After almost 9 years, a new version of ISO27001 was released in 2022, and I am not surprised that there is a big hoopla about it. The industry was definitely waiting for it and is eager to understand and implement it. But is it the right approach to do so immediately? Here are some thoughts, based purely on experience.
I studied information security way back in 1999. At that time there was no ISO standard per se; everyone talked about BS7799. It then became ISO27001:2005, and eventually it was revised to ISO27001:2013. I am sure that, like me, many of us have been through the migrations between all these versions across tons of implementations and audits. Each migration journey was tough, because the standard changes to keep up with the times. The real question is for those who were in the midst of implementing ISO27001:2013 when the 2022 version popped up. Now they are confused about which one to go for; it is a tough decision ahead of them.
Here are some pointers to think about before jumping on the newer version of ISO27001. One should not go for it just because it is out there.
1. It is advisable to wait at least a year before moving to the next version. ISO standards often go through major or minor revisions (corrigenda and amendments) in the period after publication, and those changes can disrupt an implementation that is already under way, wasting a lot of time and money. It is important to remember that a standard also takes a bit of time to reach maturity.
2. The transition arrangements for the new version allow three years for migration, so there is ample time. Nobody is expected to move to it immediately.
3. Hardly anyone is certified against the new version as of today, so overall awareness of it is low.
4. The new version does not cancel the previous one: certificates issued against the 2013 version remain valid during the transition period, and the 2022 version mainly reorganises and expands the controls rather than invalidating existing work. So there is no harm in waiting a bit.
5. When a standard is revamped, it takes time for industries to implement it, and that process sometimes exposes shortcomings of the standard itself. Waiting lets us learn from other people's hurdles.
6. Certification body auditors also take time to get ready for the new standard.
7. Many consultants want to implement it in haste, sometimes because they want to learn it but do not yet know exactly how to implement it. They end up experimenting with someone else's information security without being accountable for the flaws they might create. The point is that it is wiser to think about the motive behind going for implementation.
8. An unprepared implementation takes a toll on the company in the long run. It results in a higher cost of remediation, as opposed to doing it right the first time.
For all these reasons, before implementing ISO27001:2022 it is recommended to wait, study the standard properly, understand its applicability to your organisation, plan for the challenges and their mitigation, and only then move towards implementation. If you are in the midst of ISO27001:2013, keep going: complete it, and then plan a migration to 2022 next year. A quick chat with experts will help you take the right decision.