When it comes to ISO/IEC 27002:2022 recently, it feels a bit like a game of Red Light, Green Light—you know, the childhood game where everyone runs to the finish line upon Green Light being called, but you had to stop on a dime when you heard “Red Light!” and await the next, random declaration of Green so you could move forward again.
On the playground, it was a game of anticipation, and for those of us monitoring this standard right now, it’s very similar. ISO/IEC 27002:2022 was released in February 2022, putting us all at the start line, and we don’t know when the green light will come to formally incorporate the updates made.
As much fun as it may have been to buzz with suspense during P.E. class, understanding the timeline for the related transition to ISO/IEC 27001:2022 is important for organizations undergoing ISO 27001 certification. Though you are not being certified against the already-published ISO 27002, you are being evaluated against the management system standard in ISO 27001, which, as of the date of this blog post, is still under the 2013 version.
As an ISO certification body, we understand how that makes things a bit complicated for you. What might help is knowing where things stand at the moment. Are there things you, as an organization in the middle of ISO 27001 certification, should or could be doing to prepare for the formal “Green Light” on the new standard?
In this article, we’ll detail the progress of the update to the ISO 27001 standard. Transition requirements have been outlined to an extent, and we’ll discuss the key takeaways so that you know more of what to expect as things move forward with implementation.
Where Does ISO/IEC 27001:2022 Currently Stand?
First things first: ISO 27002 was updated in February, but is the matching update to ISO 27001 on its way?
Right now, ISO/IEC 27001:2022 is within what is referred to as the Final Draft International Standard (FDIS) stage, which means the final text of the proposed updates is undergoing its final review and vote:
- This current FDIS stage for ISO/IEC 27001:2022—or ISO/IEC FDIS ISO 27001 as it’s being referred to—began back on July 28, 2022. The aforementioned final vote is scheduled to close on September 22, 2022, after the completion of what will have been an eight-week process.
- Based on the results of the voting, the standard will either:
  - Undergo further updates and be recirculated for review/voting; or
  - Be approved for publication.
In our experience, documents in the FDIS stage rarely undergo material updates that would require the eight-week voting process to be reinitiated, so we do believe that ISO/IEC 27001:2022 will be published sometime in Q4 of 2022.
What are the ISO/IEC 27001:2022 Transition Requirements?
Though the exact publication date is yet to be communicated and will depend on the results of the FDIS voting process, we do know that a Mandatory Document (MD) has been issued in the meantime.
Published by the International Accreditation Forum (IAF), this MD outlines the transition requirements for migrating from ISO/IEC 27001:2013 to ISO/IEC 27001:2022 (once published) for both accreditation bodies (ABs) and accredited certification bodies (also referred to as conformity assessment bodies, or CABs).
Publicly available on the IAF’s website here as IAF MD 26:2022 “Transition Requirements for ISO/IEC 27001:2022,” this MD provides several clues as to what to expect from the new standard, whenever it does drop:
Learning More About ISO/IEC 27001:2022
Though we all still await the “Green Lighting” of ISO/IEC 27001:2022, we aren’t completely in the dark about what to expect. Thanks to IAF MD 26:2022, some transition requirements have been outlined that can help you take any necessary internal steps to prepare.
We’ve done what we can to disseminate the information we have for now, but once the new ISO/IEC 27001:2022 standard is officially published, Schellman plans to delve more into the details through more content—including a deeper look at the 11 “net new” controls to be introduced with ISO/IEC 27002:2022.
Until then, make sure you’re all caught up there by reading these:
Should you have any questions regarding what will be an important shift to the ISO landscape, please feel free to contact our team so that we can help you address any concerns you have during this pre-launch period.
About DANNY MANIMBO
Danny Manimbo is a Principal with Schellman based in Denver, Colorado. As a member of Schellman’s West Coast / Mountain region management team, Danny is primarily responsible for co-leading Schellman's ISO practice, as well as for the development and oversight of Schellman's SOC practice line and specialty practices such as HIPAA. Danny has been with Schellman for eight years and has over 11 years of experience in providing data security audit and compliance services.