ISO 27001:2022 Published! A summary of the changes to the Information Security Management Systems Standard

Reading Time: 9 minutes
Published on: October 31, 2022

Every five years each ISO Standard goes through a review cycle in order to ensure they continue to reflect current industry best practices, or to determine if they require an update. For Information Security related standards, this has been especially important, so they’re kept up to date with the constantly evolving cyber threat landscape in the current digital world. Continual improvement of the standards is essential to outline the current best practices for protecting organisations’ data.

Information Security is rising in importance on almost every business agenda. With new cyber incidents and data breaches occurring daily, the urgency is growing. Between the increased adoption of cloud-based systems, remote work and automation of technologies, and growing cybersecurity and privacy concerns, dealing with sensitive information in a structured and trusted way has never been so important. Businesses that implement a framework that protects their information assets and achieve Certification will benefit from gaining the trust of their stakeholders, who can be assured that their information is protected.

With the last version of ISO 27001 released in 2013, a new version of the Information Security Management System Standard was necessary to help organisations navigate new scenarios and threats, and make sure relevant and current security controls are in place. As a result, on 25 October 2022, ISO announced that the new version has been published: ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection – Information security management systems – Requirements.

What is ISO/IEC 27001?
The ISO 27001 Information Security Management Systems Standard provides requirements for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS) within your business. It helps organisations protect the confidentiality, integrity, and availability of their information assets through effective risk management.

What’s changed from the ISO 27001:2013 edition to the ISO 27001:2022 edition?

The first noticeable change of the updated standard is the name, now titled: ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection – Information security management systems – Requirements. This updated title more comprehensively reflects the standard’s purpose via the updated information security controls.

Before we continue with the changes in the requirements and clauses, it’s important to note that there are some slight wording changes throughout the body of the standard. These wording changes don’t change the overall meaning of the standard, but rather clarify areas which were ambiguous in the 2013 edition.

The most significant change in ISO 27001:2022 is the update of Annex A, to reflect the ISO 27002:2022 Guidelines update made earlier this year. Annex A outlines all Information Security Controls, which need to be applied to an organisation’s ISMS. The changes within Annex A include:

  • Security Controls: 24 merged controls, 58 updated controls, 11 new controls
  • Control categories: Category restructure
  • Control attributes: Addition of attributes to Annex A

Let’s have a look at these changes in a bit more detail:

Security Controls

The previous version of Annex A contained 114 controls, which has now been reduced to 93. Although the new version contains fewer controls, much of that decrease comes from redundant controls which have been removed or merged. In fact, 11 new controls were added to Annex A, which include:

  1. Threat intelligence
  2. Information security for the use of cloud services
  3. ICT readiness for business continuity
  4. Physical security monitoring
  5. Configuration management
  6. Information deletion
  7. Data masking
  8. Data leakage prevention
  9. Monitoring activities
  10. Web filtering
  11. Secure coding

These additional controls add new layers of information security to the standard to reflect the current state of cyber security.

Control Categories

The 2022 edition now organises the controls into 4 categories, in place of the 14 domains from the 2013 edition:

  • People (8 controls)
  • Organisational (37 controls)
  • Technological (34 controls)
  • Physical (14 controls)

This change stems from an objective to make the control categories more modern, simpler and more versatile. This makes the standard more ‘user-friendly’ and useful, as the previous control categories were found to be complex to navigate on a day-to-day basis, which made them inefficient.

Control Attributes

The updated version also provides a new organisational scheme for the controls. Attributes can be used to filter, sort or present controls in different views for different audiences. The security controls are now sorted by five attributes:

  • Control type
  • Cybersecurity concepts
  • Information security properties
  • Operational capabilities
  • Security domains

These new attributes help businesses prioritise the correct controls for their context. For example, if your primary concern is confidentiality, you can use these attributes to sort the controls by that one information security property.

