ISO 27001:2013 has been the international standard for information security management for several years. The first version was released in 2005 (ISO/IEC 27001:2005), a revised version followed in 2013 (ISO/IEC 27001:2013), and the most recent version was released in 2022 (ISO/IEC 27001:2022).
The standard specifies the requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS) within the context of the organization. Most important are the requirements for management to assess and manage information security risks and to treat those risks in a way tailored to the needs of the organization. The new iteration, ISO 27001:2022, brings some notable changes, although nothing too drastic. Here we’ll outline the differences and what they could mean for your organization.
Changes in ISO/IEC 27001:2022
After nearly a decade of the 2013 version, ISO/IEC 27001:2022 updates the standard to address today’s security challenges. ISO/IEC 27001:2022 was published on October 25, 2022, and includes a title change, minor updates to clauses 4 through 10, and a significant change to Annex A. Additionally, ISO 27002:2022, the companion standard to ISO 27001:2022, was published in early 2022, and its changes are reflected in ISO 27001:2022 (particularly in Annex A).
What Are the Main Differences Between ISO 27001:2022 and ISO 27001:2013?
- The title has changed
- Some wording, terminology, and sentence structures have changed
- Clauses 4 through 10 have changed slightly, including added content
- Annex A controls have changed
- The total number of controls has been reduced from 114 to 93
- 11 new controls were added
- No controls were deleted, but some were merged
- The controls are now grouped into four sections instead of the previous 14
The full title of the new standard was updated to ISO/IEC 27001:2022 Information Security, Cybersecurity and Privacy Protection.
ISO 27001:2022 still contains 11 clauses, although clauses 4 through 10 received some minor changes, including added content. The titles and order of the clauses remain the same. The changed clauses are:
- 4.2 Understanding the needs and expectations of interested parties
  - Item (c) added: requires an analysis of which interested-party requirements the ISMS must address
- 4.4 Information security management system
  - Phrase added: requires planning for processes and their interactions as part of the ISMS
- 5.3 Organizational roles, responsibilities and authorities
  - Phrase added: clarifies that the communication of roles is internal to the organization
- 6.2 Information security objectives and planning to achieve them
  - Item (d) added: requires monitoring of objectives
- 6.3 Planning of changes
  - Clause added: requires that changes to the ISMS be carried out in a planned manner
- 7.4 Communication
  - Item (e) deleted: required setting up communication processes
- 8.1 Operational planning and control
  - New requirements added: establish criteria for security processes and for their implementation
  - Requirement to implement plans for the achievement of objectives deleted
- 9.3 Management review
  - Item 9.3.2 c) added: clarifies that interested parties’ inputs must cover their needs and expectations and be relevant to the ISMS
- 10 Improvement
  - Subclauses switched while the text remains unchanged: 10.1 is now “Continual improvement” and 10.2 is now “Nonconformity and corrective action.”
The total number of controls has been reduced from 114 to 93, and the controls are now grouped into four sections rather than the previous 14. The changes include:
- 35 controls remained the same
- 23 controls were only renamed
- 57 controls were merged into 24
- One control was split into two
- 11 new controls were added
The four control sections are:
- A.5 Organizational controls (37 controls)
- A.6 People controls (8 controls)
- A.7 Physical controls (14 controls)
- A.8 Technological controls (34 controls)
The 11 new security controls are:
- A.5.7 Threat intelligence
- A.5.23 Information security for use of cloud services
- A.5.30 ICT readiness for business continuity
- A.7.4 Physical security monitoring
- A.8.9 Configuration management
- A.8.10 Information deletion
- A.8.11 Data masking
- A.8.12 Data leakage prevention
- A.8.16 Monitoring activities
- A.8.23 Web filtering
- A.8.28 Secure coding
How Does the New Standard Affect You?
The changes in the 2022 iteration are fairly minor and will not affect a current ISO 27001 certificate; however, your ISMS will need to transition to the 2022 version before the certificate is renewed. Training courses will become available, but this may take about six months from the ISO 27001:2022 publication date. There is no need to rush: the 2013 version won’t be officially retired for another three years (on October 31, 2025), which leaves plenty of time to make the transition.
That said, waiting until the last minute is not advisable, and some certification bodies might stop offering certification against the 2013 version sooner than the three-year deadline. To stay on the safe side, check whether you need to transition earlier, and consider starting to use the new Annex A controls now.