ISO 27001:2013 vs. ISO 27001:2022
ISO 27001 is an internationally acknowledged Information Security Management Systems (ISMS) standard that systematically protects sensitive company information. It offers a comprehensive framework for the creation, implementation, maintenance, and ongoing improvement of an ISMS, focusing on evaluating and managing information security risks tailored to the organization’s specific needs. Over the years, the ISO 27001 standard has been periodically revised with the evolving nature of information security threats, technological advancements, and changes in regulatory environments.
The progression from ISO 27001:2013 to ISO 27001:2022 marks a significant development in the standard to tackle the complexities of information security in today’s digital environment. While the 2013 edition established a framework for information security management best practices, the latest 2022 update expands upon these principles with revised guidelines that address the current and emerging threats in the field.
How is ISO 27001:2022 Different from ISO 27001:2013?
Let us examine the differences between ISO 27001 versions, ISO 27001:2013 vs. 2022, based on the clauses.
| Clause (4-10) | ISO 27001:2013 | ISO 27001:2022 |
| 4.2 Understanding the Needs and Expectations of Interested Parties | Not explicitly requiring an analysis of interested parties’ requirements to be addressed through the ISMS. | Introduced a new item (c) mandating an analysis to determine which requirements from interested parties needs and expectations to be managed through the ISMS. |
| 4.4 Information Security Management System | Less specific language around the identification of necessary processes within the ISMS. | A new phrase was added that requires organizations to identify relevant processes and their interactions within the ISMS, emphasizing a more comprehensive approach. |
| 5.3 Organizational Roles, Responsibilities, and Authorities | Contained general instructions on communicating roles related to information security. | A minor phrase was updated to clarify the communication of roles relevant to information security within the organization. |
| 6.2 Information Security Objectives and Planning to Achieve Them | Provided general guidance on setting information security objectives. | Additional guidance (d and e) on the information security objectives was introduced, including the need for regular monitoring and formal documentation. |
| 6.3 Planning of Changes | N/A | A new sub-clause was added, which sets a standard for planning changes to the ISMS, ensuring changes are controlled. |
| 7.4 Communication | Included detailed instructions for communication (items a-c), with separate points (d and e) for who should communicate and how. | Items a-c remain the same; simplified and combined items related to communication (previously d and e) into a new item (d), streamlined focusing on how to communicate. |
| 8.1 Operational Planning and Control | Offers basic guidance on operational planning and control. | New guidance was added to establish criteria for operational actions identified in Clause 6 and control those actions according to the criteria. |
| 9.2 Internal Audit | Separate sections for Clause 9.2.1 and 9.2.2. | A clause was revised to consolidate previous subclauses (9.2.1 and 9.2.2) into a single section without materially changing its content. |
| 9.3 Management Review | No explicit mention of considering changes to the needs and expectations of interested parties. | A new item (9.3.2 c) was added, which included a requirement for the management review to consider changes to interested parties’ needs and expectations. |
| 10 Improvement | Structure did not prioritize Continual Improvement. | Reorganized subclauses to prioritize Continual Improvement (10.1) before Nonconformity and Corrective Action (10.2), emphasizing the importance of ongoing improvement in the ISMS. |
Updation to the Structure of Annex A Controls
The update from ISO 27001:2013 to ISO 27001:2022 modernizes and simplifies the framework, aligning it with current information security risks and technologies through a restructured organization of controls. The title of this annex has been updated to “Information security controls reference” from its previous title, “Reference control objectives and controls.”
| Aspect | ISO 27001:2013 | ISO 27001:2022 |
| Control Domains/Themes | 14 domains | 4 categories |
| Total Number of Controls | 114 controls (across 14 domains) | Decreased overall 114 controls into 93 controls (across 4 categories) |
| New Controls Introduced | N/A | Introduction of 11 new controls |
| Controls Merged | N/A | Consolidation of 57 controls into fewer overarching controls |
| Controls Renamed | N/A | Renaming of 23 controls for clarity or relevance |
| Controls Removed | N/A | Elimination of 3 controls deemed no longer necessary |
| Reorganization of Controls | 1. Information security policies 2. Organization of information security 3. Human resource security 4. Asset management 5. Access control 6. Cryptography 7. Physical and environmental security 8. Operations security 9. Communications security 10. System acquisition, development, and maintenance 11. Supplier relationships 12. Information security incident management 13. Information security aspects of business continuity management 14. Compliance |
1. A.5 Organizational controls (37 controls) 2. A.6 People controls (8 controls) 3. A.7 Physical controls (14 controls) 4. A.8 Technological controls (34 controls) |
Updated Controls in ISO 27001:2022 Annex A
The ISO 27001:2022 version introduces 11 new controls within Annex A.
