
Expert Advice Community

ISO 27001 change process: 2013 to 2022

Guest
Guest user Created:   Dec 01, 2022 Last commented:   Dec 13, 2022

If a certified ISMS is changed from being compliant with ISO 27001:2013 to being compliant with the new ISO 27001:2022, is it still (in theory) going to be compliant with both versions, i.e. also the 2013 version, and suitable for being audited against the old version too? My point is that this could give flexibility for the change process, and it could be started straight away.

Expert
Rhand Leal Dec 01, 2022

In theory, an ISMS compliant with ISO 27001:2022 is still compliant with ISO 27001:2013. The 2022 version, when compared to the 2013 version, did not significantly change any requirements from clauses 4 to 10, and the controls from Annex A, apart from the 11 new controls that were added, were only reorganized.

Considering that, an ISMS compliant with ISO 27001:2022 can be audited against ISO 27001:2013, but this does not make much practical sense. If you have already made the full transition, you can be audited against ISO 27001:2022. In case your transition is only partial by the time of a surveillance audit, you need to align that with your certification body, so the audit plan can take it into account.

Please note that organizations have a three-year period (i.e., until October 31, 2025) to make the transition to ISO 27001:2022, so you can start your transition right now, and you have plenty of time to complete it.

Guest
Sarah Dec 07, 2022

We have documents which currently align to the old ISO 27001:2013 structure and reference the old Annex numbers. For the 2022 update, will we need to align our documentation with the new groupings, i.e. the 4 groups rather than the 14 Annex areas, or can we simply update the documentation to include any new controls within the existing policies?

For example, we have controls about physical security and monitoring in our physical security policy which previously sat under Annex A.11. Can we incorporate any new physical security controls into our existing documentation, or do we need to change the structure so that all physical security controls sit under the new Annex A.7?

Expert
Rhand Leal Dec 13, 2022

ISO 27001 does not prescribe how to format documentation, so organizations are free to format them as best fit their needs.

Considering that, there is no need to change the structure of your documentation. You only need to make sure that references to specific controls are updated accordingly (e.g., a reference to control A.11.1.1 Physical security perimeter should be updated to A.7.1 Physical security perimeters). Regarding the new controls, you can incorporate them into your existing documentation as it is.
