One of the leading security standards received an updated version on October 25, 2022. The ISO 27001:2022 revision contains only a few changes, but they are still important to examine and study closely.

In this article, let’s talk about the major changes made in ISO 27001:2022 compared with the 2013 revision.

ISO 27001 is the international standard for an information security management system (ISMS); it provides a framework for organizations to manage and protect their sensitive information. It is published by the International Organization for Standardization (ISO), a non-governmental organization that develops international standards for various industries. The British Standards Institution (BSI) published the earlier BS 7799-2 standard in 1999, and it was replaced by ISO 27001 in 2005. Organizations of all types and sizes can use ISO 27001, a globally recognized standard for information security management. ISO 27001 gives a systematic approach to managing sensitive information, including risk management processes, policies and procedures, and the implementation of controls to treat the risks that are identified.

HISTORY OF ISO 27001 AND ISO 27002

Both ISO 27001 and ISO 27002 are internationally recognized standards related to Information Security Management.

ISO 27001, whose full title refers to “information security management systems,” was first published in 2005. Its predecessor, BS 7799-2, was released by the British Standards Institution (BSI) in 1999 and provides guidelines for establishing, implementing, maintaining, and improving an ISMS. The International Organization for Standardization (ISO) adopted BS 7799-2 as ISO 27001 in 2005, following the global recognition of the importance of information security. ISO 27001 was revised in 2013 and 2022 to address evolving security challenges and to align with the other management system standards under Annex SL.

ISO 27001 helps organizations continually improve their ISMS. It sets out the requirements for identifying information security risks, implementing controls, and monitoring the effectiveness of the system. In 2005, ISO/IEC 17799 was reissued as ISO/IEC 27002 to align with the newly adopted ISO 27001 standard. The purpose of ISO 27002 is to provide a comprehensive set of best practices and guidelines for information security controls. It covers various areas of information security, including organizational security, asset management, human resources security, physical and environmental security, communications and operations management, and more. Unlike ISO 27001, ISO 27002 does not impose mandatory requirements. Instead, it acts as a guide that companies may use to select and implement the security measures best suited to their particular needs, risks, and legal and regulatory requirements.

ISO 27002 provides recommendations on the selection and implementation of information security controls, while ISO 27001 sets the requirements for establishing an ISMS. Together, these standards give businesses a methodical way to manage information security and safeguard their most valuable assets.

COMPARING ISO 27001:2013 vs. 27001:2022:

In this comparative analysis, we will explore and compare ISO 27001:2013 and ISO 27001:2022, highlighting the potential changes, enhancements, and implications of the newer version. By examining the key differences between these two versions, organizations can gain insights into how the standard has evolved and understand its potential impact on their information security management practices. We will delve into the revised structure, modified requirements, updated controls, and any new additions or deletions.

Let’s check out the major changes that have been made in ISO 27001:2022 compared to the 2013 revision.

Comparison of 27001

Old revision (2013):

The ISO 27001:2013 revision was published on September 25, 2013. Its structure is as follows:

  • ISO 27001:2013 consists of an introduction followed by 10 clauses in the main part of the standard: scope, normative references, terms and definitions, context of the organization, leadership, planning, support, operation, performance evaluation, and improvement.
  • In ISO 27001:2013, Annex A contains a list of 114 security controls that can be selected and implemented to address information security risks.
  • These controls are grouped into 14 domains.

New revision (2022):

The ISO 27001:2022 revision introduced a few major changes compared to its predecessor. They are:

  • Reduced control count: ISO 27001:2022 presents 93 controls, a decrease from the 114 controls in ISO 27001:2013.
  • Revised control grouping: ISO 27001:2022 organizes these controls into 4 ‘themes’ instead of 14 domains: People (8 controls), Organizational (37 controls), Technological (34 controls), and Physical (14 controls).
  • Additions to controls: ISO 27001:2022 introduces 11 new controls.
  • Enhanced control categorization: the controls in ISO 27001:2022 now carry five attribute types for improved categorization.

CHANGES MADE IN THE ISO 27001 MANAGEMENT SYSTEM IN 2022

The mandatory clauses 4 through 10 have undergone relatively minor wording revisions to better conform to Annex SL, ISO 9001, ISO 14001, and other ISO management system standards. The number of controls has decreased from 114 to 93. Of the original controls, 35 remain unchanged, 23 have been renamed, and 57 have been merged into other controls. One control has been split into two separate controls. To address new IT and security trends, 11 new controls have also been added.

On August 15, 2021, ISO 27001:2022, the most recent revision, was made public. The primary differences between ISO 27001:2013 and ISO 27001:2022 are as follows:

  • Clause 4.2: Now includes item (c), which requires determining which of the interested parties’ requirements will be addressed through the ISMS.
  • Clause 4.4: Requires an organization to have an information security management system that is established, implemented, maintained, and continually improved.
  • Clause 5.3: Wording was added to clause 5.3 (organizational roles, responsibilities, and authorities) to make it clear that roles are communicated within the organization.
  • Clause 6.2: Item (d), which requires objectives to be monitored, was added to clause 6.2 (information security objectives and planning to achieve them).
  • Clause 6.3: New clause 6.3 (planning of changes) stipulates that any change to the ISMS must be carried out in a planned manner.
  • Clause 7.4: Item (e), which required establishing communication processes, was removed from clause 7.4 (communication).
  • Clause 8.1: Clause 8.1 (operational planning and control) now requires establishing criteria for security processes and carrying out activities in accordance with those criteria. The requirement to implement plans for achieving objectives was removed from the same clause.
  • Clause 9.3: New item 9.3.2 (c) in clause 9.3 (management review) makes it clear that input from interested parties must address their needs and expectations and be relevant to the ISMS.
  • Clauses 10.1 and 10.2: The subclauses of clause 10 (improvement) have been reordered so that the first is now continual improvement (10.1) and the second is now nonconformity and corrective action (10.2), although the wording of those clauses is unchanged.