- A.5.7 Threat Intelligence: This control requires organizations to collect and analyze threat-related information to manage and reduce risks proactively.
- A.5.23 Information Security for Use of Cloud Services: This control highlights the importance of securing cloud-based environments, mandating organizations to define security standards for cloud services, including specific processes and procedures tailored for cloud usage.
- A.5.30 ICT Readiness for Business Continuity: This control requires organizations to guarantee the resilience and recoverability of information and communication technologies when disruptions occur.
- A.7.4 Physical Security Monitoring: This control mandates the surveillance of critical physical locations like data centers and production sites to ensure access is restricted to authorized personnel, enhancing breach awareness.
- A.8.9 Configuration Management: This control obliges organizations to oversee the configuration of their technological assets to safeguard against unauthorized modifications and maintain security.
- A.8.10 Information Deletion: This control involves systematically deleting obsolete data to prevent unauthorized disclosure and comply with data privacy regulations.
- A.8.11 Data Masking: This control directs organizations to obscure sensitive data, aligning with access control policies to shield confidential information from unauthorized viewers.
- A.8.12 Data Leakage Prevention: This control requires implementing security measures to avert unauthorized exposure and leakage of sensitive data across systems, networks, and devices.
- A.8.16 Monitoring Activities: This control requires the continuous surveillance of systems for anomalous behavior, coupled with the execution of effective incident response strategies.
- A.8.23 Web Filtering: This control mandates the regulation of internet access within an organization to protect against digital threats and ensure the security of IT infrastructures.
- A.8.28 Secure Coding: This control mandates the incorporation of secure coding practices throughout the software development lifecycle to reduce vulnerabilities and improve the security of applications.
To know more, watch the videos:
- What’s New in ISO 27001:2022 | ISO 27001 History | ISO 27001:2013 Minor Updates
- ISO/IEC 27001: 2022 Update: What You Need to Know | InfosecTrain
Explore the related blogs:
- Career Scope of ISO 27001 Certification
- Common Interview Questions for ISO 27001
- What’s New in ISO 27001?
- Top Interview Questions for ISO 27001
- Top 20 Interview Questions for ISO 27001 Lead Auditor
- Guide to Become an ISO 27001 Lead Auditor
- ISO Lead Implementer Interview Questions
- Lead Auditor vs. Lead Implementer
How can InfosecTrain Help?
Both versions of the ISO 27001 standard highlight the importance of tailoring the ISMS to fit the organization’s specific requirements. However, the 2022 version emphasizes the importance of organizations considering their specific context, such as technological, legal, and regulatory factors, when developing and implementing their ISMS.
TRAINING CALENDAR of Upcoming Batches For ISO 27001:2022 LI
| Start Date | End Date | Start - End Time | Batch Type | Training Mode | Batch Status | |
|---|---|---|---|---|---|---|
| 25-May-2024 | 16-Jun-2024 | 09:00 - 13:00 IST | Weekend | Online | [ Open ] |
At InfosecTrain, we offer ISO 27001:2022 Lead Auditor and ISO 27001:2022 Lead Implementer certification training courses. These courses provide learners with the skills to audit and enforce an Information Security Management System (ISMS), aligning with the latest standards and best practices for information security. We provide instructor-led training sessions that focus on practical skills, interactive learning, and real-world scenarios, all under the guidance of experienced instructors.
TRAINING CALENDAR of Upcoming Batches For ISO 27001 : 2022 LA
| Start Date | End Date | Start - End Time | Batch Type | Training Mode | Batch Status | |
|---|---|---|---|---|---|---|
| 11-May-2024 | 09-Jun-2024 | 19:00 - 23:00 IST | Weekend | Online | [ Open ] | |
| 22-Jun-2024 | 28-Jul-2024 | 09:00 - 13:00 IST | Weekend | Online | [ Open ] |
Ruchi Bisht
Contact Us
1800-843-7890 (India) 
