Unveiling ISO 27001:2022: The 9 Critical Updates You Need to Know

We are thrilled to announce that A-LIGN received ISO/IEC 27001:2022 accreditation (ISO 27001) from the ANSI National Accreditation Board (ANAB) on May 17, 2023. This accreditation expands A-LIGN’s portfolio of ISO certification service offerings, which includes ISO/IEC 27001:2013 (ISO 27001 2013), ISO/IEC 27701:2019 (ISO 27701), and ISO 22301:2019 (ISO 22301), and allows us to remain at the forefront of industry standards.

Curious about the key differences between ISO 27001 2013 and the new 2022 edition? We’ve got you covered with a quick summary of the 9 most important changes. If you’re hungry for more details, tune in to our webinar from April.

1. Updated Context and Scope

ISO 27001:2022 places increased emphasis on understanding the context of the organization, including its internal and external factors that may impact the information security management system (ISMS). This update encourages organizations to conduct a comprehensive analysis of interested parties, necessary processes, and roles within the ISMS.

2. Statement of Applicability (SoA)

While the requirements for the SoA itself remain largely unchanged, the updated controls in ISO 27001:2022 necessitate a revised SoA. Organizations should review their existing SoA from the 2013 version and make adjustments to incorporate a mapping of the 2022 controls. This demonstrates preparedness for the revised standard and facilitates effective communication with stakeholders.

3. Controlled Changes to the ISMS

A notable addition in ISO 27001:2022 is Clause 6.3, which focuses on controlled changes to the ISMS. It requires organizations to carry out planned changes to the ISMS when the need arises, emphasizing the importance of a structured and systematic approach to managing changes within the system.

4. Enhanced Operational Planning and Control

ISO 27001:2022 introduces additional guidance in Clause 8.1 for operational planning and control. Organizations are now required to establish criteria for actions identified in Clause 6 and control those actions accordingly. The standard also highlights the need to control any externally provided processes, emphasizing the importance of managing third-party relationships.

5. Reorganization and Reduction of Annex Controls

One of the most significant changes in ISO 27001:2022 is the reorganization and reduction of annex controls. The number of controls has been reduced from 114 to 93, simplifying the categories and aligning them more effectively with the current hybrid and remote work environments. This update acknowledges the evolving nature of technology and aims to ensure the standard remains relevant and efficient.

6. Introduction of New Controls

ISO 27001:2022 introduces 11 new controls in the annex section, covering areas that were already being practiced by organizations but are now formally included in the standard. These new controls address emerging threats and challenges, such as threat intelligence, information security for the use of cloud services, ICT readiness for business continuity, and more.

7. Recategorization of Controls

To improve clarity and organization, the controls in ISO 27001:2022 have been recategorized into four main categories: organizational, people, physical, and technological. This reorganization simplifies the structure and enhances the standard’s usability, allowing organizations to more easily identify and implement the relevant controls.

8. Emphasis on Needs and Expectations of Interested Parties

ISO 27001:2022 adds a requirement in Clause 9.3 for management review to consider changes in the needs and expectations of interested parties. This highlights the significance of aligning the ISMS with the evolving priorities and requirements of stakeholders, enabling organizations to adapt and respond effectively to changes in their operating environment.

9. New Controls for Current Challenges

The updated standard introduces controls that address current challenges and technologies, such as threat intelligence, web filtering, and secure coding. As these challenges continue to evolve across the industry, the updates keep the standard current and relevant.

What’s Next?

All organizations that hold a current ISO 27001:2013 certification are required to undergo a transition audit to be certified to the 2022 version. Certification and recertification against ISO 27001:2013 are allowed until April 30, 2024. However, companies should begin to update their ISMS to comply with the requirements in this new revision as soon as possible. Any company currently certified against ISO 27001:2013 must transition no later than October 31, 2025.

To ensure a successful transition, organizations are required to:

  • Perform a Gap Assessment: Map your existing controls to the newly revised standard and determine what changes your ISMS will need in order to achieve certification under the new version of the standard.
  • Update the SoA: This document serves as a catalog of controls relevant to the ISMS. At a minimum, the SoA is required to include necessary controls, justification for inclusion, implementation status and justification for exclusion of controls. The SoA may also include risk mapping, control owners, and operating frequencies.
  • Update the Risk Treatment Plan: The risk treatment plan should include the risks relevant to implemented controls, risk responses, risk mitigation owners and administrative items such as timelines, budgets, etc.
  • Implement and Verify Effectiveness of Information Security Controls: The implementation and effectiveness of new or changed information security controls selected by your organization will be evaluated to ensure they meet the requirements of ISO/IEC 27001:2022.

For more information about the updated ISO 27001 standard and A-LIGN’s certification services, we invite you to watch our webinar or contact us today. Our team of experienced auditors is here to guide you through the certification process and ensure the security and resilience of your organization’s information assets.

At A-LIGN, we are committed to helping our clients achieve their certification goals and maintain the highest standards of information security. With our expanded certification services and expertise in ISO/IEC 27001:2022, we look forward to assisting organizations in their journey towards a more secure future.

Download our ISO 27001 checklist PDF!