit with an additional half audit day, a follow-up audit with one extra audit day and a special transition audit with one and a half extra audit days. Certificate holders are encouraged to communicate their transition plans in a timely manner to ensure smooth planning.

Timeline revision ISO 27001 and ISO 27002.png

Download the timeline ISO 27001:2022 (version 28 June 2024).

How does Kiwa support organizations during this transition?

With the revision of ISO 27001:2022, new opportunities arise for more effective information security. Kiwa assists organizations in a seamless transition. Our planning department is ready to help organizations plan the transition within the specified timeframe. Additionally, in the upcoming revision of NEN 7510, Kiwa will continue to provide information and support.