Technology changes fast. A decade in technology is a long time. While there are many considerations to be made for each organization, it’s generally a good idea to begin working towards ISO 27001:2022 adoption, now.
Considering the small number of major changes, it should not require a major effort for organizations already certified against the 2013 standard. However, the latest an organization can certify against ISO 27001:2013 is October 31, 2023, and the deadline to fully transition to the ISO 27001:2022 standard is October 31, 2025.
Let’s look at some of the key differences between the 2013 and 2022 versions of the standard and address some of the new requirements that will need to be met to attain and retain an ISO 27001:2022 certification.
Key Differences Between ISO 27001:2013 and ISO 27001:2022
The biggest differences between the 2013 and 2022 versions are as follows:
- The total number of controls has decreased from 114 to 93.
- The number of sections for controls has decreased from 14 to 4.
- The controls in 2022 are broken down as follows:
- 35 were left unchanged from 2013.
- 23 were renamed from 2013.
- 57 were merged from 2013 into 24 in 2022.
- 1 was split from a single control in 2013 into 2 controls in 2022.
- 11 are new to 2022.
- 0 were removed.
- Very few changes were made to Clauses 4-10, with most simply being slight changes to terminology and sentence structure. In the next section we’ll talk through the new content that was added to clauses 4.2, 6.2, 6.3, and 8.1, which should be reviewed in detail.
What’s New in 2022?
The new sections of controls are as follows:
- A.5 Organizational controls – 37 controls
- A.6 People controls – 8 controls
- A.7 Physical controls – 14 controls
- A.8 Technological controls – 34 controls
As mentioned above, there are 11 new controls in the 2022 version. A summary of each one is as follows:
- A.5.7 Threat Intelligence
- A.5.23 Information Security for use of cloud services
- A.5.30 ICT readiness for business continuity
- A.7.4 Physical security monitoring
- A.8.9 Configuration management
- A.8.10 Information deletion
- A.8.11 Data masking
- A.8.12 Data leakage prevention
- A.8.16 Monitoring activities
- A.8.23 Web filtering
- A.8.28 Secure coding
Additionally, changes were made in clauses 4-10, as summarized below:
- Clause 4.4 (Information security management system) – Text added requiring planning for processes and their interactions as part of the ISMS.
- Clause 5.3 (Organizational roles, responsibilities, and authorities) – Text added clarifying that communication of roles is done internally within the organization.
- Clause 6.2 (Information security objectives and planning to achieve them) – Item (d) added, which requires objectives to be monitored.
- Clause 6.3 (Planning of changes) – An added clause, which requires any change to the ISMS be done in a planned manner.
- Clause 7.4 (Communication) – Item (e) deleted, which required setting up processes for communication.
- Clause 8.1 (Operational planning and control) – New requirements added for establishing criteria for security processes and implementing processes according to those criteria. Additionally, the requirement to implement plans for achieving objectives has been deleted.
- Clause 9.3 (Management review) – New item 9.3.2 c) added that clarifies that inputs from interested parties must be about their needs and expectations, and relevant to the ISMS.
- Clause 10 (Improvement) – The two subclauses have been flipped. Continual improvement is now 10.1 and Nonconformity and corrective action is now 10.2, with the text of each staying the same.
Now that we’ve covered the new material in ISO 27001:2022 and the differences which will need to be covered to certify against the new version of the standard, reach out to us so we can help assess your organization’s current state evaluated against ISO 27001 certification and provide a roadmap to get you certified. If you’re already certified, Seiso can assist in implementing the new requirements in 2022 to get your organization over to the new standard as well.