ISO 27001:2013 vs ISO 27001:2022: What has been changed?

ISO 27001 is one of the most recognized standards for information security management; it helps organizations protect sensitive data and manage risks effectively. In 2022, an updated version of this standard, ISO 27001:2022, was released, replacing the previous ISO 27001:2013 version.

This update brought key changes and improvements to reflect the evolving landscape of cybersecurity and data protection. But what exactly has changed between ISO 27001:2013 and ISO 27001:2022?

In this blog, we’ll break down the differences between the two versions, highlight the new requirements, and explain what these changes mean for your business. Let’s explore how the updated standard helps organizations stay secure in today’s increasingly complex digital world.

Why was there a need to update ISO 27001:2013?

Cyberattacks on businesses have become more targeted, frequent, and complex. Statista states cybercrime is expected to increase rapidly in the coming years. Addressing cybersecurity challenges and mitigating rapidly evolving cyber threats, while organizations expand their digital presence, demands updated standards and frameworks for information security management that help organizations secure their information assets.

Organizations need to enhance their cyber resilience and implement threat mitigation efforts. The updated version of ISO/IEC 27001 has been released to address the growing and evolving security challenges the world faces today, and it has been revised to better align with the current security landscape.

ISO/IEC 27001 has been updated to benefit organizations in the following ways:

  • Protect all types of information, including electronic, cloud-based, and physical documents.
  • Enhance defense against cyber threats.
  • Implement a centralized system for securing all information.
  • Guarantee comprehensive protection for the entire organization, including against technological hazards and other potential risks.
  • Adapt to changing security concerns.
  • Lower expenses by eliminating unnecessary security technology.
  • Maintain the accuracy, privacy, and accessibility of data.

What has been changed in ISO 27001:2022?

The new update includes a change to the standard’s title, minor clause updates, and some significant changes in Annex A. Let’s explore what has been changed in each of these sections.

Title update

The new version of ISO/IEC 27001 has been renamed “Information security, cybersecurity, and privacy protection – Information security management systems – Requirements,” which aligns with the title of ISO/IEC 27002:2022 (Information security, cybersecurity, and privacy protection – Information security controls).

Clause updates

In addition to the title change, clauses 4 to 10 have undergone several minor modifications; in particular, clauses 4.2, 6.2, 6.3, and 8.1 have new additional content. There are also minor adjustments to terminology and rephrasing of sentences and clauses. However, the titles and structure of these clauses remain unchanged:

  • Clause 4 Context of the organization
  • Clause 5 Leadership
  • Clause 6 Planning
  • Clause 7 Support
  • Clause 8 Operation
  • Clause 9 Performance evaluation
  • Clause 10 Improvement

The following new subclauses have also been added in ISO 27001:2022:

  • 6.3 Planning of changes
  • 9.2.1 General
  • 9.2.2 Internal audit program
  • 9.3.1 General
  • 9.3.2 Management review inputs
  • 9.3.3 Management review results

Changes in Annex A of ISO 27001:2022

Annex A of ISO/IEC 27001:2022 has seen changes in the number of controls and their grouping. The title of this Annex has also been changed from “Reference control objectives and controls” to “Information security controls reference.” As a result, the reference objectives of each control group present in the previous version of the standard have been removed.

The number of Annex A controls has been reduced from 114 to 93. The majority of this decrease has come from merging several controls. 35 controls have remained unchanged, 23 controls have been renamed, 57 controls have been consolidated into 24 controls, and one control has been split into two. The 93 controls have been reorganized into four control groups or sections.

The new control groups in ISO/IEC 27001:2022 are:

  • A.5 Organizational controls – 37 controls
  • A.6 People controls – 8 controls
  • A.7 Physical controls – 14 controls
  • A.8 Technological controls – 34 controls

The 11 new controls added in Annex A are:

  • A.5.7 Threat intelligence
  • A.5.23 Information security for the use of cloud services
  • A.5.30 ICT readiness for business continuity
  • A.7.4 Physical security monitoring
  • A.8.9 Configuration management
  • A.8.10 Information deletion
  • A.8.11 Data masking
  • A.8.12 Data leakage prevention
  • A.8.16 Monitoring activities
  • A.8.23 Web filtering
  • A.8.28 Secure coding

The revised Annex A of ISO/IEC 27001:2022 is designed to align with the information security controls outlined in ISO/IEC 27002:2022. This is the most notable change in the new edition of the standard. Additionally, changes have been made to clauses 4-10 to improve consistency with other management system standards; these changes are mostly editorial in nature.

Read also: ISO 27001 certification cost: Complete guide

FAQs

Will ISO/IEC 27001:2022 changes affect my current ISO/IEC 27001 certificate?

The updates to ISO/IEC 27001:2022 will not affect the validity of existing ISO/IEC 27001 certificates. Organizations already certified to the previous edition will not be required to recertify to the new edition at least until 2024.

Will I get audited on the new version of ISO 27001?

The industry is not yet ready to conduct official audits against the new version of the standard. It is unlikely that organizations will be audited against ISO/IEC 27001:2022 until the end of 2023. Organizations already certified to the previous version would not be required to recertify to the new version if they were assessed against the 2013 version before October 2022.

Can I still become certified to ISO 27001:2013?

Organizations that have not yet achieved ISO 27001 certification can implement the previous version and get certified before October 31, 2023. They would then have two years to adapt to the new version of the standard.

Automate ISO 27001:2022 with CyberArrow GRC

The transition from ISO 27001:2013 to ISO 27001:2022 reflects the growing need for organizations to adapt to new security challenges. These updates emphasize a more dynamic approach to managing risks and securing information. Staying compliant with ISO 27001:2022 is essential for protecting your business, gaining customer trust, and avoiding potential penalties.

To simplify the process, CyberArrow GRC can help you automate your ISO 27001 compliance and make it easier to meet the new requirements.

With CyberArrow GRC, you can:

  • Automate compliance: Save time by automating up to 90% of the ISO 27001 compliance tasks, including evidence collection and control implementation.
  • Cross-standard mapping: Achieve multiple certifications (e.g., ISO 27001, ISO 9001) with pre-built cross-standard mappings, streamlining the compliance process.
  • Monitor risks continuously: Automate risk assessments and track your organization’s compliance status in real time with powerful dashboards.
  • Pre-approved templates: Use auditor-approved document templates, reducing the burden of manually creating compliance documentation.
  • Expert support: Work with a dedicated team throughout your compliance journey, including access to expert advice from a virtual CISO.

See what Emirates has to say about CyberArrow GRC

Read full case study: How Emirates enhanced Information Security by automating ISO 27001 with CyberArrow

Roberta Di Giuseppe