What Do the ISO 27001 Updates Mean for Your Business?

Author: Cliff Huntington
Date Published: 23 November 2022

Editor’s note: The following is a sponsored blog post from OneTrust:

Looking at the security and compliance landscape a decade ago versus what we see today, it’s clear that the pace of new frameworks, standards and regulations has intensified. It shows that security and privacy assurance (such as audits and certifications) is becoming more important in an environment of growing security breaches, consumer data loss and misuse of personally identifiable information (PII).

If your business is looking for meaningful, productive interaction with other organizations, you need to assure them you’re a good steward of their data first. An ISO 27001 certification is a great way to get this done.

From our vantage point, pursuing a re-certification or new certification for the widely used framework is a worthwhile venture. Let’s take a deeper look.

What are the benefits of an ISO 27001 certification?

Large or small, organizations seeking ISO 27001 certification are being intentional about taking the time to fully audit their security posture and to show their internal and external stakeholders that physical and digital security is a priority.

Here are some of the benefits of working through the ISO 27001 certification process:

  • Safeguard your own and your clients’ valuable data and intellectual property rights
  • Adopt a risk-based approach that informs senior-level decision making
  • Remove the need to complete customer security questionnaires
  • Build trust and confidence with customers and business partners
  • Win new business opportunities and retain your existing customer base
  • Reduce the number of audits you receive and the associated overhead
  • Mitigate the risk of large financial penalties, both regulatory fines and contractual
  • Comply with business, legal, contractual and regulatory obligations
  • Support a continuous cycle of improvement throughout the organization
  • Motivate senior leadership to maintain focus on information security
  • Differentiate your organization in the market as ISO 27001 compliant
  • Enhance the effective and efficient use of business information

Changes bring questions

When speaking with business partners, we’re frequently asked questions about the certification process and what the updates mean for organizations that are either in the midst of obtaining the certification or planning to go through the process. Here are a few of those inquiries and how we address them.

Q. What is the difference between ISO 27001 and ISO 27002?

A. ISO 27001 is the international standard for information security management that organizations certify against. ISO 27002 is a supporting standard that provides guidance on how information security controls can be implemented. This hasn’t changed with the update. It will still be the case that organizations certify to ISO 27001 and use 27002 as supporting guidance. It is only possible to certify to ISO standards that end in a “1.”

Q. Is there a transition period to move from ISO 27001:2013 to ISO 27001:2022?

A. Yes, there will be a transition period of three years for currently certified companies, as is the norm with any ISO standard. This period has now begun, since ISO 27001:2022 has officially been published.

Q. Will the certification body check the changes in our ISMS and the documentation?

A. Yes, if your company is already certified, your certification body will conduct the necessary checks on your ISMS and the related documentation during the transition period. This transition will occur during your regular surveillance audits, and a separate audit schedule is not required.

Q. Are there any excluded controls from ISO 27002:2022?

A. Although the number of controls has been reduced, no controls were excluded in this new version; they were only merged for the sake of better understanding.

The road ahead

Beyond ISO 27001, your business may be dealing with several other frameworks or standards that could be state or federally mandated. Aligning your organization with professionals who can consult on framework mapping or cross-walking (helping you navigate the intersections of these standards) will save you and your teams plenty of time and frustration.