Comparison of changes to the requirements of ISO/IEC 27001:2013 (:2017) vs ISO/IEC 27001:2022

 

ISO/IEC 27001:201 has been replaced by ISO/IEC 27001:2023, according to which all certified organisations must be certified within a transition period.
The transition period is set, according to IAF MD 26, at 36 months from the last day of the month of publication of ISO/IEC 27001:2022 (i.e. 31 October 2025).

The CO will require an increase in audit time as part of the requirements for the transition to the new standard:
1) In the case of a recertification audit, 0.5 audit days.
2) In the case of a surveillance audit, 1 audit day.

Basic requirements

Annex A of the standard contains the interpretation and application of the standard.

ISO/IEC 27001:2022 is based on the new  - High-Level Structure - (HLS), which is a unified structure for all new and revised ISO Management System Standards (MSS). This structure facilitates the integration of different standards into common management systems.

The new version of the standard places greater emphasis on risk assessment. Organizations must conduct a more comprehensive and de-tail risk analysis to better identify and manage information security threats.

ISO/IEC 27001:2022 reflects new challenges and technology trends that have emerged since the release of the pre-release version. Particular attention is paid to new threats such as cyber-attacks based on artificial intelligence, the Internet of Things (IoT) and other emerging technologies.

Strengthening the focus on leadership and senior management commitment

The standard emphasises the importance of involving the organisations leadership in the information security management process.

Top management must demonstrate a commitment to information security and ensure that they are adequately resourced for it.

The new version emphasizes the involvement of the organizations suppliers and partners in the information security management system, especially when key services or products are delivered.

Consideration of risk related to human behaviour:

ISO/IEC 27001:2022 emphasises the importance of considering human behaviour as a fundamental aspect of information security. Organisations should improve their ability to identify and manage risks related to the behaviour of their employees and other users.

- 4.2 - Understanding stakeholder needs and expectations: A new item has been added that requires an analysis of which stakeholder requirements will be addressed through the ISMS.

- 4.4 - Information Security Management System: the standard requires identification of the necessary processes and their interactions within the ISMS. Essentially, the ISMS must therefore include the processes that support the ISMS, not just those specifically listed in the standard.

- 6.2 - Information security objectives and planning for their achievement: now provides further guidance on the objectives of in-information security. This provides a clearer picture of how the objectives should be periodically  monitored and formally documented.

- 6.3 - Change Planning: This clause has been added to set a standard for change planning. It states that if changes are needed in the ISMS, these changes must be sufficiently planned.

- 8.1 - Operational Planning and Management: Additional guidance on operational planning and management has been added. The ISMS must now establish criteria for the actions listed in Article 6 and control these actions in accordance with the criteria.

Minor changes

- 5.3 - Organizational Roles, Responsibilities and Authority: A minor language update clarified that communication of roles relevant to information security is to be communicated within the organization.

-7.4 - Communication: the subordinate clauses a-c remain the same. But subordinate clauses d (who should communicate) and e (the process by which communication should be affected) have been simplified and combined into the newly renamed subordinate clause d (how to communicate).

- 9.2 - Internal Audit: This clause has been changed, but not substantially. It basically just combined what already existed between clauses 9.2.1 and 9.2.2 into one section.

- 9.3 Management Review: A new clause has been added to clarify that the management review of the organization must include consideration of any changes in stakeholder needs and expectations. It is important to note any changes as they are instrumental to the scope of the ISMS as identified in Article 4 (and based on those needs and expectations). For example, if an organizations board of directors wants to go public, the organization needs to consider how a change in priorities would affect the ISMS.

- 10 - Improvement: the structural changes to this article now list continuous improvement first (10.1) and non-compliance and corrective action second (10.2).

Annex A

- 11 new points have been added

- 57 points have been merged

- 23 points were renamed

- 3 points were removed

 

In ISO 27001:2013, controls have been organized into 14 different areas. In the new update, the points are instead placed in the following four areas:

 

- Person controls (8 points)

- Organizational controls (37 points)

- Technology controls (34 points)

- Physical controls (14 points)

 

The change in nomenclature contributes to a better understanding of how Annex A controls help secure information. The previous area names were written for IT professionals - rather than management.

Companies will need to update their applicability statement to reflect this new structure as they look to achieve certification to ISO/IEC 27001:2022.

 

Additional attribute values have also been added to better describe the Annex A controls and help categorize them, but these are only available in ISO/IEC 27001:2022.

- A.5.23 Information security for use of cloud services: this control highlights the need for better information security in the cloud and requires organisations to set standards

     security standards for cloud services and have processes and procedures specifically for cloud services.

- A.5.30 ICT preparedness for business continuity: This control requires organizations to ensure that ICT can be recovered or used in the event that

     disruption.

- A.7.4 Physical Security Monitoring: This control requires organisations to monitor sensitive physical areas (data centres, production facilities, etc.) to ensure that they can be accessed

     only authorized individuals are allowed access to these facilities - so that the organization is notified in the event of a breach.

- A.8.9 Configuration Management: This control requires the organisation to manage the configuration of its technology to ensure that it remains secure and to prevent unauthorised changes.

- A.8.10 Delete Information: This control requires the deletion of data when no longer needed to prevent the leakage of sensitive information and to comply with privacy requirements.

     data protection.

- A.8.11 Data Masking: This control requires organizations to use data masking in accordance with the organizat. access control policy to protect sensitive information.

- A.8.12 Data Leakage Prevention: This control requires organizations to implement measures to prevent data leakage and disclosure of sensitive information from systems, networks, and other devices.

- A.8.16 Monitoring activities: This control requires organizations to monitor systems for unusual activities and implement appropriate incident response procedures.

- A.8.23 Web filtering: This control requires organisations to manage which websites users access to protect IT systems.

- A.8.28 Secure coding: This control requires that secure coding principles are implemented as part of the organisat. software development process to reduce security vulnerabilities.