Information about the ISO27001:2022 transition
In this last newsletter of the year, we would like to update you on the transition of your certified ISMS to the new ISO27001:2022 version.
The newsletter is primarily intended for DigiTrust customers who hold ISO27001 and/or NEN7510 certification, but it is also relevant for all other DigiTrust contacts who want to know how the transition works. We are also organising some Teams sessions, in which you can participate free of charge.
The new versions of ISO27001 and ISO27002 are available in both Dutch and English. These standards can be ordered via the NEN website.
NEN7510 has not yet been updated and will follow later.
The Transition Audit
To transition your certified information security management system (ISMS) to the new ISO27001:2022 version, DigiTrust will need to carry out a transition audit at your organisation. Deadlines have been set for this. Which deadline applies to you depends on when you obtained your initial certification. See the table below for the details.
What do you need to prepare?
To successfully pass the transition audit, you need to adapt your ISMS. What are the actions for you to take?
Gap analysis
You should perform a gap analysis. In this analysis, you record which parts of your ISMS are affected by the new standard. Consider your handbook, risk analysis, risk treatment plan, Statement of Applicability (VVT) and the design of the new and changed controls.
To make it easy for you, we have prepared a template for performing the gap analysis. You can use it or use your own similar method. You will find this template at the bottom of this newsletter.
> During the transition audit, we will review your gap analysis.
Action plan
Then, based on the completed gap analysis, you identify actions for each topic: how you will implement the change, who will do it and when it should be ready.
> During the transition audit, we will review your action plan.
Adjust risk analysis and treatment plan
Within your ISMS, you have performed a risk analysis and drawn up a treatment plan. In it, you have recorded which measures you have taken to mitigate the risks. These measures should be compared against Annex A, to verify that no necessary measures have been forgotten. As Annex A has changed, you will have to adapt this comparison to the new Annex A.
> During the transition audit, we will review your risk assessment and treatment plan.
Adapt Annex A controls
The new standard has 11 new controls, and several controls from the old standard have been merged. You will of course have to take a closer look at whether these controls apply to you and how you will implement them in relation to your own risk analysis. The new ISO27002 gives you a lot of 'best practice' guidance in this respect.
> During the transition audit, we will assess your evidence on the operation of the new and adjusted (merged) control measures.
Adjusting VVT
In line with the standard requirements, you will need to prepare a Statement of Applicability (VVT). Since Annex A has changed, you will need to revise the VVT in its entirety.
> During the transition audit, we will assess your VVT.
Internal audit
Before DigiTrust comes to you to perform the transition audit, you should have performed an internal audit yourself. As a minimum, this internal audit should cover the risk analysis and treatment plan, including the new and changed (merged) controls from Annex A.
> During the transition audit, we will review your internal audit report.
Management review
Conduct a management review in accordance with clause 9.3. Part of this includes discussing the results of the internal audit.
> During the transition audit, we will review the (additional) management review you conducted.
Conduct of the transition audit by DigiTrust
If you transition during your certification cycle, the transition audit is 8 hours.
If your upcoming audit is a recertification (HER) audit and you transition to the new standard at the same time, the transition audit is 4h.
During this audit, the above 7 topics will be assessed. This audit will be carried out remotely by the DigiTrust auditor together with your CISO or another contact person within your organisation. In principle, we will not conduct interviews with employees within your organisation, unless the auditor considers it necessary.
It is important that you have prepared the above topics well and have the evidence available, so that the transition audit can run smoothly.
After the audit, the DigiTrust auditor will write the report (2h). The file will be reviewed internally (1h) and, if everything is approved, DigiTrust will prepare your new ISO27001:2022 certificate and send it to you (1h).
Cost
The cost of this transition audit is as follows:
During the certification cycle, the audit itself is 4h and the other 4h are for reporting and preparing the new certificate. The total cost is 1 day, at the daily rate from your agreement. That includes the audit, the reporting, and the preparation and publication of your new certificate.
When combined with recertification (HER), the transition audit is 4h, at the prevailing daily rate.
Combination of ISO27001 and NEN7510
If you hold certification for both ISO27001 and NEN7510, it is also possible to transition to the new version of the standard for your ISO27001 certification first. Be aware that this will increase the complexity of your own ISMS, since the new and old controls will then be mixed. During the NEN7510 audit, we will look at the old Annex A.
Timeline of this transition
The transition deadline (the latest date by which you need to have transitioned) depends on your specific situation. Look up in the table when you obtained your initial ISO27001 certification; this shows which scenario applies to you.
- Blue = DigiTrust can and may still audit your ISMS against the old version of the standard.
- Green = DigiTrust must audit your ISMS against the new ISO27001:2022 standard.
In 2025, you must have transitioned by 1/11/2025.
Of course, you may already transition to the new standard and schedule your transition audit prior to your upcoming audit. The table only lists deadlines. Please contact our back office about this in good time.
Schedule transition audit
If you wish to have this transition audit carried out, please notify our back office by sending an e-mail to backoffice@digitrust.nl.
Our back office will contact you to schedule the audit. The audit itself will take 4h and will be conducted remotely. It is important that you do this in good time, due to the availability of the auditors.
During the current cycle, the transition audit must be scheduled at least 2 weeks before your regular audit. In these 2 weeks, we can finalise your transition file and prepare your new certificate, so that your regular audit can then be conducted against the new standard.
With recertification (HER), the transition audit can be combined with the recertification audit.
Changes to the content of the standard
The main change in ISO27001:2022 is that Annex A has been modified. The previous version of ISO27001 contained 114 controls divided into 14 chapters (A.5 to A.18). The new ISO27001:2022 reduces this to four chapters and 93 controls:
- 5 Organisation: 37 controls
- 6 Employees: 8 controls
- 7 Physical security: 14 controls
- 8 Technology: 34 controls
It is useful to know that cross-reference tables between the new and old controls are available (via the DigiTrust back office).
Annex A changes
New controls (management measures): there are 11 new controls.
- A.5.7 Threat information and analysis
- A.5.23 Information security for the use of cloud services
- A.5.30 ICT readiness for business continuity
- A.7.4 Monitoring physical security
- A.8.9 Configuration management
- A.8.10 Deletion of information
- A.8.11 Masking of data
- A.8.12 Prevention of data leakage (data leakage prevention)
- A.8.16 Monitoring activities
- A.8.23 Applying web filters
- A.8.28 Secure encryption
It is important to consult ISO27002:2022. It describes best practice that you can use to set up each control in such a way that it mitigates the associated risk (from your own risk analysis).
Changed management measures
In addition, several controls from the old standard have been merged in the new standard. You can see which ones in the cross-reference tables. These controls should therefore also be merged in your ISMS.
HLS changes
There are also some minor changes in the HLS clauses (chapters 4 to 10). There are no major changes, but do update your ISMS handbook and policies accordingly.
- 4.1 Context: tightened
- 4.2 Stakeholders: tightened
- 4.4 ISMS: tightened
- 6.1.3 Risk treatment: tightened
- 6.2 Objectives: tightened
- 6.3 Change management: added
- 7.4 Communication: tightened
- 8.1 Operational planning: rewritten
- 9.1 Monitoring: tightened
- 9.2 General and audit programme: split
- 9.3 General, input and output: split
- 10.1 Improvements and Deviations & Corrective Measures: change in numbering