Summary of Major Changes between ISO 27001:2013 and ISO 27001:2022

The majority of ISO 27001:2022’s changes are fairly minor and can be implemented quickly with small modifications to documentation and procedures. Enhancing risk assessment and management, offering more customization options, and emphasizing supply chain security are the key goals of the modifications.

CHANGES MADE IN ANNEX A SECURITY CONTROLS:

Changes made in annex

ISO/IEC 27001:2022 brings forth notable revisions to Annex A, resulting in substantial changes to both the quantity and arrangement of security controls. Alongside these updates, the title of the Annex has transitioned from “Reference control objectives and controls” to “Information security controls reference,” reflecting the revised approach.

One of the primary alterations is the reduction in the total count of Annex A controls, from 114 controls in the previous version to 93 controls in ISO/IEC 27001:2022. This reduction is primarily achieved through the consolidation of multiple controls. As a result, 35 controls have remained unchanged, while 23 controls have undergone renaming for improved clarity and alignment with industry terminology.

Significantly, 57 controls have been merged into 24 consolidated controls, aiming to streamline and eliminate redundancies. This consolidation facilitates a more efficient implementation process and improves the overall effectiveness of the controls. Additionally, one control has been split into two separate controls, further refining the granularity and specificity of the control set.

The restructured controls are now organized into four distinct control groups or sections, known as themes. These themes are people, organizational, technological, and physical. Each group encompasses controls related to specific aspects of information security, promoting a more organized and coherent control framework.

These revisions in ISO/IEC 27001:2022’s Annex A reflect a concerted effort to enhance the clarity, effectiveness, and adaptability of the standard’s control framework. By aligning with evolving industry practices and requirements, the updated controls provide improved usability and flexibility in implementing robust information security measures. These enhancements empower organizations to better address emerging threats and secure their information assets with greater confidence and efficiency.

New Security Controls:

  • Threat intelligence
  • Information security for the use of Cloud services
  • ICT readiness for business continuity
  • Physical security monitoring
  • Configuration management
  • Information deletion
  • Data masking
  • Data leakage prevention
  • Monitoring activities
  • Web filtering
  • Secure coding

CertPro offers comprehensive support to achieve ISO 27001 compliance.

CertPro is a reputable partner that helps businesses successfully achieve ISO 27001 compliance. CertPro provides a wide range of beneficial services thanks to their knowledge and experience. They carry out in-depth gap analyses to pinpoint areas that require improvement and create specialized action plans. CertPro leads organizations through the implementation process while ensuring compliance with ISO 27001 requirements. To empower staff members and foster a security-conscious culture, they offer rigorous training and awareness initiatives. Additionally, CertPro offers assistance with conducting risk analyses, setting up reliable information security procedures, and creating the relevant documentation. Through their thorough support, CertPro provides businesses with the resources and training necessary to effectively achieve ISO 27001 compliance.

FAQ

Are ISO 27001:2022's modifications major or minimal?

The key modifications to the standard are rather minor and may be rapidly adopted with minor changes to procedures and documentation. The controls in Annex A have undergone modest modifications, with some remaining the same, some getting new names, and a few new controls being introduced.

What separates ISO 27001:2022 from ISO 27001:2013?

The primary distinction is that ISO 27001:2022 places a greater focus on risk assessment and management. The revised edition incorporates criteria for supply chain security and gives firms more freedom to modify their information security management systems (ISMS).

Are the changes made to ISO 27001:2022 noteworthy?

While the majority of the standard has undergone relatively minor changes, the controls listed in Annex A have undergone more significant alterations, making them more noticeable. In any case, it is important to be aware of the changes made in ISO 27001:2022.

Is it necessary for organizations certified under ISO 27001:2013 to transition to ISO 27001:2022?

Yes. Organizations certified under the 2013 revision must transition in order to preserve their certification. Firms certified under ISO 27001:2013 must upgrade to ISO 27001:2022 before the end of their current certification period.

What new clauses are included in ISO 27001 2022?

The 2022 update to ISO 27001 contains a few minor adjustments to clause 7.4. The adjustments can be considered a simplification: the requirement to define the processes by which communication will be carried out has been removed and replaced with a requirement to determine how to communicate.

SUBBAIAH KU

About the Author

Subbaiah Ku is the Regional Director for CertPro in Oman, bringing a wealth of expertise in process and system auditing. As a seasoned lead assessor, Subbaiah is dedicated to ensuring the highest standards in compliance and security. His unique blend of technical acumen, rooted in Mechanical Engineering, is complemented by a diverse range of certifications and extensive training.
