ISO/IEC 27001:2022 | Information Security Management System
ISO 27001:2013 has been changed become ISO/IEC 27001:2022 (Information Security, Cyber Security and Privacy Protection — Information Security Management Systems — Requirements) on 25 October 2022. This is an international standard specifically structured on information's process of protection of information to ensure some of the following:
- Secrecy (confidentiality): ensuring that information can only be accessed by those who have the authority.
- Integrity (integrity): ensure that the information remains accurate and complete and that the information is not modified without explicit authorization.
- Availability (availability): ensuring that information is accessible to those who have the authority when needed.
Transition changes from Version 2013 to 2022
The text of the mandatory clauses 4 through 10 has changed only slightly, mainly to align with ISO 9001, ISO 14001, and other ISO management standards, and with Annex SL.
Overview of the changes in ISO 27001:2022:
- Clause 4.2 (Understanding the needs and expectations of interested parties), item (c) was added requiring an analysis of which of the interested party requirements must be addressed through the ISMS.
- Clause 4.4 (Information security management system), a phrase was added requiring planning for processes and their interactions as part of the ISMS.
- Clause 5.3 (Organizational roles, responsibilities and authorities), a phrase was added to clarify that communication of roles is done internally within the organization.
- Clause 6.2 (Information security objectives and planning to achieve them), item (d) was added that requires objectives to be monitored.
- Clause 6.3 (Planning of changes) was added, requiring that any change in the ISMS needs to be done in a planned manner.
- Clause 7.4 (Communication), item (e) was deleted, which required setting up processes for communication.
- Clause 8.1 (Operational planning and control), new requirements were added for establishing criteria for security processes, and for implementing processes according to those criteria. In the same clause, the requirement to implement plans for achieving objectives was deleted.
- Clause 9.3 (Management review), the new item 9.3.2 c) was added that clarifies that inputs from interested parties need to be about their needs and expectations, and relevant to the ISMS.
- Clause 10 (Improvement), the subclauses have changed places, so the first one is Continual improvement (10.1), and the second one is Nonconformity and corrective action (10.2), while the text of those clauses has not changed.
Changes in Annex A security controls
The changes in Annex A are only moderate because most of the controls have either stayed the same (35 of them) or have only been renamed (23). Another 57 controls were merged, which has reduced the number of controls, but the requirements within those controls remained almost the same.
11 new controls introduced in the ISO 27001:2022:
- A.5.7 - Threat intelligence
- A.5.23 - Information security for use of cloud services
- A.5.30 - ICT readiness for business continuity
- A.7.4 - Physical security monitoring
- A.8.9 - Configuration management
- A.8.10 - Information deletion
- A.8.11 - Data masking
- A.8.12 - Data leakage prevention
- A.8.16 - Monitoring activities
- A.8.23 - Web filtering
- A.8.28 - Secure coding
According to the document “Transition requirements for ISO/IEC 27001:2022” from the International Accreditation Forum (IAF), for companies that are already certified against ISO 27001:2013, the transition to ISO 27001:2022 needs to be completed by 31 October 2025 and must start certifying companies against ISO 27001:2022 latest by 31 October 2023.
If you already implemented the old version 2013, and want to make a transition to the 2022 , please feel free to contact our team.
Audit, certification and verification services are well known in the marketplace as a benchmark for assurance, giving you the confidence you need to access new markets and establish new business.
The ISO Strategy outlines our priorities for the next five years. It provides guidance and strategic direction, helping us to respond to a future where constant change will require us to continually improve the ISO system. It is a living document, and strategic directions are adjusted as required.
Sustainability standards and certifications are voluntary, usually third party-assessed, norms and standards relating to environmental, social, ethical and food safety issues, adopted by companies to demonstrate the performance of their organizations or products in specific areas.
There are perhaps up to 500 such standards and the pace of introduction has increased in the last decade.
71-75 Shelton Street, Covent Garden, London,
WC2H 9JQ - UK
+44 203 8688 511
+44 7833 3030 93
1 Scotts Road, #24-10,
+65 6591 8694
+65 8209 2100
South Quarter Tower
18th Floor - Suite 1801,
+62 811 358 1818