A complete guide to ISO/IEC 27001:2022

As the worldwide digital terrain transforms, modern business strategies like remote work, “bring your own device” policies, and the advent of Industry 4.0, among others, have become the norm. Core business operations are progressively leaning on cloud-based solutions and digital dependencies.

To keep pace with this digital transformation, both the ISO 27001 Information Security Management and ISO 27002 Controls for Information Security standards have been revamped. These revisions introduce sturdier controls, empowering your organisation to tackle the escalating complexity of security risks, maintain operational consistency, and achieve a competitive edge. The new version’s complete title is ISO/IEC 27001:2022 Information Security, Cybersecurity and Privacy Protection.

Promptly assimilating these amendments and their ramifications on your organisation will not only safeguard your information but also enhance and uphold your competitive stance.

What is ISO/IEC 27001:2022?

ISO/IEC 27001:2022 is the updated version of ISO/IEC 27001:2013, often referred to simply as ISO 27001.

ISO 27001 is one of the most recognised global standards for Information Security Management Systems (ISMS), outlining the essential requirements for an ISMS. It’s a universal guide for organisations of any size and from all industries to establish, implement, sustain and consistently enhance an information security management system.

Adherence to ISO 27001 shows that an organisation or business has instituted a robust system to manage the risks associated with the security of its data, whether owned or managed, aligning with the best practices and principles codified in this International Standard.

On 25th October 2022, the final version of ISO/IEC 27001:2022 was published. The International Accreditation Forum (IAF) agreed and set out its mandatory requirements to enable the swift and timely transition to the new version of the standard.

So what’s the difference between ISO 27001:2013 and ISO/IEC 27001:2022? The latter includes a variety of updates to reflect the ever-changing digital landscape. Further details of the changes can be found in the sections below or you can download our Transition Guide.

Why is ISO/IEC 27001:2022 Important?

ISO/IEC 27001:2022 is especially important today with our ever-changing digital environment. Implementation of ISO/IEC 27001:2022 has the following benefits:

Ensure Adherence to the Latest Standard

The ISO/IEC 27001:2022 standard remains the most recent and all-encompassing framework for an ISMS. A Lead Implementer for ISO/IEC 27001:2022 is equipped to guarantee that the organisation remains in line with the current prerequisites of the standard.

Streamlined Implementation

The deployment of an ISMS can be a complicated endeavour, but a Lead Implementer for ISO/IEC 27001:2022 possesses the insight and proficiency to make the process as streamlined as possible. They can assist in pinpointing deficiencies in the organisation’s existing security initiatives and provide counsel on the integration of new controls.

Risk Management

An ISMS, grounded in the ISO/IEC 27001:2022 standard, is formulated to detect, evaluate, and manage information security risks. The Lead Implementer can aid the organisation in uncovering potential risks and formulating strategies to lessen them.

Enhance Reputation

The deployment of an ISMS, based on the ISO/IEC 27001:2022 standard, can bolster the organisation’s standing and instil customers with the confidence that their information is safe. Your Lead Implementer can affirm that the system is efficacious and satisfies the expectations of the organisation’s stakeholders.

What are the main changes in ISO/IEC 27001:2022?

35 controls remain unchanged, 57 have been merged, 23 others have been renamed and 11 new ones have been introduced. This takes the controls from 114 to 93, spread over 4 categories.

  • The term “International standard” has been replaced with “document” throughout
  • Some English phrases have been amended to allow for easier translation
  • There are also changes to align with the ISO harmonised approach:
    • Numbering re-structure
    • The requirement to define processes needed for implementing the ISMS and their interactions
    • The explicit requirement to communicate organisational roles relevant to information security within the organisation
    • New clause 6.3 – Planning of Changes
    • New requirement to ensure the organisation determines how to communicate as part of clause 7.4
    • New requirements to establish criteria for operational processes and implement control of the processes
  • The most significant modifications in this revision occur in Annex A, mirroring the alterations made in ISO/IEC 27002:2022. These include:
    • A restructured format consolidates the content into four main categories: Organisational, People, Physical, and Technological, a reduction from the prior 14 sections.
    • The quantity of controls has been trimmed down from 114 to 93.
    • There’s been a remix of controls – some have amalgamated, some have been eliminated, new ones have surfaced, and others have received updates.
    • Introduction of the attribute concept.
    • Aligning with the prevalent terminology within the realm of digital security, the five attributes introduced are: Control type, Information security properties, Cybersecurity concepts, Operational capabilities, and Security domains.

Find out more about the ISO/IEC 27001:2022 transition.

ISO/IEC 27001:2022 Transition Checklist

Some controls seemingly converge in this edition, while others emerge as new entities that may necessitate slight adjustments to your current system – that is if you opt to incorporate them into your Statement of Applicability.

