The information security management standard ISO 27001 and its companion standard ISO 27002 were updated in 2022.
This page explains the notable changes introduced by the new versions of ISO 27001 and ISO 27002, and how these changes affect organizations that are certified or planning to certify to ISO 27001.
What’s changed in ISO 27001?
ISO 27001:2022 is not significantly different from ISO 27001:2013, but there are some notable changes that align it better to other recent ISO management system standards:
Context and scope
You must now identify the “relevant requirements” of interested parties and determine which of those requirements will be addressed through the ISMS (information security management system).
The ISMS now explicitly includes the “processes needed and their interactions.”
Information security objectives must now be monitored and “be available as documented information.” This is in addition to retaining documented information on the objectives.
There is a new subclause on planning changes to the ISMS. This does not specify any processes that must be included, so you should determine how you can demonstrate that changes to your ISMS have indeed been planned.
The requirements to define who will communicate and the processes for effecting communication have been replaced by a slightly simplified requirement to define “how to communicate.”
The requirement to plan how to achieve information security objectives has been replaced by a requirement to establish criteria for processes to implement actions identified in Clause 6, and to control those processes in line with those criteria.
Organizations are now required to control “externally provided processes, products or services” relevant to the ISMS rather than just outsourced processes.
Annex A has been revised to align it with ISO 27002:2022. The Annex A controls are discussed in the section below.
What’s changed in ISO 27002?
First, the phrase “code of practice” has been dropped from the title of the updated ISO 27002 standard. This better reflects its purpose as a reference set of information security controls.
The 2022 Standard itself is significantly longer than the 2013 edition, and the controls have been reordered and updated. Some controls have been merged, while 11 have been added:
- Even though no controls have been removed, ISO 27002:2022 only lists 93 controls rather than ISO 27002:2013’s 114. This is due to the large number of merged controls (56 into 24).
- These controls are grouped into 4 ‘themes’ rather than 14 clauses. They are:
  - People (8 controls)
  - Organizational (37 controls)
  - Technological (34 controls)
  - Physical (14 controls)
- The completely new controls are:
  - Threat intelligence
  - Information security for use of cloud services
  - ICT readiness for business continuity
  - Physical security monitoring
  - Configuration management
  - Information deletion
  - Data masking
  - Data leakage prevention
  - Monitoring activities
  - Web filtering
  - Secure coding
- In ISO 27002, the controls now also have five types of ‘attribute’ to make them easier to categorize:
  - Control type (preventive, detective, corrective)
  - Information security properties (confidentiality, integrity, availability)
  - Cybersecurity concepts (identify, protect, detect, respond, recover)
  - Operational capabilities (governance, asset management, etc.)
  - Security domains (governance and ecosystem, protection, defence, resilience)
When can I achieve certification to ISO 27001:2022?
Certification bodies are already offering certification to ISO 27001:2022, and must offer certification to only the 2022 edition of ISO 27001 from April 30, 2024.
This means that you can achieve certification against ISO 27001:2013 until April 29, 2024. However, all ISO 27001:2013 certifications will expire or be withdrawn on October 31, 2025, irrespective of how long they have been in place. The IAF (International Accreditation Forum) confirms this timescale in its revised guidance document.
Can I implement the ISO 27001:2022 controls now?
Yes. In fact, we recommend you do, as we believe ISO 27001:2022 to be an improvement on the 2013 edition. For a start, it’s (unsurprisingly) better suited to today’s security landscape. It’s also much more comprehensive and provides clearer guidance on control selection and implementation. Furthermore, because the 2022 controls are identifiable by attribute, it’s easier to focus your selections. This could reduce the compliance burden or help you see how to better integrate your security processes, thereby making your ISMS easier to implement and manage.