ISO 27001:2022 update: What are the changes in 2022? 2013 vs. 2022 revision

Information security, sometimes shortened to infosec, is the practice of protecting information by mitigating information risks. It includes procedures or measures used to protect electronic data from unauthorised access. Information security controls are devices or software used to enforce security policies in order to protect sensitive information from unauthorised access.

An Information Security Management System (ISMS) is a systematic approach to managing sensitive company information so that it remains secure. The goal of an ISMS is to minimise the risk of data breaches and other security incidents by identifying, assessing, and treating information risks.

ISO/IEC 27001 provides a framework for organisations to manage their information security risks through an Information Security Management System (ISMS) within the context of the organisation. The new ISO/IEC 27001:2022 was published on the 25th of October 2022, with some minor changes to the clauses but major changes to Annex A. In this blog, we will review the changes and how they will affect your organisation.

What are the main changes in the clauses of the ISO 27001:2022 standard?

In line with the High-Level Structure of the Management System Standards, some minor changes have been introduced to ISO 27001:2022.

These changes include:

4. Context of the organisation

The “relevant” requirements of interested parties should be identified and determined through the Information Security Management System (ISMS).

5. Leadership

No major change

6. Planning

Information security objectives are now considered “documented information” and shall be monitored and made available. There is a new section on planning changes to the ISMS, “6.3 Planning of changes”.

7. Support

Clauses 7.4.d and 7.4.e, regarding how to communicate as part of the communication plan, have been merged.

8. Operation

There is a requirement to establish criteria for processes to implement process control in accordance with the criteria. There is a requirement to control “externally provided processes, products or services” relevant to the ISMS instead of just processes.

9. Performance evaluation

There is a requirement for comparability and reproducibility of the methods of monitoring, measuring, analysing, and evaluating the effectiveness of the ISMS. Clause 9.2 Internal audit is now split into 9.2.1 General and 9.2.2 Audit programme. Clause 9.3 Management review is now split into 9.3.1 General, 9.3.2 Management review inputs, and 9.3.3 Management review outputs. Changes in the needs and expectations of interested parties should be considered as a management review input.

10. Improvement

No major change


What are the main control changes in Annex A of the ISO 27001:2022 aligned with the ISO 27002?

Aligned with the new revision of ISO/IEC 27002 (the guidance for implementing the information security controls, updated in February 2022), Annex A of ISO/IEC 27001 has been changed in the 2022 version of the standard. A summary of the changes to the ISO 27001:2022 controls includes:

  • Reducing the number of categories of controls from 14 to 4
  • Reducing the number of controls from 114 to 93
  • Updating 58 of the existing controls
  • Merging 24 of the existing controls
  • Introducing 11 new controls

The 93 controls are categorised into the 4 categories listed below:

  • 5. Organisational (37 controls)
  • 6. People (8 controls)
  • 7. Physical (14 controls)
  • 8. Technological (34 controls)

Here is a list of newly added controls in Annex A of ISO/IEC 27001:2022:

  • Threat intelligence
  • Information security for use of cloud services
  • ICT readiness for business continuity
  • Physical security monitoring
  • Monitoring activities
  • Web filtering
  • Secure coding
  • Configuration management
  • Information deletion
  • Data masking
  • Data leakage prevention

How will these changes affect your organisation and what should you do during the transition period?

Similar to other standards, there is a three-year transition period. So, as the new revision was published in October 2022, the transition to the new revision should be completed by October 2025.

To obtain an ISO 27001 certificate, organisations must undergo a certification process that includes auditing their ISMS against the requirements of ISO 27001. The certification process is conducted by third-party certification bodies that are accredited by national accreditation bodies such as JAS-ANZ.

If you are already certified to the 2013 version of this standard, your next audit can be conducted against the 2013 or 2022 version of the standard, but from the 1st of November 2023, certification bodies should conduct all audits against ISO/IEC 27001:2022.

If you are planning to certify your Information Security Management System, your ISMS can still be audited against either ISO/IEC 27001:2013 or ISO/IEC 27001:2022 until the 31st of October 2023.

How ISO Consulting Services can help you

We have designed our exclusive gap assessment tool against the requirements of ISO 27001:2022. It gives you not only the gaps and the areas where you need to improve, but also a numerical and graphical analysis of your current compliance level and how you can improve it. We can also assist you with documentation and implementation of the requirements and with getting ready for your ISO 27001 audit.

Please fill out the Questionnaire or contact us if you need our help in developing and establishing your ISMS in compliance with the requirements of the ISO 27001:2022 standard.
