ISO 27001:2022 vs. ISO 27001:2013: Understanding the Differences
Discover the latest changes in ISO 27001:2022 and gain insights into key differences in ISO 27002:2022 from the 2013 version. Learn about the recertification process for organizations certified to ISO 27001:2013 and the steps needed to transition to ISO/IEC 27001:2022.
Exploring the Latest Changes in ISO 27001:2022
ISO 27001 has come a long way since its first version was published in 1999. Since then, the standard has undergone several revisions to reflect the changing nature of cybersecurity threats and the evolving needs of organizations worldwide.
The previous version, ISO 27001:2013, was widely adopted and considered the state-of-the-art standard for cybersecurity for several years.
The new version, ISO 27001:2022, includes only marginal changes and updates.
It remains largely similar to the 2013 version. The main part of the standard with 10 clauses remains intact, with slight modifications made to clauses 4 through 10 to align them with other ISO management standards.
Changes for ISO 27001:2022 Clauses in Detail:
- Clause 4.2 - Understanding the needs and expectations of interested parties: Only the wording has changed.
- Clause 4.3 - Information security management system: Processes and their interactions within the ISMS now need to be identified.
- Clause 5.3 - Organizational roles, responsibilities and authorities: Only the wording has changed.
- Clause 6.1.3 - Information security risk treatment: The wording was changed to clarify the reference to Annex A and to make clear that controls beyond those listed there can be implemented.
- Clause 6.2 - Information security objectives and planning to achieve them: A new section d) was added, which requires that the objectives be monitored and be available as documented information.
- Clause 6.3 - Planning of changes: A new clause, which requires that all changes to the ISMS be carried out in a planned manner.
- Clause 7.4 - Communication: Section e) was removed; it required defining the processes for communication, e.g. for incidents or ISMS updates.
- Clause 8.1 - Operational planning and control: Only the wording has changed.
- Clause 9.1 - Monitoring, measurement, analysis and evaluation: It was clarified that monitoring and performance evaluation should produce comparable results.
- Clause 9.2 - Internal audit: Split into 9.2.1 - General and 9.2.2 - Internal audit programme to ease reading. No other changes.
- Clause 9.3 - Management review: Split into 9.3.1 - General, 9.3.2 - Management review inputs and 9.3.3 - Management review results to ease reading. No other changes.
Key Differences in ISO 27002:2022 - A Summary of Changes from the 2013 Version
The main effects of the changes in ISO 27002:2022 are:
- The 2022 update to ISO 27002 requires the use of a SIEM (Security Information and Event Management) system to monitor for and detect security incidents. (Controls A.5.7, A.8.16)
- The new version also requires more rigorous Business Continuity measures to be put in place to ensure that organizations are adequately prepared for potential disruptions and can continue to operate effectively. A BIA (Business Impact Analysis) may be required. (A.5.30)
- Another important area of focus in the updated standard is the protection of personally identifiable information (PII) and protected health information (PHI) and alignment with GDPR requirements. (A.8.10, A.8.11, A.8.12)
- The new version has also been updated to reflect the rapid pace of IT developments in recent years, particularly in relation to cloud services. (A.5.23, A.7.4, A.8.9, A.8.28)
- Finally, the updated standard also requires more rigorous web filtering to protect against the risk of web-based attacks and to prevent users from accessing illegal or inappropriate materials. (A.8.23)
The new version of ISO 27002, which was published in February 2022, brings significant changes to the ISMS framework structure. These changes will have an impact on future ISO 27001 certifications and recertifications.
One of the most significant changes introduced with ISO 27002:2022 is the categorization of controls into four themes: Organizational, People, Physical, and Technological.
The old 14 ISO 27001:2013 Annex A domains are no longer used and have been replaced by these 4 categories.
Furthermore, the number of controls was reduced from 114 to 93, with 11 new controls, 24 merged controls, and 58 updated controls. No controls were removed.
Therefore ISO 27002:2022 has only 93 controls.
The replacement of the control objective with a "purpose" element and the introduction of "attributes" for each security control enhance the risk mitigation, assessment, and treatment processes.
To avoid control redundancy, a concerted effort was made to **streamline the control sets**.
What's New in ISO 27002 2022: The complete List of the 11 New Security Controls
- A.5.7 - Threat intelligence: Gather and analyze information about potential threats, such as types of attacks, methods, and trends, from internal and external sources, to take appropriate mitigation actions.
- A.5.23 - Information security for use of cloud services: Set security requirements for the purchasing, using, managing, and terminating of cloud services to better protect information in the cloud.
- A.5.30 - ICT readiness for business continuity: Ensure your information and communication technology is ready for potential disruptions, including business continuity planning, implementation, maintenance, and testing.
- A.7.4 - Physical security monitoring: Monitor sensitive areas, such as offices, production facilities, warehouses, and other premises, to enable only authorized access.
- A.8.9 - Configuration management: Manage the security configuration for technology within its complete lifecycle to ensure proper security levels and prevent unauthorized changes, including configuration definition, implementation, monitoring, and review.
- A.8.10 - Information deletion: Delete data when no longer needed to prevent leakage of sensitive information and comply with privacy and other requirements.
- A.8.11 - Data masking: Use data masking and access control to limit the exposure of sensitive information, primarily personal data but also other categories of sensitive data.
- A.8.12 - Data leakage prevention: Apply measures to prevent unauthorized disclosure of sensitive information and detect incidents in a timely manner.
- A.8.16 - Monitoring activities: Monitor systems to recognize unusual activities and activate appropriate incident response.
- A.8.23 - Web filtering: Manage website access to protect IT systems from malicious code and prevent users from accessing illegal materials from the internet.
- A.8.28 - Secure coding: Establish secure coding principles and apply them to software development activities to reduce security vulnerabilities in the software, including activities before, during, and after the coding process.
ISO 27002:2022 Updated Controls - The List of all 5 controls with significant changes
- 5.9 Inventory of information and other associated assets (8.1.1 Inventory of assets in the 2013 version): Updated to include all associated assets, not just IT assets. Guidance clarifies that the inventory can be dynamic and that the location of the asset should be documented.
- 5.10 Acceptable use of information and other associated assets (8.1.3 Acceptable use of assets in the 2013 version): Expanded with clear guidance on what needs to be addressed in the acceptable use policy.
- 5.18 Access rights (9.2.1 User registration and de-registration in the 2013 version): Now includes physical access rights and the need to maintain a central register of access rights to track user access rights.
- 5.19 Information security in supplier relationships (15.2.1 Monitoring and review of supplier services in the 2013 version): Significantly elaborated to detail the duties of planning and monitoring supplier services throughout the entire engagement lifecycle. A central vendor register is now necessary.
- 5.24 Information security incident management planning and preparation (A.16 Information security incident management in the 2013 version): Expanded to include the need for incident management preparation, including planning for incidents and their response with an information security incident management plan.
Mapping between controls in ISO 27001:2022 and ISO 27002:2013
| ISO 27002:2013 ID | ISO 27002:2022 ID | Control name according to ISO/IEC 27002:2013 |
|---|---|---|
| 5 | | Information security policies |
| 5.1 | | Management direction for information security |
| 5.1.1 | 5.1 | Policies for information security |
| 5.1.2 | 5.1 | Review of the policies for information security |
| 6 | | Organization of information security |
| 6.1 | | Internal organization |
| 6.1.1 | 5.2 | Information security roles and responsibilities |
| 6.1.2 | 5.3 | Segregation of duties |
| 6.1.3 | 5.5 | Contact with authorities |
| 6.1.4 | 5.6 | Contact with special interest groups |
| 6.1.5 | 5.8 | Information security in project management |
| 6.2 | | Mobile devices and teleworking |
| 6.2.1 | 8.1 | Mobile device policy |
| 6.2.2 | 6.7 | Teleworking |
| 7 | | Human resource security |
| 7.1 | | Prior to employment |
| 7.1.1 | 6.1 | Screening |
| 7.1.2 | 6.2 | Terms and conditions of employment |
| 7.2 | | During employment |
| 7.2.1 | 5.4 | Management responsibilities |
| 7.2.2 | 6.3 | Information security awareness, education and training |
| 7.2.3 | 6.4 | Disciplinary process |
| 7.3 | | Termination and change of employment |
| 7.3.1 | 6.5 | Termination or change of employment responsibilities |
| 8 | | Asset management |
| 8.1 | | Responsibility for assets |
| 8.1.1 | 5.9 | Inventory of assets |
| 8.1.2 | 5.9 | Ownership of assets |
| 8.1.3 | 5.10 | Acceptable use of assets |
| 8.1.4 | 5.11 | Return of assets |
| 8.2 | | Information classification |
| 8.2.1 | 5.12 | Classification of information |
| 8.2.2 | 5.13 | Labelling of information |
| 8.2.3 | 5.10 | Handling of assets |
| 8.3 | | Media handling |
| 8.3.1 | 7.10 | Management of removable media |
| 8.3.2 | 7.10 | Disposal of media |
| 8.3.3 | 7.10 | Physical media transfer |
| 9 | | Access control |
| 9.1 | | Business requirements of access control |
| 9.1.1 | 5.15 | Access control policy |
| 9.1.2 | 5.15 | Access to networks and network services |
| 9.2 | | User access management |
| 9.2.1 | 5.16 | User registration and de-registration |
| 9.2.2 | 5.18 | User access provisioning |
| 9.2.3 | 8.2 | Management of privileged access rights |
| 9.2.4 | 5.17 | Management of secret authentication information of users |
| 9.2.5 | 5.18 | Review of user access rights |
| 9.2.6 | 5.18 | Removal or adjustment of access rights |
| 9.3 | | User responsibilities |
| 9.3.1 | 5.17 | Use of secret authentication information |
| 9.4 | | System and application access control |
| 9.4.1 | 8.3 | Information access restriction |
| 9.4.2 | 8.5 | Secure log-on procedures |
| 9.4.3 | 5.17 | Password management system |
| 9.4.4 | 8.18 | Use of privileged utility programs |
| 9.4.5 | 8.4 | Access control to program source code |
| 10 | | Cryptography |
| 10.1 | | Cryptographic controls |
| 10.1.1 | 8.24 | Policy on the use of cryptographic controls |
| 10.1.2 | 8.24 | Key management |
| 11 | | Physical and environmental security |
| 11.1 | | Secure areas |
| 11.1.1 | 7.1 | Physical security perimeter |
| 11.1.2 | 7.2 | Physical entry controls |
| 11.1.3 | 7.3 | Securing offices, rooms and facilities |
| 11.1.4 | 7.5 | Protecting against external and environmental threats |
| 11.1.5 | 7.6 | Working in secure areas |
| 11.1.6 | 7.2 | Delivery and loading areas |
| 11.2 | | Equipment |
| 11.2.1 | 7.8 | Equipment siting and protection |
| 11.2.2 | 7.11 | Supporting utilities |
| 11.2.3 | 7.12 | Cabling security |
| 11.2.4 | 7.13 | Equipment maintenance |
| 11.2.5 | 7.10 | Removal of assets |
| 11.2.6 | 7.9 | Security of equipment and assets off-premises |
| 11.2.7 | 7.14 | Secure disposal or reuse of equipment |
| 11.2.8 | 8.1 | Unattended user equipment |
| 11.2.9 | 7.7 | Clear desk and clear screen policy |
| 12 | | Operations security |
| 12.1 | | Operational procedures and responsibilities |
| 12.1.1 | 5.37 | Documented operating procedures |
| 12.1.2 | 8.32 | Change management |
| 12.1.3 | 8.6 | Capacity management |
| 12.1.4 | 8.31 | Separation of development, testing and operational environments |
| 12.2 | | Protection from malware |
| 12.2.1 | 8.7 | Controls against malware |
| 12.3 | | Backup |
| 12.3.1 | 8.13 | Information backup |
| 12.4 | | Logging and monitoring |
| 12.4.1 | 8.15 | Event logging |
| 12.4.2 | 8.15 | Protection of log information |
| 12.4.3 | 8.15 | Administrator and operator logs |
| 12.4.4 | 8.17 | Clock synchronization |
| 12.5 | | Control of operational software |
| 12.5.1 | 8.19 | Installation of software on operational systems |
| 12.6 | | Technical vulnerability management |
| 12.6.1 | 8.8 | Management of technical vulnerabilities |
| 12.6.2 | 8.19 | Restrictions on software installation |
| 12.7 | | Information systems audit considerations |
| 12.7.1 | 8.34 | Information systems audit controls |
| 13 | | Communications security |
| 13.1 | | Network security management |
| 13.1.1 | 8.20 | Network controls |
| 13.1.2 | 8.21 | Security of network services |
| 13.1.3 | 8.22 | Segregation in networks |
| 13.2 | | Information transfer |
| 13.2.1 | 5.14 | Information transfer policies and procedures |
| 13.2.2 | 5.14 | Agreements on information transfer |
| 13.2.3 | 5.14 | Electronic messaging |
| 13.2.4 | 6.6 | Confidentiality or nondisclosure agreements |
| 14 | | System acquisition, development and maintenance |
| 14.1 | | Security requirements of information systems |
| 14.1.1 | 5.8 | Information security requirements analysis and specification |
| 14.1.2 | 8.26 | Securing application services on public networks |
| 14.1.3 | 8.26 | Protecting application services transactions |
| 14.2 | | Security in development and support processes |
| 14.2.1 | 8.25 | Secure development policy |
| 14.2.2 | 8.32 | System change control procedures |
| 14.2.3 | 8.32 | Technical review of applications after operating platform changes |
| 14.2.4 | 8.32 | Restrictions on changes to software packages |
| 14.2.5 | 8.27 | Secure system engineering principles |
| 14.2.6 | 8.31 | Secure development environment |
| 14.2.7 | 8.30 | Outsourced development |
| 14.2.8 | 8.29 | System security testing |
| 14.2.9 | 8.29 | System acceptance testing |
| 14.3 | | Test data |
| 14.3.1 | 8.33 | Protection of test data |
| 15 | | Supplier relationships |
| 15.1 | | Information security in supplier relationships |
| 15.1.1 | 5.19 | Information security policy for supplier relationships |
| 15.1.2 | 5.20 | Addressing security within supplier agreements |
| 15.1.3 | 5.21 | Information and communication technology supply chain |
| 15.2 | | Supplier service delivery management |
| 15.2.1 | 5.22 | Monitoring and review of supplier services |
| 15.2.2 | 5.22 | Managing changes to supplier services |
| 16 | | Information security incident management |
| 16.1 | | Management of information security incidents and improvements |
| 16.1.1 | 5.24 | Responsibilities and procedures |
| 16.1.2 | 6.8 | Reporting information security events |
| 16.1.3 | 6.8 | Reporting information security weaknesses |
| 16.1.4 | 5.25 | Assessment of and decision on information security events |
| 16.1.5 | 5.26 | Response to information security incidents |
| 16.1.6 | 5.27 | Learning from information security incidents |
| 16.1.7 | 5.28 | Collection of evidence |
| 17 | | Information security aspects of business continuity management |
| 17.1 | | Information security continuity |
| 17.1.1 | 5.29 | Planning information security continuity |
| 17.1.2 | 5.29 | Implementing information security continuity |
| 17.1.3 | 5.29 | Verify, review and evaluate information security continuity |
| 17.2 | | Redundancies |
| 17.2.1 | 8.14 | Availability of information processing facilities |
| 18 | | Compliance |
| 18.1 | | Compliance with legal and contractual requirements |
| 18.1.1 | 5.31 | Identification of applicable legislation and contractual requirements |
| 18.1.2 | 5.32 | Intellectual property rights |
| 18.1.3 | 5.33 | Protection of records |
| 18.1.4 | 5.34 | Privacy and protection of personally identifiable information |
| 18.1.5 | 5.31 | Regulation of cryptographic controls |
| 18.2 | | Information security reviews |
| 18.2.1 | 5.35 | Independent review of information security |
| 18.2.2 | 5.36 | Compliance with security policies and standards |
| 18.2.3 | 5.36, 8.8 | Technical compliance review |
Certified to ISO 27001:2013 - Do I Need to Recertify immediately?
The easy answer is No. You have plenty of time.
The updated standard allows for a three-year transition period.
However, it is not recommended to wait until the last minute to meet the new obligations.
Instead, it is advisable to implement the new control set sooner rather than later, to be prepared for new cyber threats and attack scenarios. The new standard is also more streamlined and easier to assess, making it a worthwhile investment in the long run.
Consider upgrading to the 2022 version when it's time for recertification.
While it is still possible to apply for new certification to the 2013 version until the end of April 2024, it is not a good idea.
Transitioning Timeline for ISO 27001:2022
- 31.10.2022: Transition period began.
- 01.05.2024: All new certifications need to be against ISO/IEC 27001:2022.
- 31.10.2025: Transition period ends. ISO/IEC 27001:2013 certificates will no longer be valid after this date.
The Ultimate 10-Step Plan for Transitioning to ISO 27001:2022
- Get yourself a copy of the new standard.
- Determine whether you can do it on your own or need the help of a consultant.
- Map the controls of ISO 27002:2013 to those of ISO 27002:2022 in a spreadsheet (use the new controls as the master list).
- Perform a gap analysis against the changed and new controls (there are only 16 security controls that are completely new or significantly changed).
- Update the risk assessment to incorporate the new controls.
- Update the Statement of Applicability (use the spreadsheet you created for the gap analysis).
- Implement the missing controls (policies, procedures, systems).
- Perform an internal audit against ISO 27001:2022.
- Contact your certification body to prepare for the transition.
- Have the external audit performed by your certification body's personnel.
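As an added worked example for the mapping and gap-analysis steps of the plan (this is not code from the original page), the script below inverts a subset of the page's 2013-to-2022 mapping table so that the 2022 controls become the master list, classifies each 2022 control as new, merged or carried over from a single 2013 control, and emits the CSV skeleton of the gap-analysis spreadsheet that later feeds the Statement of Applicability. The mapping subset and the list of 11 new controls are taken from this page; `IMPLEMENTED_2022` is a constructed sample of controls an organisation has already addressed, and the function and variable names are the example's own.

```python
"""Build a 2022-master control view from a 2013 -> 2022 mapping (added example)."""
import csv
import io
from collections import defaultdict

# Subset of the page's mapping table: 2013 ID -> ([2022 IDs], 2013 control name).
MAPPING_2013_TO_2022 = {
    "5.1.1": (["5.1"], "Policies for information security"),
    "5.1.2": (["5.1"], "Review of the policies for information security"),
    "8.1.1": (["5.9"], "Inventory of assets"),
    "8.1.2": (["5.9"], "Ownership of assets"),
    "8.1.3": (["5.10"], "Acceptable use of assets"),
    "9.2.1": (["5.16"], "User registration and de-registration"),
    "9.2.2": (["5.18"], "User access provisioning"),
    "9.2.5": (["5.18"], "Review of user access rights"),
    "9.2.6": (["5.18"], "Removal or adjustment of access rights"),
    "12.4.1": (["8.15"], "Event logging"),
    "12.4.2": (["8.15"], "Protection of log information"),
    "12.4.3": (["8.15"], "Administrator and operator logs"),
    "12.4.4": (["8.17"], "Clock synchronization"),
    "18.2.3": (["5.36", "8.8"], "Technical compliance review"),  # one 2013 control split in two
}

# The 11 controls the page lists as new in ISO 27002:2022.
NEW_CONTROLS_2022 = {
    "5.7": "Threat intelligence",
    "5.23": "Information security for use of cloud services",
    "5.30": "ICT readiness for business continuity",
    "7.4": "Physical security monitoring",
    "8.9": "Configuration management",
    "8.10": "Information deletion",
    "8.11": "Data masking",
    "8.12": "Data leakage prevention",
    "8.16": "Monitoring activities",
    "8.23": "Web filtering",
    "8.28": "Secure coding",
}

# Constructed sample: controls this (hypothetical) organisation has already addressed.
IMPLEMENTED_2022 = {"5.7", "5.18", "8.16"}


def _sort_key(control_id):
    """Sort numerically so that '5.10' comes after '5.9', not after '5.1'."""
    return tuple(int(part) for part in control_id.split("."))


def build_2022_view(mapping=MAPPING_2013_TO_2022, new_controls=NEW_CONTROLS_2022):
    """Invert the mapping so each 2022 control lists its 2013 predecessors and
    classify it: 'new' (no predecessor), 'merged' (several) or 'carried' (one)."""
    predecessors = defaultdict(list)
    for old_id, (new_ids, _old_name) in mapping.items():
        for new_id in new_ids:
            predecessors[new_id].append(old_id)
    view = {}
    for new_id in set(predecessors) | set(new_controls):
        preds = sorted(predecessors.get(new_id, []), key=_sort_key)
        if new_id in new_controls and preds:
            # Consistency check on the input data: a control listed as new must
            # not also appear as the target of a 2013 control.
            raise ValueError(f"{new_id} is listed as new but maps from {preds}")
        kind = "new" if not preds else ("merged" if len(preds) > 1 else "carried")
        view[new_id] = {
            "kind": kind,
            "predecessors": preds,
            "predecessor_names": [mapping[p][1] for p in preds],
            "name": new_controls.get(new_id, ""),
        }
    return view


def gap_controls(view, implemented):
    """2022 controls that need attention: every new control and every merged
    control that is not yet marked as implemented."""
    return sorted(
        (cid for cid, info in view.items()
         if info["kind"] in ("new", "merged") and cid not in implemented),
        key=_sort_key,
    )


def gap_csv(view, implemented):
    """Render the 2022-master spreadsheet skeleton as CSV text."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["2022 ID", "kind", "2013 predecessors", "status"])
    for cid in sorted(view, key=_sort_key):
        info = view[cid]
        if cid in implemented:
            status = "implemented"
        elif info["kind"] in ("new", "merged"):
            status = "GAP"
        else:
            status = "review"  # carried over: confirm the updated wording still fits
        preds = "; ".join(f"{p} {n}" for p, n in zip(info["predecessors"], info["predecessor_names"]))
        writer.writerow([cid, info["kind"], preds, status])
    return out.getvalue()


if __name__ == "__main__":
    print(gap_csv(build_2022_view(), IMPLEMENTED_2022))
```

Merged controls are treated as gaps alongside new ones because a merged 2022 control (5.18 Access rights, for example) absorbs requirements from several 2013 controls, so evidence collected for only one predecessor will not cover it; carried-over controls are marked for review against the updated wording rather than as gaps.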