In 2022, a significant update to the ISO 27001 standard was published, outlining new requirements for organisations certified to ISO 27001:2013. These organisations must migrate to the ISO 27001:2022 version by October 2025 to remain compliant.
However, shortly afterwards, in 2023, what appeared to be a new version of the standard was published, which has caused some confusion. So, what exactly is ISO 27001:2023, and do you need to make changes to your ISMS?
Is there a new edition of ISO 27001?
To clarify, the latest official version of ISO 27001 published by ISO is ISO 27001:2022. This update introduced several notable changes, including:
- 11 new security controls added to strengthen organisational defences against emerging risks.
- A reorganised Annex A, aligning with the latest guidance from ISO 27002:2022, which provides detailed information on best practice security controls.
These changes reflect the evolving threat landscape and aim to help organisations enhance their information security measures.
So, why the 2023 edition of ISO 27001?
Here’s where the confusion comes in: the ISO 27001:2023 edition is not actually a new version of the standard. In fact, there are no material differences between the 2022 and 2023 versions. The reason behind the 2023 version’s existence is tied to the adoption of the standard in Europe.
In 2023, the European Committee for Standardisation (CEN) adopted ISO 27001:2022, which led to a renaming of the standard in Europe. As a result, the British Standards Institution (BSI) updated the standard’s name from BS ISO/IEC 27001:2022 to BS EN ISO/IEC 27001:2023 to reflect its European adoption.
It’s important to note that while the name has changed in Europe, the content of the standard remains the same. ISO 27001:2023 is essentially the same document as ISO 27001:2022, but under a different title.
Do I need to transition to ISO 27001:2023?
If you are already in the process of implementing ISO 27001:2022 or have transitioned your ISMS to meet the 2022 requirements, there is no need to acquire or implement ISO 27001:2023. Certification bodies, such as ISOQAR, will continue referencing the 2022 version for audits and certifications.
What this means in practical terms is that if your organisation is ISO 27001:2022 compliant, you are already up to date, and there is no requirement to make any additional changes to your ISMS beyond what was necessary for the 2022 version.
What should my organisation do now?
The key takeaway here is that the focus should remain on migrating to ISO 27001:2022 by the October 2025 deadline. This transition ensures that your ISMS remains compliant with the most recent changes to the standard, providing your organisation with enhanced security measures and maintaining your certification.
At ISOQAR, as a UKAS-accredited certification body, we are here to guide you through this process. Our team of expert auditors can assist in ensuring your transition to the updated standard is seamless, keeping your organisation secure and compliant. If you’re already ISO 27001:2022 compliant, rest assured that no additional action is required regarding the 2023 version.
If you’re unsure about your organisation’s current compliance or need support with the transition, we recommend reaching out to us for expert advice.