ISO/IEC 27001:2022                                  | ISO/IEC 27001:2013 equivalent
A.5.7  Threat intelligence                          | A.6.1.4  Contact with special interest groups
A.5.16 Identity management                          | A.9.2.1  User registration and de-registration
A.5.23 Information security for use of cloud services | A.15     Supplier relationships
A.5.29 Information security during disruption       | A.17.1   Information security continuity
A.5.30 ICT readiness for business continuity        | A.17.1.3 Verify, review and evaluate information security continuity
A.7.4  Physical security monitoring                 | A.9.2.5  Review of user access rights
A.8.9  Configuration management                     | A.14.2.5 Secure system engineering principles
A.8.10 Information deletion                         | A.18.1.3 Protection of records
A.8.11 Data masking                                 | A.14.3.1 Protection of test data
A.8.12 Data leakage prevention                      | A.12.6.1 Management of technical vulnerabilities
A.8.16 Monitoring activities                        | A.12.4   Logging and monitoring
A.8.23 Web filtering                                | A.13.1.2 Security of network services
A.8.28 Secure coding                                | A.14.2.1 Secure development policy

Changes in detail

Clause 3 “Definitions”

This segment now incorporates references to the ISO online browsing platform and the IEC Electropedia, which host the terminology databases. The inclusion of these hyperlinks significantly simplifies the process of reviewing terminology to obtain a clearer understanding of clauses and controls.

Clause 4.2 “Understanding the needs and expectations of interested parties”

The inclusion of item (c) stipulating “which of these requirements will be addressed through the information security management system” indicates that greater clarity will be required concerning the expectations of interested parties.

Clause 4.4 “Information security management system”

Supplementary wording has been added, necessitating the inclusion of “the processes required [for the maintenance and improvement of the ISMS] and their interactions, in accordance with the requirements of this document.” This adjustment facilitates alignment with other ISO standards, such as ISO 9001:2015 and ISO 22301:2019.

Clause 5.3 “Organisational roles, responsibilities and authorities”

This clause has been amended to read, “Top management shall ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated within the organisation,” providing clearer direction regarding who should receive these communications.

Clause 6.1.3 “Information security risk treatment”

The update to Note 2 now states “Annex A contains a list of possible information security controls,” replacing the original “comprehensive list of control objectives and controls.” This adjustment underscores the possibility of considering additional controls as part of your ISMS.

Clause 6.2 “Information security objectives and planning to achieve them”

Item (d) has been added, requiring objectives to be monitored throughout the certification lifecycle. While not previously specified in ISO 27001:2013, this requirement now ensures that progress (or lack thereof) against objectives is tracked.

Clause 6.3 “Planning of Changes”

An entirely new clause that encapsulates the prior requirements of Change Control, it’s titled “Planning of Changes.” It ensures that any changes to the information security management system required by the organisation are executed in an orderly fashion.

Clause 7.4 “Communication”

A further modification has led to the removal of item (e), the requirement for establishing communication processes, suggesting that the method of communication delivery doesn’t significantly impact its reception.

Clause 8.1 “Operational planning and control”

This now states “The organisation shall ensure that externally provided processes, products or services that are relevant to the ISMS are controlled.” The revised wording of this clause offers clearer guidance for implementing an ISMS than the original phrasing. The requirement to implement plans for achieving objectives has also been removed, as it is covered in Clause 6.2.

Clause 9.1 “Monitoring, measurement, analysis and evaluation”

Transferring the note from the existing standard stating “The methods selected should produce comparable and reproducible results to be considered valid” to the main body of the text lends crucial clarity about what qualifies as a “valid” result according to the standard.

Clause 9.3 “Management Review”

The reorganisation of this clause has resulted in three sub-clauses. Item (c) was added to 9.3.2 Management review inputs, now including “changes and needs and expectations of interested parties that are relevant to the information security management system.”

Clause 10 “Improvement”

The arrangement of this clause has been inverted, so 10.1 is now “Continual Improvement” and 10.2 is now “Nonconformity and Corrective Action.”

Will ISO/IEC 27001:2022 changes affect my current ISO/IEC 27001 certificate?

First of all, don’t panic. The recent modifications in ISO/IEC 27001:2022 won’t have an impact on the existing ISO/IEC 27001 certificate. For those aspiring to obtain certification against the new standard, the British Assessment Bureau has introduced the ISO/IEC 27001 Transition training course, along with updated ISO/IEC 27001 Lead Auditor and Lead Implementer training programs.

What does this mean if you’re already working towards ISO/IEC 27001?

If you’re on the path towards certification, there’s no need for a shift in your strategy. We foresee minimal technical adjustments will be necessary.

The expected modifications will largely comprise:

  • Undertaking a gap analysis of your present ISMS in contrast with the fresh set of controls
  • Refreshing risk treatment procedures to synchronise with the new controls
  • Revamping the Statement of Applicability
  • Revising certain segments of existing policies and procedures to allude to new or modified controls

How can British Assessment Bureau help?

In line with our transition policy and IAF MD26, issue 2, we can offer initial certification against the 2013/17 version until the end of March next year; after that point, all initial certifications and reverts will have to be against the 2022 version.

As well as our ISO/IEC 27001:2022 Transition Guide, we will be organising training for clients. Sign up for our ISO/IEC 27001:2022 training here.

Find out more about our ISO/IEC 27001:2022 Transition Course and how it helps you and your organisation.

Written by Julian Russell

Julian Russell is an experienced author and thought leader in the field of ISO compliance and quality management systems. Visit BAB today.