ISO 27001 and ISO 27002 2022 updates

The information security management standard ISO 27001 and its companion standard ISO 27002 were updated in 2022.

 Buy your copy of ISO 27001:2022 here

 Buy your copy of ISO 27002:2022 here

This page explains the notable changes introduced by the new versions of ISO 27001 and ISO 27002, and how these changes affect organizations that are certified or planning to certify to ISO 27001.

 Learn more about implementing ISO 27001

What’s changing in ISO 27001?

ISO 27001:2022 is not significantly different from ISO 27001:2013, but there are some notable changes:

• Context and scope

  You must now identify the “relevant requirements” of interested parties and determine which of those requirements will be addressed through the ISMS (information security management system).

  The ISMS now explicitly includes the “processes needed and their interactions.”

• Planning

  Information security objectives must now be monitored and made “available as documented information.” This is in addition to retaining documented information on the objectives.

  There is a new section on planning changes to the ISMS. This does not specify any processes that must be included, so you should determine how you can demonstrate that changes to your ISMS have indeed been planned.

• Support

  The requirements to define who will communicate and the processes for effecting communication have been replaced by a slightly simplified requirement to define “how to communicate.”

• Operation

  The requirement to plan how to achieve information security objectives has been replaced by a requirement to establish criteria for processes to implement actions identified in Clause 6, and to control those processes in line with those criteria.

  Organizations are now required to control “externally provided processes, products or services” relevant to the ISMS rather than just outsourced processes.

• Performance and evaluation

  Methods of monitoring, measuring, analyzing, and evaluating the effectiveness of the ISMS now need to be comparable and reproducible. This was previously just a note, not a requirement of the Standard.

  The management review must now also consider changes in the needs and expectations of interested parties.

• Annex A

  Annex A has been revised to align it with ISO 27002:2022. The Annex A controls are discussed in the section below.

What’s changing in ISO 27002?

First, the phrase “code of practice” has been dropped from the title of the updated ISO 27002 standard. This better reflects its purpose as a reference set of information security controls.

The Standard itself is significantly longer than the previous version (159 vs 94 pages), and the controls have been reordered and updated. Some controls have been merged or removed, and some have been added:

• ISO 27002:2022 lists 93 controls rather than ISO 27002:2013’s 114.
• These controls are grouped into 4 ‘themes’ rather than 14 clauses. They are:
  • People (8 controls)
  • Organizational (37 controls)
  • Technological (34 controls)
  • Physical (14 controls)
• The completely new controls are:
  • Threat intelligence
  • Information security for use of cloud services
  • ICT readiness for business continuity
  • Physical security monitoring
  • Configuration management
  • Information deletion
  • Data masking
  • Data leakage prevention
  • Monitoring activities
  • Web filtering
  • Secure coding
• The controls now also have five types of ‘attribute’ to make them easier to categorize:
  • Control type (preventive, detective, corrective)
  • Information security properties (confidentiality, integrity, availability)
  • Cybersecurity concepts (identify, protect, detect, respond, recover)
  • Operational capabilities (governance, asset management, etc.)
  • Security domains (governance and ecosystem, protection, defence, resilience)

How will this affect organizations implementing ISO 27001?

Certification bodies are unlikely to offer certification to ISO 27001:2022 for at least six months after the Standard’s publication and ISO 27001:2013 will not be retired for another three years, so there is no need to worry that any work you have done to implement ISO 27001:2013 has been wasted.

Depending on how far your ISO 27001:2013 implementation project has progressed, you may wish to use the new Annex A controls from ISO 27001:2022 as an alternative control set, although you will still need to compare these with the 2013 Annex A controls in your SoA (Statement of Applicability). As ISO 27002:2022 has an annex that compares its controls with the 2013 iteration of the Standard, this should be relatively straightforward.

Before renewing your ISO 27001 certification after three years, you will need to transition your ISMS to comply with the 2022 iteration of the Standard. We have everything you need to implement an ISO 27001-compliant ISMS and achieve certification to the Standard

  Learn more about implementing ISO 27001

What does this mean for organizations that are already certified to ISO 27001:2013?

There is a three-year transition period for certified organizations to revise their ISMS to conform to the new version of ISO 27001, so there is plenty of time for you to make the necessary changes. However, some certification bodies might stop offering certification to the 2013 iteration of the Standard before that point, so it is worth checking if you need to transition earlier.

It is inadvisable to leave it until the last minute to meet your new obligations, so if you are due to renew your certification during the transition period, you could work against the new control set.

One advantage of implementing the new controls is that, because they are identifiable by attribute, it is easier to focus your selections. This could reduce the compliance burden or help you see how to better integrate your security processes, thereby making your ISMS easier to implement and manage.

We have everything you need to implement an ISO 27001-compliant ISMS and achieve certification to the Standard.

  Learn more about implementing ISO 27001