Changes to the ISO 27001:2022 edition

Some other minor changes in the 2022 edition include:

  • In clause 4.2 Understanding the needs and expectations of interested parties a new item (c) was added requiring an analysis of which of the interested party requirements must be addressed through the ISMS.
  • In clause 4.4 Information security management system it now specifically notes that the ISMS needs to include “…the processes needed and their interactions…”. Even though this was implied in the previous version, it’s now specifically noted in relation to the entirety of the ISMS.
  • In clause 5.1 Leadership and commitment a new note was added to clarify that “Reference to “business” in this document can be interpreted broadly to mean those activities that are core to the purpose of the organisation’s existence.”
  • In clause 5.3 Organisational roles, responsibilities and authorities a phrase in the first paragraph of the 2022 edition was added to clarify that roles are assigned and communicated “within the organisation” to avoid ambiguity.
  • In clause 6.1.3 Information security risk treatment a new note was added to clarify “The information security controls listed in Annex A are not exhaustive and additional information security controls can be included if needed.”
  • In clause 6.2 Information security objectives and planning to achieve them two additional items were added. Item (d) requires objectives to be monitored, and item (g) requires objectives to be available as documented information.
  • Clause 6.3 Planning of changes was added, requiring that any change in the ISMS needs to be carried out in a planned manner, which is now aligned with the ISO 9001:2015 Quality Management Systems Standard clause 6.3.
  • In clause 7.4 Communication items (d) and (e) were deleted, and replaced with a new item (d) which requires the organisation to determine how it will communicate with internal and external parties.
  • In clause 8.1 Operational planning and control new requirements were added for establishing criteria for security processes, and for implementing processes according to those criteria, moving the focus away from simply keeping “documented information” and integrating into day-to-day business. In addition, the terminology in relation to “outsourced processes” was updated to better match ISO 9001:2015 with “externally provided processes, products or services”.
  • Clause 9.2 Internal audit has been restructured into two subsections, but still has the same content as the 2013 edition.
  • Clause 9.3 Management review has been structured into three subsections, with the same content as the 2013 edition, plus one new input item at 9.3.2 (c) which requires that the management review considers changes in the needs and expectations of interested parties that are relevant to the ISMS.
  • In Clause 10 Improvement the subclauses have switched places, so the first one is now Continual improvement (10.1), and the second one is now Nonconformity and corrective action (10.2), while the content of those clauses has not changed.

These changes have been primarily made to align with other core ISO Management System Standards such as ISO 9001:2015 for Quality, ISO 45001:2018 for Occupational Health and Safety, and ISO 14001:2015 for Environmental. This allows for easier implementation of Integrated Management Systems.

How will these changes affect my current Certification to ISO 27001:2013?

There is a three-year transition period from the publication date of ISO 27001:2022. This means businesses will need to meet the requirements and get certified to the new version by October 2025.

If your business is already certified to ISO 27001:2013, you can continue to have your audits conducted against the 2013 standard requirements during the transition period, but you will need to update your ISMS, be audited against the new 2022 requirements and achieve Certification to ISO 27001:2022 before October 2025.

Keep in mind that by implementing the requirements of the ISO 27001:2022 Standard sooner rather than later, you’ll enjoy the benefits of the new Standard which should make your ISMS easier to manage. This is also a great opportunity to update your organisation’s controls to reflect the current demands for business Information Security.

History with other Standard updates has shown that waiting until the last minute to transition your Certification may result in it lapsing: Certification Bodies become very heavily booked towards the end of the three-year transition period and may not have capacity to conduct your transition audit at the last minute. If your certification lapses, your business will have to go through stage 1 and stage 2 audits again, resulting in higher Certification costs. Don’t wait until it’s too late; start the transition process for the new version now.

The best time to arrange your transition audit is at one of your scheduled Surveillance or Re-Certification audits. However, if this timing doesn’t work out, it can be through a separate audit. The transition audit needs to include:

  1. An assessment against ISO 27001:2022, and the need for changes to your ISMS;
  2. The updating of the statement of applicability (SoA);
  3. If applicable, the updating of the risk treatment plan; and
  4. The implementation and effectiveness of the new or changed controls chosen.

