I am interested in this too. I have a customer who would like to be certified in Q1 2024. Project will start in June 2022.
There seem to be 2 options:
- Go for version 27001:2013 certification in Q1 2024, and recertify in Q1 2027 on 27001:2019
- Go directly with 27001:2019
What would the pros & cons look like? Is option 1 even possible?
This is purely subjective, but somehow I imagine that once 2019 is out, 2019 audits will be more severe than 2013 audits because it's new. I imagine auditors being zealous with the updated standard ;-)
Max
Dear Team,
First of all, thanks a lot for your “Overview of new security controls in FDIS ISO 27002” – it helps a lot to understand what is being changed.
If we are currently in the process of implementing ISO 27001, would you recommend changing our SoA according to the new version already?
Thank you!
Changing the SoA now is not recommended, because the SoA is a requirement of ISO 27001, which will be updated only after the controls in ISO 27001 Annex A are aligned with ISO 27002, which will happen somewhere during 2022. Besides that, no other change will be required.
After the release of the new ISO 27001, like the release of previous management systems standards, there will be a transition time (between one and two years) during which documents based on the previous version of the standard will be acceptable.
Considering that, you will have plenty of time to evaluate which changes will be required and to implement them.
Please note that in 2019 ISO 27001:2013 was confirmed without changes, so ISO 27001:2013 still is the current version of the standard.
A new version of ISO 27001 is expected to be released by the second half of 2022, reflecting the changes of the new ISO 27002 in its Annex A, so if you want to be certified in 2024 it is better to go with the new set of controls, to avoid the rework of adapting implemented controls to the new version of ISO 27001 Annex A.
Feb 10, 2022