Expert Advice Community

New versions of ISO 27002 and 27001

Nika Created: Feb 04, 2022 Last commented: Feb 10, 2022

Dear Team, first of all thanks a lot for your “Overview of new security controls in FDIS ISO 27002” – it helps a lot to understand what is being changed. If we are currently in the process of implementing ISO 27001, would you recommend changing our SoA according to the new version already? Thank you!


Max Feb 06, 2022

I am interested in this too. I have a customer who would like to be certified in Q1 2024. Project will start in June 2022.

There seem to be 2 options:

  1. Go for version 27001:2013 certification in Q1 2024, and recertify in Q1 2027 on 27001:2019
  2. Go directly with 27001:2019

What would the pros & cons look like? Is option 1 even possible?

This is purely subjective, but somehow I imagine that once 2019 is out, 2019 audits will be more severe than 2013 audits because it's new. I imagine auditors being zealous with the updated standard ;-)

Max

Expert
Rhand Leal Feb 08, 2022

Dear Team,

first of all thanks a lot for your “Overview of new security controls in FDIS ISO 27002” – it helps a lot to understand what is being changed.

If we are currently in the process of implementing ISO 27001, would you recommend changing our SoA according to the new version already?

Thank you!

Changing the SoA now is not recommended, because the SoA is a requirement of ISO 27001, which will be updated only after the controls in ISO 27001 Annex A are aligned with ISO 27002, which will happen somewhere during 2022. Besides that, no other change will be required.

After the release of the new ISO 27001, like the release of previous management systems standards, there will be a transition time (between one and two years) during which documents based on the previous version of the standard will be acceptable.

Considering that, you will have plenty of time to evaluate which changes will be required and to implement them.

Expert
Rhand Leal Feb 10, 2022
I am interested in this too. I have a customer who would like to be certified in Q1 2024. Project will start in June 2022.

There seem to be 2 options:

  1. Go for version 27001:2013 certification in Q1 2024, and recertify in Q1 2027 on 27001:2019
  2. Go directly with 27001:2019

What would the pros & cons look like? Is option 1 even possible?

This is purely subjective, but somehow I imagine that once 2019 is out, 2019 audits will be more severe than 2013 audits because it's new. I imagine auditors being zealous with the updated standard ;-)

Please note that in 2019 ISO 27001:2013 was confirmed without changes, so ISO 27001:2013 still is the current version of the standard.

A new version of ISO 27001 is expected to be released by the second half of 2022, reflecting the changes of the new ISO 27002 in its Annex A, so if you want to be certified in 2024 it is better to go with the new set of controls, to avoid the rework of adapting implemented controls to the new version of ISO 27001 Annex A.