The transition audit needs to include at least an additional 0.5 auditor day.

It’s important to note that all certifications based on ISO 27001:2013 will expire or be withdrawn at the end of the transition period (by 24 October 2025).

Businesses that are looking to get certified to the ISMS Standard for the first time can still achieve initial certification to ISO 27001:2013, but will also need to transition to ISO 27001:2022 before the end of the transition period. If you’re just starting out with developing your ISMS, we advise you to start with ISO 27001:2022.

How should I prepare to make the transition to ISO 27001:2022?

Transitioning to ISO 27001:2022

Before attending your next ISO audit (Re-certification, Surveillance or Transition audit), where you may choose to now be audited against the requirements of the 2022 edition of ISO 27001, you will need to ensure that your ISMS meets the updated requirements. You can make this transition by:

  1. Reviewing the new ISO 27001:2022 Management System Standard document, and familiarising yourself and your team with the changes.
  2. Conducting a gap analysis. This should include reviewing the security controls, as many of them have been merged or updated, and new ones have been added. This will help you determine what will be affected, and what needs to be adjusted. Ideally an expert consultant like ISO Certification Experts can conduct this to provide you with a report containing all the gaps and recommendations to best upgrade your system to the new changes.
  3. Updating your ISMS and implementing the changes. Many businesses will opt to use a Consultant to help them with this process. Consultants can assist businesses in implementing the new requirements in a way that suits their existing ISMS, and works for their current business practices. Engaging a consultant will also help minimise the risk of getting Non-Conformances during external audits, and losing your certification from not addressing the new requirements.
  4. Completing an Internal Audit to help identify whether your Management System meets the updated ISO 27001:2022 requirements, or whether it still requires further improvements. It is important to note that Internal Audits must be conducted by somebody who is trained and competent, to ensure your business gets the most out of this process.
  5. Conducting a Management Review to evaluate whether the ISMS is performing effectively after the changes have been implemented, and whether it remains suitable and adequate. A consultant can also help you conduct and document Management Review meetings.

You will also need to update your Statement of Applicability (SoA) to reflect the 2022 edition. The SoA is a document which states the security controls and policies that are being applied by the organisation. Essentially, the SoA allows businesses to omit particular security controls when they are not relevant to the scope of their business.

Organisations must review their existing controls listed in their SoA, and align them with a current risk assessment of their information security environment, threats and vulnerabilities. As per clause 6.1.3 item (d) in the ISO 27001:2022 Standard document, the SoA must contain:

  • The necessary controls;
  • Justification for their inclusion;
  • Whether the necessary controls are being implemented or not; and
  • Justification for excluding any of the security controls.

Do you need help or advice with the transition to ISO 27001:2022? Our expert consultants can assist you with updating and implementing your ISMS to meet the updated requirements! Call us now on 1300 614 897, email us, or book your online FREE strategy session to start your transition today.

About the author

Consulting Manager at ISO Certification Experts

Anthony is the Consulting Manager at ISO Certification Experts. He is a Certified Implementer and Auditor for ISO 27001, ISO 9001, ISO 14001 and ISO 45001.

All information on this blog site is for informational purposes only. As this information is based on our professional experience, opinion, and knowledge, we make no representations as to the suitability of this information for your individual business circumstances. Especiality Pty Ltd trading as ISO Certification Experts and all related businesses and brands will not be liable for any errors, omissions, legal disputes or any damage arising from its display or use. All information is provided as is, with no warranties and confers no rights.

We will not be responsible for any material that is found at the end of links that we may post on this blog site. The advice, ideas, and strategies should never be used without first assessing your own personal business situation or seeking professional and/or legal advice. Information may also change from time to time to suit industry and business needs, requirements and trends.