Expert Advice Community

Guest

New implementation: ISO 27001:2013 + ISO 27002:2022

  Quote
Guest
Guest user Created:   May 22, 2022 Last commented:   May 27, 2022

New implementation: ISO 27001:2013 + ISO 27002:2022

Hi iso people. I'm in a middle of ISO 27001:2013 implementation. I'm just finishing chapter 9. Now I've read ISO 27002:2022 and I would like to implement the new controls instead of Annex from ISO 27001:2013. Will that get me in trouble if I write that we've decided to use the new set of controls and excluded Annex from 2013 completely?
0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal May 22, 2022

This will depend on the date you want to be certified. In case you want to be certified before March 2023 - go with 2013 revision, after March 2023 go with 2022 revision.

Please note that after the release of the new version of ISO 27001, any required changes will have a transition period to be implemented (in general this transition period is of two years after a change in a management system standard is released, which is plenty of time to do this transition for most controls).

For further information, see:
- 11 most important facts about changes in ISO 27001/ISO 27002 https://advisera.com/27001academy/blog/2022/02/09/iso-27001-iso-27002/ 
- Should you start implementing ISO 27001 2013 or 2022 revision? https://advisera.com/insight/chatbot-implement-iso-27001-2013-or-2022-revision/

Quote
0 0
radsec May 23, 2022

To clear things up, I was talking about getting certified in the old ISO 27001:2013, but excluding the annex and implementing controls from the new ISO 27002:2022.

In my opinion you should be able to exclude the whole annex, justify with "New controls fit the organization better". Then implement controls from the new ISO 27002:2022 (justified with risk assessment).

My question is then, is my justification for exclusion likely to be accepted by an external auditor?

Quote
0 0
Expert
Rhand Leal May 27, 2022

First of all, sorry for this confusion.

Regarding your justification, the best course of action is to ask your certification body if it is acceptable to it because you are talking about using a 2022 set of controls for an ISO 27001:2013 certification (in theory this is acceptable, but your certification body will have the final decision).

Our previous answer took into consideration you stated that you are finishing section 9, and unless it is imperative you implement the new controls before March 2023 (e.g., there is a legal requirement, or it will bring you a greater competitive advantage), a smoother transition would be more recommendable, and it is possible.

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

May 22, 2022

May 27, 2022

Suggested Topics

Guest user Created:   Dec 06, 2022 ISO 27001 & 22301
Replies: 1
0 0

Assets

Guest user Created:   Dec 06, 2022 ISO 27001 & 22301
Replies: 1
0 0

ISO 27001 Auditor Question