The New ISO 27001:2022

Table of Contents

ISO 27001 is the international standard for information security management systems (ISMS). It provides a framework for organizations to identify, assess, and manage the risks to their information assets and implement appropriate controls to protect them. ISO 27001 is revised periodically to reflect the changing needs and expectations of the stakeholders and the evolving best practices in the field. The latest revision, ISO 27001:2022, was published in October 2021 and replaces the previous version, ISO 27001:2013. In this blog post, we will highlight some of the main differences between the two versions and what they mean for your organization.

ISO27001:2022 Structure

The structure of ISO 27001:2022 is aligned with the common high-level structure (HLS) that applies to all ISO management system standards. This makes it easier to integrate ISO 27001 with other standards, such as ISO 9001 (quality management) or ISO 14001 (environmental management). The HLS consists of 10 clauses that cover the following topics:

1. Scope
2. Normative references
3. Terms and definitions
4. Context of the organization
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance evaluation
10. Improvement

Structural differences - ISO27001:2013 to ISO27001:2022

ISO 27001: 2013 had a similar structure, but with some differences in the numbering and wording of the clauses. For example, clause 4 was “Context of the organization” in ISO 27001:2013, but it is now “Understanding the organization and its context” in ISO 27001:2022. Clause 6 was “Planning” in ISO 27001:2013, but it is now “Planning for the ISMS” in ISO 27001:2022.

Another difference between ISO 27001:2022 and ISO 27001:2013 is the introduction of new concepts and requirements that reflect the current trends and challenges in information security. Some of these are:

• The concept of interested parties, which are individuals or organizations that can affect or be affected by the ISMS. The organization needs to identify and communicate with these parties and consider their needs and expectations when establishing and maintaining the ISMS.
• The concept of information security opportunities, which are positive outcomes that can be achieved by implementing information security controls or improving information security performance. The organization needs to identify and pursue these opportunities as part of its risk management process.
• The requirement to consider human behavior and competence when designing and implementing information security controls. The organization needs to ensure that its personnel have the necessary skills, knowledge, and awareness to perform their roles and responsibilities related to information security.
• The requirement to establish an information security culture within the organization that supports the ISMS objectives and values. The organization needs to promote a positive attitude and behavior towards information security among its personnel and interested parties.
• The requirement to monitor and measure the effectiveness and efficiency of the ISMS using appropriate indicators and methods. The organization needs to collect and analyze data on its information security performance and evaluate its achievement of the ISMS objectives.
• The requirement to continually improve the ISMS by identifying and implementing corrective actions, preventive actions, and opportunities for improvement. The organization needs to review its ISMS at planned intervals and take actions to address any gaps or weaknesses.

Annex A - additional categories

One of the most noticeable changes between ISO 27001:2022 and ISO 27001:2013 is the update of Annex A, which contains a list of information security controls that can be implemented by organizations as part of their ISMS. Annex A has been restructured and expanded from 114 controls in 14 categories in ISO 27001:2013 to 130 controls in 18 categories in ISO 27001:2022. Some of the new or revised categories are:

• A.7 Human resource security
• A.8 Asset management
• A.9 Access control
• A.10 Cryptography
• A.11 Physical and environmental security
• A.12 Operations security
• A.13 Communications security
• A.14 System acquisition, development, and maintenance
• A.15 Supplier relationships
• A.16 Information security incident management
• A.17 Information security aspects of business continuity management
• A.18 Compliance
• A.19 Information security governance
• A.20 Information security risk management
• A.21 Information security audit
• A.22 Information security awareness, education, and training
• A.23 Information security innovation
• A.24 Outsourcing

Why upgrade to ISO27001:2022 ?

The new or revised controls cover topics such as cloud computing, mobile devices, biometric authentication, encryption algorithms, malware protection, software development lifecycle, supplier agreements, incident response plans, business continuity strategies, governance structures, risk assessment methods, audit programs, awareness campaigns, innovation processes, and outsourcing arrangements.

The changes between ISO 27001:2022 and ISO 27001:2013 are significant but not radical. They aim to make the standard more relevant, flexible, and user-friendly for organizations of different sizes, sectors, and contexts. Organizations that are already certified to ISO 27001:2013 have a transition period of three years to migrate to ISO 27001:2022. Organizations that are planning to implement or certify to ISO 27001 should use the latest version of the standard to ensure compliance and alignment with the best practices in information security management.