ISO/IEC 27001 - What are the main changes in 2022?
The new ISO/IEC 27001:2022 has been published on October 25, 2022. Some of the main new updates of ISO/IEC 27001:2022 include a major change of Annex A, minor updates of the clauses, and a change in the title of the standard.
The latest version of ISO/IEC 27002 has been published at the beginning of 2022, and its latest changes have also impacted ISO/IEC 27001.
The new changes of ISO/IEC 27001:2022
As the world is facing new evolving security challenges, the internationally recognized standard ISO/IEC 27001, which aims to protect the confidentiality, availability, and integrity of organisations’ information assets has been updated and its new more relevant, and up-to-date edition has been published.
Different from ISO/IEC 27001:2013, the new version’s complete title is ISO/IEC 27001:2022 Information Security, Cybersecurity and Privacy Protection.
The part that has gone under the most significant changes is Annex A of ISO/IEC 27001 which is aligned with the ISO/IEC 27002:2022 updates, published earlier this year.
As for other parts, clauses 4 to 10 have undergone several minor changes, especially in clauses 4.2, 6.2, 6.3, and 8.1 where additional new content has been added. Other updates include minor changes in the terminology and restructuring of sentences and clauses. However, the title and order of these clauses remain the same:
Clause 4 Context of the organization
Clause 5 Leadership
Clause 6 Planning
Clause 7 Support
Clause 8 Operation
Clause 9 Performance evaluation
Clause 10 Improvement
What are the main control changes in Annex A?
Annex A of ISO/IEC 27001:2022 contains changes in both, the number of controls, and their listing in groups. The title of this Annex has also changed from Reference control objectives and controls to Information security controls reference. Therefore, the reference objectives of each control group that were present in the previous version of the standard, now have been removed.
The number of Annex A controls has decreased from 114 to 93. The decrease in the number of controls has mostly come from merging many of them. 35 controls have remained the same, 23 controls were renamed, 57 controls were merged into 24 controls, and one control has been divided into two. The 93 controls have been restructured to four control groups or sections.
The new control groups of ISO/IEC 27001:2022 are:
A.5 Organizational controls - contains 37 controls
A.6 People controls - contains 8 controls
A.7 Physical controls - contains 14 controls
A.8 Technological controls - contains 34 controls
ISO/IEC 27001:2022 has also added the below-mentioned 11 new controls to its Annex A:
Information security for the use of cloud services
ICT readiness for business continuity
Physical security monitoring
Data leakage prevention
Will ISO/IEC 27001:2022 changes affect my current ISO/IEC 27001 certificate?
The new updates do not impact your existing certification against the ISO 27001 standard. Instead, the accreditation bodies will jointly work with the certification companies on a transition period to allow organisations with ISO 27001 certification to shift to the newer version efficiently.
Still, even now that the updated version of ISO 27001 has been released, your Statement of Applicability (SoA) should refer to the controls contained in Annex A of ISO 27001:2013. ISO 27002:2022 should only be used as a reference to other controls and as guidance to understand the changes.
Planning to certify to ISO 27001? Should you wait until the certification bodies can certify to the new version?
No! Even though the new 2022 version is published, you shouldn’t wait to certify. Waiting for the ability to get certified against the new standards will likely leave your organisation at a greater risk.
The transition timeline is set to be 3 years. Current 2013-certificates therefore need to be transitioned to the new version before November 2025.
If you wish to discuss your information security requirements, you can contact our ISMS Lead Implementer Scott Naisbett - https://www.isosystems.org.uk/contact