
ISO 27001 Transition: What’s New, What’s Changed, and What You Need to Know from 2013 to 2022

14th Mar, 2023

“It takes 20 years to build a reputation and a few seconds of a cyber-incident to ruin it.” –

Stephane Nappo

In the digital age, protecting sensitive and confidential information is more critical than ever. Cyber attacks, data breaches and other security incidents have become more frequent, causing businesses both reputational and financial loss. To address these risks, the International Organization for Standardization (ISO), together with the International Electrotechnical Commission (IEC), maintains ISO/IEC 27001, the standard that specifies the requirements for an Information Security Management System (ISMS). The latest version, ISO/IEC 27001:2022, was published on 25 October 2022.

In this blog, we will explore the changes and updates in ISO 27001:2022.

Changes made in Mandatory Clauses

The latest version of ISO 27001 includes several changes and updates that organizations need to consider when transitioning their existing ISMS to the new version.

Here are the notable changes in ISO 27001:2022. Taken clause by clause, there are no major changes to the mandatory clauses (4 to 10); most of the changes are in Annex A.

Clause wise :

Clause 4 – Context of the organization: Clause 4.2 now requires the organization to determine which of the requirements of its interested parties will be addressed through the ISMS, and clause 4.4 now requires the processes needed for the ISMS, and their interactions, to be established, implemented, maintained and continually improved as part of the ISMS.

Clause 5 – Leadership: Only a minor wording change: clause 5.3 now states that the roles, responsibilities and authorities for information security are assigned and communicated within the organization. Top management’s responsibility for establishing, implementing, maintaining and continually improving the ISMS is unchanged.

Clause 6 – Planning: The risk assessment (6.1.2) and risk treatment (6.1.3) requirements are essentially unchanged: the organization must still identify, analyse and evaluate its information security risks, select treatment options and the controls needed, compare those controls with Annex A to check nothing has been omitted, and produce a Statement of Applicability and a risk treatment plan. What is new is in 6.2, where information security objectives must now be monitored and be available as documented information, and in the new clause 6.3, Planning of changes, which requires changes to the ISMS to be carried out in a planned manner.

Clause 7 – Support: The requirements on resources, competence and awareness are essentially unchanged. Clause 7.4 (Communication) has been simplified: the organization determines what to communicate, when, with whom and how; the 2013 items “who shall communicate” and “the processes by which communication shall be effected” have been dropped.

Clause 8 – Operation: Clause 8.1 now requires the organization to establish criteria for its ISMS processes and to control those processes in accordance with the criteria. It also broadens the 2013 requirement on outsourced processes: externally provided processes, products or services that are relevant to the ISMS must be controlled. The detailed supplier and supply-chain requirements (supplier agreements, the ICT supply chain, monitoring and review of supplier services) live in Annex A controls 5.19 to 5.22 rather than in clause 8, and incident management (5.24 to 5.28) and privacy and protection of PII (5.34) are likewise Annex A controls, not new clause 8 requirements.

Clause 9 – Performance evaluation: Clause 9.1 now states, as a requirement rather than a note, that the monitoring and measurement methods selected must produce comparable and reproducible results to be considered valid. Clauses 9.2 (Internal audit) and 9.3 (Management review) have been split into sub-clauses, and the management review inputs now explicitly include changes in the needs and expectations of interested parties that are relevant to the ISMS.

Clause 10 – Improvement: The content is unchanged but reordered: 10.1 is now Continual improvement and 10.2 is Nonconformity and corrective action.

Changes in Annex A :

Annex A has changed substantially, mostly through restructuring:

  • There are now 93 controls, down from 114 in the 2013 version.
  • The 2013 version grouped the controls into 14 domains; the 2022 version groups them into just 4 themes.
  • No controls were deleted: the reduction comes from merging overlapping 2013 controls.
  • 11 new controls have been added.
  • Several clauses and notes make it clear that the Annex A controls are not exhaustive. Use them as a baseline, and look at your own environment to identify any further controls your risks require.
  • Eliminating the overlap and repetition makes the control set more concise and simpler to implement.

The new themes and control counts of ISO/IEC 27002:2022 (mirrored in Annex A of ISO/IEC 27001:2022) are:

  • Section 5: Organizational (37 controls)
  • Section 6: People (8 controls)
  • Section 7: Physical (14 controls)
  • Section 8: Technological (34 controls)

Summarised as a whole: 35 controls are unchanged, 23 were renamed, 57 were merged to form 24, and 11 new controls were added (35 + 23 + 24 + 11 = 93). The 11 new controls, with their section numbers, are:

  • 5.7   Threat intelligence
  • 5.23  Information security for use of cloud services
  • 5.30  ICT readiness for business continuity
  • 7.4   Physical security monitoring
  • 8.9   Configuration management
  • 8.10  Information deletion
  • 8.11  Data masking
  • 8.12  Data leakage prevention
  • 8.16  Monitoring activities
  • 8.23  Web filtering
  • 8.28  Secure coding

Each control now also carries five types of ‘attribute’ that make the controls easier to categorise and filter, for example when mapping them to another framework or building a view for a particular audience:

  • Control type (preventive, detective, corrective)
  • Information security properties (confidentiality, integrity, availability)
  • Cyber security concepts (identify, protect, detect, respond, recover)
  • Operational capabilities (governance, asset management, etc.)
  • Security domains (governance and ecosystem, protection, defence, resilience)

Key benefits of changes:

The changes made to the ISO 27001 standard in its 2022 version provide several benefits to organizations that adopt the new standard. Some of the key benefits are:

  • Enhanced risk management: The new version of the standard places greater emphasis on the risk-based approach which ensures that organizations allocate their resources to where they are most needed, making the information security management process more efficient and effective.
  • Increased flexibility: The new standard provides greater flexibility in how organizations can implement the standard, allowing organizations to tailor the standard to their specific needs and context.
  • Improved alignment with other standards: The new version of the standard is more closely aligned with other ISO management system standards, such as ISO 9001 and ISO 14001. This alignment makes it easier for organizations to integrate their information security management with other management systems, enhancing overall organizational performance.
  • Improved communication: The new standard places greater emphasis on communication and collaboration, both within the organization and with external stakeholders. This emphasis on communication ensures that everyone involved in the information security management process is on the same page, improving overall information security governance and reducing the risk of information security incidents.
  • Increased emphasis on supply chain security: The new version places greater emphasis on supply chain security, ensuring that organizations identify and manage the information security risks associated with their supply chain partners.

Timeline for the transition process:

Existing ISO/IEC 27001:2013 certificates remain valid during the transition period, but they expire or are withdrawn at its end.

Based on the International Accreditation Forum guidance IAF MD 26, “Transition requirements for ISO/IEC 27001:2022”, the transition to ISO 27001:2022 must be completed by 31 October 2025. That leaves enough time to study and implement the changes, and at the time of writing certification bodies had not yet started certifying against the new requirements.

For recertification, the best time to start the implementation is before your next internal audit.

An internal audit against ISO 27001:2022 is a detailed assessment of your organization’s ISMS to confirm that it meets the new standard’s requirements and that its controls are effectively implemented. It should also verify that your documentation (including a Statement of Applicability updated to the 2022 Annex A), your implementation and your evidence meet the new certification requirements.

How 4C Can Help Your Organization with the Transition to ISO 27001:2022

To help your organization realise the benefits of ISO 27001:2022, our team of certified consultants provides consulting as well as training. Our experts at 4C have helped 150+ clients gain international recognition, credibility and trust from their customers, backed by 5000+ training hours. For implementation and transition of ISO 27001 certification in your organization, contact us now.