At the end of October 2022, the International Organization for Standardization (ISO) published a new version of ISO/IEC 27001:2022. ISO 27001 is the world’s leading information security standard, providing control requirements to create an Information Security Management System (ISMS).
ISO 27001:2022 is a moderate update from the previous version of the standard: ISO 27001:2013. The bulk of changes are related to the Annex controls and align to ISO/IEC 27002:2022 updates, which were published earlier in 2022. The Annex controls have been grouped differently, new Annex controls have been added, and others have been merged or renamed.
In this blog, we highlight the significant changes and key differences between the 2013 version of the standard and the 2022 version of ISO 27001.
If you haven’t made the transition and want to determine your next steps, read our blog, ISO 27001 Transition: What Now?
Updates to Clauses 4-10
ISO 27001:2022 includes the same number of clauses as ISO 27001:2013, but the text has changed slightly. The changes help align ISO 27001 with other ISO management standards.
Significant changes largely revolve around planning and defining process criteria, as well as monitoring standards. Specifically:
- Clause 4.2 Understanding the Needs and Expectations of Interested Parties: A new subclause was added requiring an analysis of which of the interested party requirements are going to be addressed through the ISMS.
- Clause 4.4 Information Security Management System: New language was added, which requires organizations to identify necessary processes and their interactions within the ISMS. Essentially the ISMS must include the processes underpinning the ISMS, not just the ones specifically called out in the Standard.
- Clause 6.2 Information Security Objectives and Planning to Achieve Them: Now includes additional guidance on the information security objectives. This gives more clarity about how objectives should be monitored regularly and formally documented.
- Clause 6.3 Planning of Changes: This clause was added to set a standard around planning for changes. It states that if changes are needed to the ISMS, they shall be adequately planned for.
- Clause 8.1 Operational Planning and Control: Additional guidance was added for operational planning and control. The ISMS now needs to establish criteria for actions identified in Clause 6 and control those actions in accordance with the criteria.
Additional minor changes include:
- Clause 5.3 Organizational Roles, Responsibilities, and Authorities: A minor update to the language clarified that communication of roles relevant to information security are to be communicated within the organization.
- Clause 7.4 Communication: Subclauses a-c remain the same. But subclauses d (who should communicate) and e (the process by which communication should be affected) have been simplified and combined into a newly renamed subclause d (how to communicate).
- Clause 9.2 Internal Audit: This clause was changed, but not materially. It essentially just combined what already existed between Clause 9.2.1 and 9.2.2 into one section.
- Clause 9.3 Management Review: A new item was added to clarify that the organization’s management review shall include consideration of any changes to the needs and expectations of interested parties. It’s important to note any changes, as they are instrumental to the scope of the ISMS that’s determined in Clause 4 (and based on those needs and expectations). For example, if an organization’s Board of Directors wants to go public, organizations must consider how the change in priorities would impact the ISMS.
- Clause 10 Improvement: Structural changes to this clause now list Continual Improvement (10.1) first, and Nonconformity and Corrective Action (10.2) second.
Changes to Annex A Control Structure
In ISO 27001:2022 structural changes were made to the Annex A controls. Control groups have been reorganized and the overall number of controls has decreased.
At a high level:
- 11 new controls were introduced
- 57 controls were merged
- 23 controls were renamed
- 3 controls were removed
In ISO 27001:2013, controls were organized into 14 different domains. In the new update, controls are placed into the following four themes instead:
- People controls (8 controls)
- Organizational controls (37 controls)
- Technological controls (34 controls)
- Physical controls (14 controls)
The nomenclature change promotes a better understanding of how Annex A controls help secure information. The previous domain names were written for IT professionals — rather than management. Companies will need to update their Statement of Applicability to match this new structure, as they look to achieve certification under ISO 27001:2022.
Additional attribute values were also added to better describe the Annex A controls and help categorize them, but these are only available in ISO 27002.
New Controls within ISO 27001:2022 Annex A
The largest change within Annex A is around the 11 new controls which were introduced. Organizations that are currently certified under ISO 27001:2013 will need to ensure proper processes are in place to meet these new requirements or will need to create new processes to incorporate these controls into their existing ISMS.
Notably “threat intelligence” requires organizations to gather and analyze information about threats, so organizations can take action to mitigate risk. Companies certified under ISO 27001:2013 may not have this element in place. This is a relevant change and speaks to the idea that threats are ever-evolving. Therefore, mitigating risk is a continuous process, not a “one-and-done” task. This tracks back to an update in ISO 27002 which was introduced earlier in 2022. ISO 27002 can provide more clarity on this, as it includes additional implementation guidance.
Additional new controls within ISO 27001:2022 include:
- A.5.7 Threat Intelligence: This control requires organizations to gather and analyze information about threats, so they can take action to mitigate risk.
- A.5.23 Information Security for Use of Cloud Services: This control emphasizes the need for better information security in the cloud and requires organizations to set security standards for cloud services and have processes and procedures specifically for cloud services.
- A.5.30 ICT Readiness for Business Continuity: This control requires organizations to ensure information and communication technology can be recovered/used when disruptions occur.
- A.7.4 Physical Security Monitoring: This control requires organizations to monitor sensitive physical areas (data centers, production facilities, etc.) to ensure only authorized people can access them — so the organization is aware in the event of a breach.
- A.8.9 Configuration Management: This control requires an organization to manage the configuration of its technology, to ensure it remains secure and to avoid unauthorized changes.
- A.8.10 Information Deletion: This control requires the deletion of data when it’s no longer required, to avoid leaks of sensitive information and to comply with privacy requirements.
- A.8.11 Data Masking: This control requires organizations to use data masking in accordance with the organization’s access control policy to protect sensitive information.
- A.8.12 Data Leakage Prevention: This control requires organizations to implement measures to prevent data leakage and disclosure of sensitive information from systems, networks, and other devices.
- A.8.16 Monitoring Activities: This control requires organizations to monitor systems for unusual activities and implement appropriate incident response procedures.
- A.8.23 Web Filtering: This control requires organizations to manage which websites users access, to protect IT systems.
- A.8.28 Secure Coding: This control requires secure coding principles to be established within an organization’s software development process, to reduce security vulnerabilities.
What Should I do Next?
It’s important to note that this new update does not impact your existing certification. Certification against ISO 27001:2013 is still allowed until April 30, 2024. But, companies should begin to update controls and processes, as to comply with the requirements in this new revision as soon as possible.
Any company currently certified against ISO 27001:2013 has until October 31, 2025, to transition to the new revision. To ensure you are ready, our experts recommend:
- A gap assessment in 2023: Our experts can complete a gap/readiness assessment to map your existing controls to the newly revised standard and determine what changes your company will need to make to achieve certification under the new version of the standard.
- Implement new controls throughout 2023: Once that assessment is complete, we recommend focusing on implementing new standards throughout 2023.
- Conduct a new audit: With diligent planning efforts throughout 2023, you’ll be ready to conduct an audit against the new standard as early as 2023, well before the ISO deadline of October 31, 2025.
Are you an existing customer who is ready to conduct your readiness assessment? Contact your account manager today.
New to ISO 27001? Contact a member of our team to get a certification plan in place.