ISO 27001:2022: What Has Changed in the New Revision?

In February 2022, ISO published a new revision of ISO/IEC 27002 (maintained by ISO/IEC JTC 1/SC 27), replacing the 2013 revision, with the expectation that the flagship standard, ISO/IEC 27001 Information security, cybersecurity and privacy protection – Information security management systems – Requirements, would follow with its own 2022 revision in October.

What is ISO 27001?

The flagship information security management standard, ISO 27001, was first published in 2005 and revised in 2013, which is the current revision of the standard.  The 2013 revision will soon be withdrawn with the pending release of the newest iteration, ISO/IEC 27001:2022 (see the life cycle chart for publication information below).  The standard defines international best practice for developing and maintaining an ISMS (Information Security Management System) and guides organizations in protecting the confidentiality, integrity and availability of their information.  It is published and maintained by ISO/IEC JTC 1/SC 27 Information security, cybersecurity and privacy protection.

ISO describes the standard as a document that specifies requirements for establishing, implementing, maintaining, and continually improving an information security management system within the context of an organization, and that also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization.  The standard follows the harmonized structure shared by ISO management system standards, and its requirements are intended to be generic and applicable to all organizations, regardless of type, size, or nature.  For an organization to claim conformity with ISO 27001, none of the auditable clauses (clauses 4-10) may be excluded.


What’s Changing in ISO 27001/27002:2022?

The phrase “code of practice” is no longer present in the title of ISO 27002, which is now called ISO/IEC 27002:2022 Information security, cybersecurity and privacy protection – Information security controls; the new title better reflects its purpose as a reference set of information security controls to be used in conjunction with ISO/IEC 27001:2022.

The standard itself is much larger than the 2013 revision.  The controls have been significantly reordered, updated, merged, or removed, and some new controls have been added; the update for the 2022 revision is significant, to say the least.

Even though the standard is longer than its predecessor, the number of controls has been reduced from 114 in the 2013 revision to 93 in the 2022 revision, with the controls grouped into 4 themes rather than the 14 clauses that characterized the previous revision.  These themes are:

  • People (8 controls)
  • Organizational (37 controls)
  • Technological (34 controls)
  • Physical (14 controls)

Five new control attributes make the controls easier to categorize and filter (for example, to pull out every detective control, or every control that supports the NIST “Detect” function):

  • Control types (preventive, detective, corrective)
  • Information security properties (confidentiality, integrity, availability)
  • Cybersecurity concepts (identify, protect, detect, respond, recover)
  • Operational capabilities (governance, asset management, etc.)
  • Security domains (governance and ecosystem, protection, defense, resilience)

The 11 completely new controls (with their ISO/IEC 27002:2022 control numbers) are:

  • 5.7 Threat intelligence
  • 5.23 Information security for use of cloud services
  • 5.30 ICT readiness for business continuity
  • 7.4 Physical security monitoring
  • 8.9 Configuration management
  • 8.10 Information deletion
  • 8.11 Data masking
  • 8.12 Data leakage prevention
  • 8.16 Monitoring activities
  • 8.23 Web filtering
  • 8.28 Secure coding

Regarding ISO/IEC 27001 itself, we expect Annex A to undergo a complete overhaul so that it aligns with the new and updated controls defined in ISO 27002:2022, while the management system requirements in clauses 4-10 remain largely as they are.


What Will This Mean for Organizations Certified or Planning to Certify Against ISO/IEC 27001:2013?

If you have already implemented or are in the process of implementing ISO 27001, you are likely selecting controls consistent with Annex A of the standard.  Until the new revision of ISO 27001 is published, your SoA (Statement of Applicability) must still reference Annex A of ISO 27001:2013, but nothing prevents you from drawing controls from ISO 27002:2022: ISO 27001 allows controls to be selected from any source, so long as the selection is compared against Annex A to confirm no necessary control has been omitted and the reasons for inclusion or exclusion are properly documented.  As mentioned above, we expect the new revision of ISO 27001, due to be released at any time, to include a completely overhauled Annex A that reflects the controls in ISO/IEC 27002:2022.

If you are in the midst of implementing ISO 27001, there is no harm in continuing the work rather than waiting for the new iteration of the standard: a transition period of around two years is expected, and a foundational system that meets the requirements of the 2013 revision will make the move to any new or updated requirements a small step.  For organizations already certified against the 2013 revision, keep working with the system you have, but recognize the benefits of early adoption of the new revision and its requirements.  Even with a transition period of around two years, don’t wait until the last minute to purchase the new revision and begin understanding and implementing any changed or updated requirements.