The ISO 27001:2022 Update – Everything You Need To Know With Changes Listed

The release of the newly revised and renamed ISO 27001:2022 has been highly anticipated, although it doesn’t include any drastic changes from the previous version of the standard. The ISO 27001 new version was published on October 25, 2022; the last revision of the standard was back in 2013. 

Given the rapidly evolving nature of the digital world, it is somewhat surprising that ISO 27001 stood the test of time for 9 years, all the while being highly regarded as the standard in information security. This only serves to emphasize the stability and endurance of this international standard.

The Benefits of ISO 27001

“Amid the Fourth Industrial Revolution, systemic interdependence creates both downside costs of cyber-risk and holds a much greater upside value,” says Andreas Wolf, group leader of the experts that developed the standard. “The organizations that will lead us into the digital future are those that are not only vulnerable enough to admit they can’t do it alone but are also confident and savvy enough to realize that it’s better for businesses to not even attempt it.” 

To address these cybersecurity challenges, organizations must enhance their resilience and implement cyber risk mitigation techniques. Here are some of the benefits ISO/IEC 27001 offers your organization.

• Secure information in all forms, including non-digital hard copies, cloud-based and digital data 
• Increase cyber resilience
• Provide a centrally managed framework that consolidates all information in one place 
• Ensure overall protection, including against digital risks and other threats 
• Stay up to date and respond to evolving security threats 
• Invest in defense technologies that offer good ROI (return on investment) 
• Protect the integrity, confidentiality, and availability of data 

The ISO 27001 update 2022 specifies the requirements for establishing, implementing, maintaining, and continually monitoring and improving an ISMS (information security management system). The documentation also includes requirements for the assessment and strategy implementation of information security risks that apply generically to all organizations, large and small, across the globe, and in all industries. Claiming conformity to the ISO 27001 new standard requires compliance with mandatory clauses 4 to 10.

What Has Changed?

To keep up with the latest technology and security threats, the ISO/IEC 27002 was recently revised to continue to protect the three main tenets of an organization’s information assets: confidentiality, integrity, and availability. Much to the satisfaction of organizations that invested tremendous resources into compliance with the ISO 27001 standard, the new version does not require a complete overhaul of the certification process- far from it.

Briefly, the main ISO 27001 revisions include a major change of Annex A and minor updates of the mandatory clauses. Notably, the changes to Annex A are a reflection of the new version of ISO/IEC 27002 that has been published at the beginning of 2022. 

Also, the name of the standard has changed and is now titled ISO/IEC 27001:2022 Information Security, Cybersecurity and Privacy Protection.

Annex A Changes

The part that has undergone the most significant change is Annex A of ISO/IEC 27001 which is a replication of the ISO/IEC 27002:2022 Annex A updates, published earlier this year.

Annex A of ISO/IEC 27001:2022 contains changes in the number of controls and how they’re categorized into groups. 

The title of this Annex has also changed. Originally called “Reference control objectives and controls”, they are now referred to as “Information security controls reference”.

The number of Annex A controls has decreased from 114 to 93. 35 controls have remained the same, 23 controls were renamed, 57 controls were merged into 24 controls, and one control has been divided into two. In addition, 11 new controls were added to Annex A. We will list them below. 

In the 2013 version, the controls were categorized into 14 families. Now, the 93 controls have been restructured into four broader control groups or sections.

The Four New Control Groups

1. Organizational controls –  contains 37 controls
2. People controls – contains 8 controls
3. Physical controls – contains 14 controls
4. Technological controls – contains 34 controls

Some controls were removed by consolidating them into other controls. They include:

• Password management system
• Delivery and loading areas
• Unattended user equipment
• Policies for information security
• Protection of log information
• Removal of assets
• Handling of assets
• Restrictions on software installation
• Electronic messaging
• Securing application services on public networks
• System acceptance testing
• Technical compliance review
• Protecting application services transactions
• Ownership of assets
• Reporting information security weaknesses
• Mobile device policy

11 completely new controls were added to Annex A:

1. Threat intelligence
2. Information security for the use of cloud services
3. ICT readiness for business continuity
4. Physical security monitoring
5. Configuration management
6. Information deletion
7. Data masking
8. Data leakage prevention
9. Monitoring activities
10. Web filtering
11. Secure coding

The controls now also have five attributes to make them easier to categorize and describe:

• Control type 
• Information security properties
• Cybersecurity concepts 
• Operational capabilities 
• Security domains

ISO 27002 as a Reference to Annex A Controls

The problem with Annex A is that it only provides a brief overview of each control. While this is good for reference use, it’s not helpful when actively implementing the control.

That’s where ISO 27002 comes into the picture. It’s a supplementary standard and offers a detailed overview of information security controls. The 27002 standard dedicates about one page to each control, explaining how it works and how to implement it. The controls in Annex A of ISO 27001 align with the 93 security controls listed in the revised version of ISO 27002, published in February 2022.

Mandatory Clauses

As for other parts of the standard, mandatory clauses 4 to 10 have undergone several minor changes. Additional content was added to clauses 4.2, 6.2, 6.3, and 8.1. Other updates include minor changes in the terminology and word restructuring. However, the titles and grouping of these mandatory clauses remain the same:

List of Mandatory Clauses

• Clause 4- Context of the organization
• Clause 5- Leadership
• Clause 6- Planning
• Clause 7- Support
• Clause 8- Operation
• Clause 9- Performance evaluation
• Clause 10- Improvement

What Has Changed in the Mandatory Clauses?

• 4.4- Information security management system – This new clause requires that processes and “their interactions” are identified. You are required to identify the scope of relevant requirements of interested parties and determine which ones will be addressed through the ISMS.

• 6.2- Information security objectives – Objectives must be documented and made available as “documented information” for all stakeholders. This is a new section on the topic of planning changes to the ISMS, but it does not demonstrate a specific process.

• 8.1- Operational planning and control – This requirement replaces the original requirement to plan how to achieve information security objectives.  Organizations must now define criteria for operational processes and control those processes according to the criteria.

• 9- Performance evaluation – Methods to evaluate and monitor your controls should be comparable and reproducible so the organization can analyze trends. 

• 9.2- Internal audits – Internal assessments must cover all requirements of the organization, not only the ISO 27001 standard. 

Transition Period

According to ISO documentation, the transition to the new revision for companies that are already certified against ISO 27001:2013 needs to take place by October 31, 2025.  The transition deadline is fixed for any businesses certified before the update.

To update your information security management system you will need to update your risk treatment process with the new controls delineated in the above blog, update your statement of applicability, and update relevant sections of your current policies and procedures.

How will this affect organizations that are in the process of implementing ISO 27001 or haven’t started yet?

Certification bodies are unlikely to offer certification to ISO 27001:2022 for at least six months after the publication and ISO 27001:2013 will not be obsolete for another three years.  Any work you have done to implement ISO 27001:2013 has not been wasted.

At this point, you may wish to refer to the new Annex A controls from ISO 27001:2022 and conform to the newest publication of ISO 27001.

How to Achieve Compliance?

Organizations seeking to comply with the ISO/IEC 27001 must undergo certification audits and implement an extensive list of requirements. These mandatory requirements include ISMS scope definition, security policy definition, risk assessment process, evidence of competence, evidence of monitoring, evidence of audits, and many more.

The Centraleyes platform provides a unified approach to information security that streamlines and supports the process of achieving certification. With our prebuilt questionnaires and integrated tools, you will be able to take inventory of all your assets, assess their risks, and get certified as quickly as possible.

In addition, your organization will also gain full visibility of its cyber risk levels to fully prepare for the necessary audits. 

Book a demo today!