The differences between ISO27001:2013 and ISO27001:2022?

At the end of October 2022, the International Organisation for Standardisation (ISO) published ISO/IEC 27001:2022, a moderate update of the previous version of the standard, ISO 27001:2013. Both are international standards for information security management systems (ISMS). They provide a set of best practices and guidelines for establishing and maintaining an ISMS, which is a framework of policies and procedures for protecting sensitive information.

The 2022 version includes several updates and improvements over the 2013 version, including new requirements and guidance on topics such as data governance, supply chain security, and the use of cloud services. Below I highlight the significant changes and key differences between the 2013 and 2022 versions of ISO 27001.

Clauses 4 to 10

The mandatory clauses 4 through 10 have changed only slightly, mainly to align with ISO 9001, ISO 14001, and other ISO management system standards, and with the harmonised structure of Annex SL:

    • Clause 4.2 (Understanding the needs and expectations of interested parties), item (c) was added requiring an analysis of which of the interested party requirements must be addressed through the ISMS.
    • Clause 4.4 (Information security management system), a phrase was added requiring planning for processes and their interactions as part of the ISMS.
    • Clause 5.3 (Organisational roles, responsibilities and authorities), a phrase was added to clarify that communication of roles is done internally within the organisation.
    • Clause 6.2 (Information security objectives and planning to achieve them), item (d) was added that requires objectives to be monitored.
    • Clause 6.3 (Planning of changes) was added, requiring that any change in the ISMS needs to be done in a planned manner.
    • Clause 7.4 (Communication), item (e) was deleted, which required setting up processes for communication.
    • Clause 8.1 (Operational planning and control), new requirements were added for establishing criteria for security processes, and for implementing processes according to those criteria. In the same clause, the requirement to implement plans for achieving objectives was deleted.
    • Clause 9.3 (Management review), the new item 9.3.2 c) was added that clarifies that inputs from interested parties need to be about their needs and expectations, and relevant to the ISMS.
    • Clause 10 (Improvement), the subclauses have changed places, so the first one is Continual improvement (10.1), and the second one is Nonconformity and corrective action (10.2), while the text of those clauses has not changed.

Changes in Annex A security controls

The changes in Annex A are only moderate because most of the controls have either stayed the same (35 of them) or have only been renamed (23). Another 57 controls were merged, which has reduced the number of controls, but the requirements within those controls remained almost the same. One control was split into two separate controls, while the requirements stayed the same.

New controls in Annex A

Eleven new controls were added to reflect current trends in IT and security:

    • A.5.7 Threat Intelligence: This control requires organisations to gather and analyse information about threats, so they can take action to mitigate risk.
    • A.5.23 Information Security for Use of Cloud Services: This control emphasises the need for better information security in the cloud and requires organisations to set security standards for cloud services and to have processes and procedures specifically for cloud services.
    • A.5.30 ICT Readiness for Business Continuity: This control requires organisations to ensure that information and communication technology can be recovered and used when disruptions occur.
    • A.7.4 Physical Security Monitoring: This control requires organisations to monitor sensitive physical areas (data centres, production facilities, etc.) to ensure only authorised people can access them, and so that the organisation is aware of any breach.
    • A.8.9 Configuration Management: This control requires an organisation to manage the configuration of its technology, to ensure it remains secure and to avoid unauthorised changes.
    • A.8.10 Information Deletion: This control requires the deletion of data when it is no longer required, to avoid leaks of sensitive information and to comply with privacy requirements.
    • A.8.11 Data Masking: This control requires organisations to use data masking in accordance with the organisation's access control policy to protect sensitive information.
    • A.8.12 Data Leakage Prevention: This control requires organisations to implement measures to prevent data leakage and disclosure of sensitive information from systems, networks, and other devices.
    • A.8.16 Monitoring Activities: This control requires organisations to monitor systems for unusual activities and to implement appropriate incident response procedures.
    • A.8.23 Web Filtering: This control requires organisations to manage which websites users access, to protect IT systems.
    • A.8.28 Secure Coding: This control requires secure coding principles to be established within an organisation's software development process, to reduce security vulnerabilities.

How much has changed & next steps?

Changes in the main part of the standard are only small and can be done rather quickly, with only slight changes in the documentation and processes. Changes in the Annex A controls are moderate and can be mostly dealt with by adding the new controls to the existing documentation.

This update does not invalidate existing certifications, and certification against ISO 27001:2013 remains possible until April 30, 2024. However, companies should begin updating their controls and processes to comply with the requirements of the new revision as soon as possible.

Any company currently certified against ISO 27001:2013 has until October 31, 2025, to transition to the new revision. The recommended steps are:

    • A gap assessment: complete a gap/readiness assessment to map your existing controls to the newly revised standard and determine what changes your company will need to make to achieve certification under the new version of the standard.
    • Implement new controls: once that assessment is complete, focus on implementing the new controls.
    • Conduct a new audit: with diligent planning, be ready to conduct an audit against the new standard well before the ISO deadline of October 31, 2025.