One of the main differences between ISO/IEC 27001:2022 and ISO/IEC 27001:2013 is that ISO/IEC 27001:2022 includes a new risk assessment process that is based on the ISO 31000 risk management standard. This updated risk assessment process is more flexible and adaptable than the one used in ISO/IEC 27001:2013, and it allows organizations to tailor their risk management strategies to their specific needs and circumstances.

ISO/IEC 27001:2022 includes the same number of clauses as ISO/IEC 27001:2013, but the text has changed slightly. The changes help align ISO/IEC 27001 with other ISO management standards. Significant changes largely revolve around planning and defining process criteria, as well as monitoring standards. Specifically:

Clause 4.2 Understanding the Needs and Expectations of Interested Parties: A new subclause was added requiring an analysis of which of the interested party requirements are going to be addressed through the ISMS.

Clause 4.4 Information Security Management System: New language was added, which requires organizations to identify necessary processes and their interactions within the ISMS. Essentially the ISMS must include the processes underpinning the ISMS, not just the ones specifically called out in the Standard.

Clause 6.2 Information Security Objectives and Planning to Achieve Them: Now includes additional guidance on the information security objectives. This gives more clarity about how objectives should be monitored regularly and formally documented.

Clause 6.3 Planning of Changes: This clause was added to set a standard around planning for changes. It states that if changes are needed to the ISMS, they shall be adequately planned and reviewed before implementation.

Clause 8.1 Operational Planning and Control:  It has additional guidance for operational planning and control. The ISMS now needs to establish criteria for actions identified in Clause 6 and control those actions under the criteria.

Additional minor changes include:

Clause 5.3 Organizational Roles, Responsibilities, and Authorities: A minor update to the language clarified that communication of roles relevant to information security is to be communicated within the organization.

Clause 7.4 Communication: Subclauses a-c remain the same. But subclauses d (who should communicate) and e (the process by which communication should be affected) have been simplified and combined into a newly renamed subclause d (how to communicate).

Clause 9.2 Internal Audit: This clause was changed, but not materially. It essentially just combined what already existed between Clause 9.2.1 and 9.2.2 into one section.

Clause 9.3 Management Review: A new item was added to clarify that the organization’s management review shall include consideration of any changes to the needs and expectations of interested parties.

Clause 10 Improvement: Structural changes to this clause now list Continual Improvement (10.1) first, and Nonconformity and Corrective Action (10.2) second.

In ISO 27001:2022 structural changes were made to the Annex A controls. Control groups have been reorganized and the overall number of controls has decreased.

At a high level:

11 new controls were introduced

57 controls were merged

23 controls were renamed

3 controls were removed

In ISO 27001:2013, controls were organized into 14 different domains. In the new update, controls are placed into the following four themes instead:

People control (8 controls)

Organizational controls (37 controls)

Technological controls (34 controls)

Physical controls (14 controls)

The nomenclature change promotes a better understanding of how Annex A controls help secure information. The previous domain names were written for IT professionals rather than management. Companies will need to update their Statement of Applicability to match this new structure, as they look to achieve certification under ISO 27001:2022.

Additional attribute values were also added to better describe the Annex A controls and help categorize them, but these are only available in ISO 27002.

The largest change within Annex A is around the 11 new controls which were introduced. Organizations that are currently certified under ISO 27001:2013 will need to ensure proper processes are in place to meet these new requirements or will need to create new processes to incorporate these controls into their existing ISMS.

Notably “threat intelligence” requires organizations to gather and analyze information about threats, so organizations can take action to mitigate risk. Companies certified under ISO 27001:2013 may not have this element in place. This is a relevant change and speaks to the idea that threats are ever-evolving. Therefore, mitigating risk is a continuous process, not a “one-and-done” task.

Additional new controls within ISO 27001:2022 include:

A.5.7 Threat Intelligence: This control requires organizations to gather and analyze information about threats, so they can take action to mitigate risk.

A.5.23 Information Security for Use of Cloud Services: This control requires organizations to ensure that information security is addressed when using cloud services.

A.5.30 ICT Readiness for Business Continuity: This control requires organizations to ensure that information and communication technology can be recovered and used when disruptions occur.

A.7.4 Physical Security Monitoring: This control requires organizations to monitor sensitive physical areas (data centers, production facilities, etc.) to ensure only authorized people can access them — so the organization is aware in the event of a breach.

A.8.9 Configuration Management: This control requires an organization to manage the configuration of its technology to ensure it remains secure and to avoid unauthorized changes.

A.8.10 Information Deletion: This control requires the deletion of data when it’s no longer required to avoid leaks of sensitive information and comply with privacy requirements.

A.8.11 Data Masking: This control requires organizations to use data masking following the organization’s access control policy to protect sensitive information.

A.8.12 Data Leakage Prevention: This control requires organizations to implement measures to prevent data leakage and disclosure of sensitive information from systems, networks, and other devices.

A.8.16 Monitoring Activities: This control requires organizations to monitor systems for unusual activities and implement appropriate incident response procedures.

A.8.23 Web Filtering: This control requires organizations to manage which websites users access to protect IT systems.

A.8.28 Secure Coding: This control requires secure coding principles to be established within an organization’s software development process to reduce security vulnerabilities.

General:

The main part of ISO 27001, i.e., clauses 4 to 10, has changed only slightly.

The changes in Annex A security controls are moderate.

The number of controls has decreased from 114 to 93.

The controls are placed into four sections instead of the previous 14.

There are 11 new controls, while none of the controls have been removed.