Request for guidance
I frequently come across an article that I find extremely helpful, and now I would greatly appreciate your guidance on the following matter. Our organization has already implemented ISO 27001:2013, and a new version has been introduced. Currently, I have a Statement of Applicability (SOA) that is based on the 114 controls from ISO 27002:2013. My question is whether I should create a new SOA consisting of the 93 controls in accordance with ISO 27002:2022, and subsequently make the necessary updates to my current SOA. Your advice and support in this matter would be greatly appreciated.
To be compliant with the 2022 revision of ISO 27001, you need to make a new Statement of Applicability with 93 controls.
From your question, it is not clear if your Information Security Management System (ISMS) is certified or not. In case you are searching for certification, you can certify your ISMS against ISO 27001:2013 until October 31, 2023, and there is no need to change your SoA. For certifying after October 31, 2023, you need to be compliant with ISO 27001:2022, and for that, you will need to update your SoA to the 93 control version.
For further information, see:
- ISO 27001 2013 vs. 2022 revision – What has changed? https://advisera.com/27001academy/blog/2022/02/09/iso-27001-iso-27002/
This material can also help you:
- How to Make the Transition From 2013 to 2022 Revision of ISO 27001 https://advisera.com/27001academy/webinar/transition-iso-27001-2013-to-iso-27001-2022-free-webinar-on-demand/
- ISO 27001:2022 Transition Course https://advisera.com/training/iso-27001-transition-course/
Jun 20, 2023