The release of the third edition of ISO/IEC 27001:2022 and ISO/IEC 27002:2022 opens up opportunities and changes for both certified and non-certified companies.
For certified companies, a Transition Period begins, ending in October 2025. During this period, already certified companies will have to review their Information Security Management System to incorporate the changes made to the standard, and especially the new organisation of the controls in Annex A of the standard. The new controls are now organised through 5 attributes (defined in ISO/IEC 27002) that allow for a reasoned selection of controls against the company’s business and information security strategies.
For non-certified companies, the opportunity arises to adopt a mature standard that has been consolidated over more than 15 years of application (the first version of ISO/IEC 27001 dates back to 2005) and to start a certification process oriented towards new information security issues.
Among the major innovations introduced in the latest version of ISO/IEC 27001 is certainly its orientation towards the themes of Privacy, Data Protection and Cybersecurity as well.
The renewal thus acknowledges market developments by orienting the standard towards a broader use of information security.
Rexilience has already started projects on the basis of the new standard, supporting companies interested in first-time certification and companies that intend to convert their Information Security Management System to the new version of ISO/IEC 27001.
A set of related services has also been developed to support these projects:
- regulatory gap analysis
- ISO/IEC 27001 audits
- training sessions on the standard and controls
- thematic awareness sessions
- customised consultancy packages for certification
- integration of information security with IT/OT cybersecurity
- integration of management systems with different standards (ISO, NIST, IEEE, IEC, etc.)
- integration of information security with business continuity (ISO 22301) and IT services (ISO/IEC 20000-1) etc.
These are added to the catalogue of services that Rexilience already offers.
Fabrizio Cirilli
Senior Partner Rexilience
Member of UNINFO UNI/CT 510 “Sicurezza Informatica” and of ISO/IEC JTC1 SC27/WG1