ISO/IEC 27001:2022 Update:

What are the main changes and what does this mean for you?

This year, the ISO27001 standard saw its first significant update since 2013.

What, however, do these changes mean for your organisation’s security?

Why has ISO27001:2022 changed?

At a minimum, all ISO standards go through a review process every five years.

The last version of the standard was published in 2013 – and a lot has changed since then.

Consequently, the most recent review has led to some important revisions in ISO 27001:2022.

There are now new technologies in use (including cloud software), and the way people work has changed considerably. Since the COVID-19 pandemic, there has been an increase in organisations taking their operations online, changing to remote working, and leveraging Bring Your Own Device (BYOD).

Additionally, the online environment has seen a shift and become increasingly complicated, resulting in us facing new and different information security challenges.

Accordingly, the ISO27001 standard has been updated to reflect the fact that information security in 2022 is vastly different from what it was in 2013.


What is new in ISO27001:2022?

To address our current-day information security challenges, 11 new security controls have been added.

These controls include:

    • 5.7: Threat intelligence  
    • 5.23: Information security for use of cloud services  
    • 5.30: ICT readiness for business continuity  
    • 7.4: Physical security monitoring  
    • 8.9: Configuration management  
    • 8.10: Information deletion  
    • 8.11: Data masking  
    • 8.12: Data leakage prevention  
    • 8.16: Monitoring activities  
    • 8.23: Web filtering  
    • 8.28: Secure coding  

ISO27001:2022 and ISO27002:2022 Annex A updates:

  • The number of controls has been reduced from 114 controls to 93 controls
  • In contrast with the previous control categories, the new controls have been consolidated into four control themes: “Organisational”, “People”, “Physical” and “Technological”
  • 24 controls from the ISO27001:2013 standard have been merged
  • 58 controls from the ISO27001:2013 standard have been revised to reflect the current-day information security environment
  • The concept of “attributes” has been newly introduced. The updated standard offers five attribute groups:
    • Control type: preventive, detective, corrective
    • Information security properties: confidentiality, integrity, availability
    • Cybersecurity concepts: identify, protect, detect, respond, recover
    • Operational capabilities: governance, asset management, information protection, HR security, physical security, system and network security, application security, secure configuration, identity and access management, threat and vulnerability management, continuity, supplier relationships security, legal and compliance, information security event management, information security assurance
    • Security domains: governance and ecosystem, protection, defence and resilience

Attributes offer a new way of creating different views of the controls: each attribute value is written with a hashtag prefix, so the controls can be filtered and grouped by that tag. Attributes can be used in your Information Security Management System (ISMS) to improve the management of controls.

What is the ISO27001:2022 Transition Period?

2022: Starting from September 2022, the transition period for ISO27001:2022 is three years, to September 2025. Implementing ISO27001:2022 earlier will increase your organisation’s degree of information security maturity.

2023: Taking this into account, new and existing certificates can still be assessed to ISO/IEC 27001:2013 during 2023.

2024: After the 29th of March 2024, no initial or recertification audits against the 2013 version are to be completed.

2025: All ISO/IEC 27001:2013 certificates shall expire or be withdrawn by the 29th of September 2025 at the latest.


Please reach out to us at any stage if you’d like to discuss how we can assist your organisation with transitioning to ISO27001:2022.