On October 25, 2022, ISO/IEC 27001:2022 was published. Some of the main new updates of ISO/IEC 27001:2022 include a major update of Annex A, minor updates to the clauses, and a change in the standard’s title.
What changed?
It has been updated and published a new, more relevant, and up-to-date edition of ISO/IEC 27001 to address the new and evolving security challenges. The purpose of this standard is to protect the confidentiality, availability, and integrity of the information assets of organizations.
The new version of ISO/IEC 27001 uses the full title ISO/IEC 27001:2022 which refers to Information Security, Cybersecurity, and Privacy Protection.
It is Annex A of ISO/IEC 27001 that has undergone the most significant changes, which is aligned with the ISO/IEC 27002:2022 updates.
Clauses 4-10 Changes:
Clauses 4 to 10 have been revised in several minor ways, particularly clauses 4.2, 6.2, 6.3, and 8.1 which have been updated with additional information. As well as minor changes in terminology, the sentence structure and clause structure have been revised. There is no change to the title or order of these clauses:
Clause 4: The context of the organization
Clause 5: Leadership
Clause 6: Planning
Clause 7: Support
Clause 8: Operation
Clause 9: Performance evaluation
Clause 10: Improvement
Annex A changes:
ISO/IEC 27001:2022 contains changes to both the number of controls and their groupings in Annex A. It has also been renamed Information security controls reference from Reference control objectives and controls. It has been decided to eliminate the reference objectives of each control group that were included in the previous version of the standard.
Annex A controls have decreased from 114 to 93. Many controls have been merged, which has resulted in a decrease in the number of controls. There have been 35 controls that remain the same, 23 controls that have been renamed, 57 controls that have been merged into 24 controls, and one control that has been divided into two controls. As a result of the reorganization, the 93 controls have been grouped into four sections or control groups.
ISO/IEC 27001:2022 includes the following new control groups:
- A.5 Organizational controls – contains 37 controls
- A.6 People controls – contains 8 controls
- A.7 Physical controls – contains 14 controls
- A.8 Technological controls – contains 34 controls
The following 11 new controls have also been added to Annex A of ISO/IEC 27001:2022:
- Threat intelligence
- Information security for the use of cloud services
- ICT readiness for business continuity
- Physical security monitoring
- Configuration management
- Information deletion
- Data masking
- Data leakage prevention
- Monitoring activities
- Web filtering
- Secure coding
How ISO27001:2022 will effect my current 2013 version?
As a result of the new updates, your existing certification against the ISO 27001 standard will not be affected. To allow organisations with ISO 27001 certification to efficiently transition to the newer version, the accreditation bodies will collaborate with certification companies on a transition period.
It is still recommended that your Statement of Applicability (SoA) refer to the controls found in Annex A of ISO 27001:2013 even though the updated version of ISO 27001 has been released.
