ISO/IEC 27001:2022 | Information Security Management System

ISO/IEC 27001:2022 | Information Security Management System

ISO 27001:2013 has been changed become ISO/IEC 27001:2022 (Information Security, Cyber Security and Privacy Protection — Information Security Management Systems — Requirements) on 25 October  2022. This is an international standard specifically structured on information's process of protection of information to ensure some of the following:

• Secrecy (confidentiality): ensuring that information can only be accessed by those who have the authority.
• Integrity (integrity): ensure that the information remains accurate and complete and that the information is not modified without explicit authorization.
• Availability (availability): ensuring that information is accessible to those who have the authority when needed.

Transition changes from Version 2013 to 2022

The text of the mandatory clauses 4 through 10 has changed only slightly, mainly to align with ISO 9001, ISO 14001, and other ISO management standards, and with Annex SL.

Overview of the changes in ISO 27001:2022:

• Clause 4.2 (Understanding the needs and expectations of interested parties), item (c) was added requiring an analysis of which of the interested party requirements must be addressed through the ISMS.
• Clause 4.4 (Information security management system), a phrase was added requiring planning for processes and their interactions as part of the ISMS.
• Clause 5.3 (Organizational roles, responsibilities and authorities), a phrase was added to clarify that communication of roles is done internally within the organization.
• Clause 6.2 (Information security objectives and planning to achieve them), item (d) was added that requires objectives to be monitored.
• Clause 6.3 (Planning of changes) was added, requiring that any change in the ISMS needs to be done in a planned manner.
• Clause 7.4 (Communication), item (e) was deleted, which required setting up processes for communication.
• Clause 8.1 (Operational planning and control), new requirements were added for establishing criteria for security processes, and for implementing processes according to those criteria. In the same clause, the requirement to implement plans for achieving objectives was deleted.
• Clause 9.3 (Management review), the new item 9.3.2 c) was added that clarifies that inputs from interested parties need to be about their needs and expectations, and relevant to the ISMS.
• Clause 10 (Improvement), the subclauses have changed places, so the first one is Continual improvement (10.1), and the second one is Nonconformity and corrective action (10.2), while the text of those clauses has not changed.

Changes in Annex A security controls

The changes in Annex A are only moderate because most of the controls have either stayed the same (35 of them) or have only been renamed (23). Another 57 controls were merged, which has reduced the number of controls, but the requirements within those controls remained almost the same. 

11 new controls introduced in the ISO 27001:2022:

• A.5.7 - Threat intelligence
• A.5.23 - Information security for use of cloud services
• A.5.30 - ICT readiness for business continuity
• A.7.4 - Physical security monitoring
• A.8.9 - Configuration management
• A.8.10 - Information deletion
• A.8.11 - Data masking
• A.8.12 - Data leakage prevention
• A.8.16 - Monitoring activities
• A.8.23 - Web filtering
• A.8.28 - Secure coding

Transition period

According to the document “Transition requirements for ISO/IEC 27001:2022” from the International Accreditation Forum (IAF), for companies that are already certified against ISO 27001:2013, the transition to ISO 27001:2022 needs to be completed by 31 October  2025 and must start certifying companies against ISO 27001:2022 latest by 31 October 2023.

If you already implemented the old version 2013, and want to make a transition to the 2022 , please feel free to contact our team.