ISO 27001 is an internationally recognized standard for Information Security Management Systems (ISMS) that helps organizations protect sensitive information systematically. It offers a comprehensive framework for establishing, implementing, maintaining, and continually improving an ISMS, with a focus on assessing and treating information security risks in a way that is tailored to the organization's specific needs. Over the years, the ISO 27001 standard has been revised periodically in response to evolving information security threats, technological advances, and changes in the regulatory environment.
The progression from ISO 27001:2013 to ISO 27001:2022 marks a significant development in the standard to tackle the complexities of information security in today’s digital environment. While the 2013 edition established a framework for information security management best practices, the latest 2022 update expands upon these principles with revised guidelines that address the current and emerging threats in the field.
How is ISO 27001:2022 Different from ISO 27001:2013?
Let us examine the differences between the two versions, ISO 27001:2013 vs. ISO 27001:2022, clause by clause.
Clause (4-10) | ISO 27001:2013 | ISO 27001:2022 |
---|---|---|
4.2 Understanding the Needs and Expectations of Interested Parties | Did not explicitly require an analysis of which interested-party requirements are to be addressed through the ISMS. | Introduced a new item (c) that mandates an analysis to determine which of the interested parties' needs and expectations are to be addressed through the ISMS. |
4.4 Information Security Management System | Less specific language around identifying the processes needed within the ISMS. | A new phrase requires organizations to identify the relevant processes and their interactions within the ISMS, emphasizing a more comprehensive approach. |
5.3 Organizational Roles, Responsibilities, and Authorities | Contained general instructions on communicating roles related to information security. | A minor phrase was updated to clarify how roles relevant to information security are communicated within the organization. |
6.2 Information Security Objectives and Planning to Achieve Them | Provided general guidance on setting information security objectives. | Additional guidance (items d and e) on information security objectives was introduced, including the need for regular monitoring and for the objectives to be formally documented. |
6.3 Planning of Changes | N/A | A new sub-clause was added that requires changes to the ISMS to be planned and carried out in a controlled manner. |
7.4 Communication | Included detailed instructions for communication (items a-c), with separate points (d and e) for who should communicate and how. | Items a-c remain the same; the former items d and e were combined into a single new item (d) that focuses on how to communicate. |
8.1 Operational Planning and Control | Offered basic guidance on operational planning and control. | New guidance was added to establish criteria for the operational actions identified in Clause 6 and to control those actions according to the criteria. |
9.2 Internal Audit | Separate sub-clauses 9.2.1 and 9.2.2. | The clause was revised to consolidate the previous sub-clauses (9.2.1 and 9.2.2) into a single section without materially changing its content. |
9.3 Management Review | No explicit mention of considering changes in the needs and expectations of interested parties. | A new item (9.3.2 c) requires the management review to consider changes in interested parties' needs and expectations. |
10 Improvement | The structure did not place Continual Improvement first. | Sub-clauses were reordered so that Continual Improvement (10.1) precedes Nonconformity and Corrective Action (10.2), emphasizing the importance of ongoing improvement of the ISMS. |
Update to the Structure of Annex A Controls
The update from ISO 27001:2013 to ISO 27001:2022 modernizes and simplifies the framework, aligning it with current information security risks and technologies through a restructured set of controls. The title of the annex has been changed from "Reference control objectives and controls" to "Information security controls reference."
Aspect | ISO 27001:2013 | ISO 27001:2022 |
---|---|---|
Control Domains/Themes | 14 domains | 4 categories |
Total Number of Controls | 114 controls (across 14 domains) | Reduced from 114 to 93 controls (across 4 categories) |
New Controls Introduced | N/A | 11 new controls introduced |
Controls Merged | N/A | 57 controls consolidated into fewer overarching controls |
Controls Renamed | N/A | 23 controls renamed for clarity or relevance |
Controls Removed | N/A | 3 controls deemed no longer necessary were eliminated |
Reorganization of Controls | 1. Information security policies; 2. Organization of information security; 3. Human resource security; 4. Asset management; 5. Access control; 6. Cryptography; 7. Physical and environmental security; 8. Operations security; 9. Communications security; 10. System acquisition, development, and maintenance; 11. Supplier relationships; 12. Information security incident management; 13. Information security aspects of business continuity management; 14. Compliance | 1. A.5 Organizational controls (37 controls); 2. A.6 People controls (8 controls); 3. A.7 Physical controls (14 controls); 4. A.8 Technological controls (34 controls) |
Updated Controls in ISO 27001:2022 Annex A
The ISO 27001:2022 version introduces 11 new controls within Annex A.
How can InfosecTrain Help?
Both versions of the ISO 27001 standard stress the importance of tailoring the ISMS to the organization's specific requirements. However, the 2022 version places greater emphasis on organizations considering their specific context, such as technological, legal, and regulatory factors, when developing and implementing their ISMS.
At InfosecTrain, we offer ISO 27001:2022 Lead Auditor and ISO 27001:2022 Lead Implementer certification training courses. These courses equip learners with the skills to audit and implement an Information Security Management System (ISMS) in line with the latest standard and information security best practices. We provide instructor-led training sessions that focus on practical skills, interactive learning, and real-world scenarios, all under the guidance of experienced instructors.