What is the difference between ISO 27001:2013 and ISO 27001:2022?

After 9 years, ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) finally reviewed and revised the ISO 27001 and published the new standard in October 2022. This third edition of ISO 27001 cancels and replaces the second edition (ISO/IEC 27001:2013)

As expected, the standard text has been aligned with the harmonized structure for management system standards and ISO/IEC 27002:2022.

First change, the standard has a new name!

Compared with the old edition, the number of controls in ISO/IEC 27002:2022 decreases from 114 controls in 14 domains to 93 controls in 4 domains. For the controls in ISO/IEC 27002:2022, 11 controls are new, 24 controls are merged from the existing controls, and 58 controls are updated. Moreover, the control structure is revised, which introduces “attribute” and “purpose” for each control and no longer uses “objective” for a group of controls.

Summary of changes in new ISO 27001 – Part 1; Management System Requirements

The title and order of standard clauses (4-10) remain the same, in line with the HLS requirements. However, there are several minor changes introduced, especially in clauses 4.2, 6.2, 6.3, 8.1 and 9.3.2 where additional new requirements have been added. There are also other updates including some changes in the terminology rephrasing.

4.2 Understanding the needs and expectations of interested parties

Added: C) Requirements of interested parties shall be addressed through the information security management system.

6.2 Information security objectives and planning to achieve them

Added: The information security objectives shall be d) be monitored and g) be available as documented information.

6.3 Planning of changes (new clause)

New clause added: “When the organization determines the need for changes to the information security management system, the changes shall be carried out in a planned manner.”

8.1 Operational planning and control

Added: Establishing criteria for the processes

Added: Implementing control of the processes in accordance with the criteria

Changed: The organization shall ensure that externally provided processes, products or services that are relevant to the information security management system are controlled.

  • “Outsourced” has been replaced by “externally provided”
  • “Products or services” has been added to the requirements

9.1 Monitoring, measurement, analysis and evaluation

Added: The organization shall evaluate the information security performance and the effectiveness of the information security management system.

9.3 Management review

Added: (input for management review) c) changes in needs and expectations of interested parties that are relevant to the information security management system.

Summary of changes – Part 2; Annex A controls

Following ISO 27002:2022, ISO 27001:2022 also lists 93 controls rather than previous 114. In the new and improved version of ISO/IEC 27001, controls are grouped into 4 categories instead of previous 14 clauses. They are:

  1. Organizational, 37 controls,
  2. People, 8 controls,
  3. Physical 14 controls, and
  4. Technological, 34 controls

Annex A of the new ISO/IEC 27001:2022 version now includes a total of 93 controls, of which the following 11 controls are new:

5.7 Threat Intelligence
5.23 Information security for the use of cloud services
5.30 ICT readiness for business continuity
7.4 Physical security monitoring
8.9 Configuration management
8.10 Deletion of information
8.11 Data masking
8.12 Data leak prevention
8.16 Activity monitoring
8.23 Web filtering
8.28 Secure coding

The controls need to be considered in the light of ISO 27002:2022, as each control is assigned five attributes that needs review of different views and perspectives for each of them. The five attributes are:

  1. Control type (Preventive, Detective, Corrective)
  2. Information security properties (CIA)
  3. Cybersecurity concepts (Identify, Protect, Detect, Respond and Recover)
  4. Operational capabilities
  5. Security domains

GCC Transition policy and timelines for upgrading to ISO 27001:2022

  • GCC has already updated its policy and procedures, educated staff and auditors and established its transition arrangement for ISO/IEC 27001:2022 considering the requirements of IAF MD 26:2022 – TRANSITION REQUIREMENTS FOR ISO/IEC 27001:2022 and the transition arrangement of the JAS-ANZ
  • GCC has already started providing certification according to ISO/IEC 27001:2022 in line with JAS-ANZ transition policy
  • GCC will not offer ISO 27001:2013 certification to the new clients after April 2024.
  • The transition audit may be conducted during the surveillance audit, recertification audit or through a separate audit.
  • All ISO 27001 certified clients must upgrade to new version within 36 months from publishing of the new ISO 27001.
  • All certificates of ISO/IEC 27001:2013 will be withdrawn at the end of the transition period, October 2025.

How to get prepared for ISO 27001:2002 Certification? How to get a copy of ISO 27001:2022?

  • Purchase a copy of the new ISO 27001 standard and identify organisational gaps which need to be addressed to meet new requirements (You can get a copy of ISO 27001 here)
  • If you need an ISO 27001:2022 Checklist, contact GCC office and get a free checklist.
  • Develop an implementation plan
  • Update the statement of applicability (SoA)
  • Update the risk treatment plan (if required)
  • Implement the new or changed controls
  • Provide appropriate training and awareness for all parties that have an impact on the effectiveness of the organisation
  • Update the existing management system to meet the revised requirements and provide verification of effectiveness
  • Liaise with GCC for ISO 27001:2022 transition arrangements

Global Compliance Certification – Straightforward ISO certification for your business

From your initial application to maintaining your certification, GCC makes it easy to receive ISO 27001 certification and all the associated benefits for your business. Our clients find us professional, open communicators, and we pride ourselves on delivering a smooth, informative audit and certification experience. Get started with a quote today if you’re ready to give your business an edge over the competition. In less than a minute, you’ll be on your way to ISO certification for your small business.

Read More:

  • What is ISO 27701? Can I get ISO 27701 certification along with ISO 27001? Read here.
  • Getting certified under the DESE Information Security Management Systems. Read here.
  • Why is ISO 27001 important? Read here.