Exploring the Key Differences Between ISO 27001:2013 and ISO 27001:2022

May 08, 2023    |    NRS Admin    |    Management Consultancy ISO Consulting Service ISO Certification Service Business IT Security
Exploring the Key Differences Between ISO 27001:2013 and ISO 27001:2022

ISO/IEC 27001:2022 is the latest version of the International Standard for Information Security Management Systems (ISMS). It was published in January 2022 and replaces the previous version, ISO/IEC 27001:2013. The standard provides a framework for managing and protecting sensitive information using a risk-based approach.

ISO/IEC 27001:2022 follows the High-Level Structure (HLS), which is a standardized structure used in many ISO management system standards. This makes it easier for organizations to integrate their ISMS with other management systems they may have in place. One of the main differences between ISO/IEC 27001:2022 and ISO/IEC 27001:2013 is that ISO/IEC 27001:2022 includes a new risk assessment process that is based on the ISO 31000 risk management standard. This updated process allows organizations to tailor their risk management strategies to their specific needs and circumstances, giving them more control over their information security.

ISO/IEC 27001:2022 includes the same number of clauses as ISO/IEC 27001:2013, but the text has changed slightly. The changes help align ISO/IEC 27001 with other ISO management standards. Significant changes largely revolve around planning and defining process criteria, as well as monitoring standards. Specifically:

  • Clause 4.2 Understanding the Needs and Expectations of Interested Parties:
    A new subclause was added requiring an analysis of which of the interested party requirements are going to be addressed through the ISMS.

  • Clause 4.4 Information Security Management System:
    New language was added, which requires organizations to identify necessary processes and their interactions within the ISMS. Essentially the ISMS must include the processes underpinning the ISMS, not just the ones specifically called out in the Standard.

  • Clause 6.2 Information Security Objectives and Planning to Achieve Them:
    Now includes additional guidance on the information security objectives. This gives more clarity about how objectives should be monitored regularly and formally documented.

  • Clause 6.3 Planning of Changes:
    This clause was added to set a standard around planning for changes. It states that if changes are needed to the ISMS, they shall be adequately planned and reviewed before implementation.

  • Clause 8.1 Operational Planning and Control:
    It has additional guidance for operational planning and control. The ISMS now needs to establish criteria for actions identified in Clause 6 and control those actions in accordance with the criteria.

Additional minor changes include:

  • Clause 5.3 Organizational Roles, Responsibilities, and Authorities:
    A minor update to the language clarified that communication of roles relevant to information security are to be communicated within the organization.

  • Clause 7.4 Communication:
    Subclauses a-c remain the same. But subclauses d (who should communicate) and e (the process by which communication should be affected) have been simplified and combined into a newly renamed subclause d (how to communicate).

  • Clause 9.2 Internal Audit:
    This clause was changed, but not materially. It essentially just combined what already existed between Clause 9.2.1 and 9.2.2 into one section.

  • Clause 9.3 Management Review:
    A new item was added to clarify that the organization’s management review shall include consideration of any changes to the needs and expectations of interested parties.

  • Clause 10 Improvement:
    Structural changes to this clause now list Continual Improvement (10.1) first, and Nonconformity and Corrective Action (10.2) second.

In ISO 27001:2022 structural changes were made to the Annex A controls. Control groups have been reorganized and the overall number of controls has decreased. At a high level:

  • 11 new controls were introduced
  • 57 controls were merged
  • 23 controls were renamed
  • 3 controls were removed

In ISO 27001:2013, controls were organized into 14 different domains. In the new update, controls are placed into the following four themes instead:

  • People controls (8 controls)
  • Organizational controls (37 controls)
  • Technological controls (34 controls)
  • Physical controls (14 controls)

The nomenclature change promotes a better understanding of how Annex A controls help secure information. The previous domain names were written for IT professionals — rather than management. Companies will need to update their Statement of Applicability to match this new structure, as they look to achieve certification under ISO 27001:2022.

Additional attribute values were also added to better describe the Annex A controls and help categorize them, but these are only available in ISO 27002.

The largest change within Annex A is around the 11 new controls which were introduced. Organizations that are currently certified under ISO 27001:2013 will need to ensure proper processes are in place to meet these new requirements or will need to create new processes to incorporate these controls into their existing ISMS.

 Notably “threat intelligence” requires organizations to gather and analyze information about threats, so organizations can take action to mitigate risk. Companies certified under ISO 27001:2013 may not have this element in place. This is a relevant change and speaks to the idea that threats are ever evolving. Therefore, mitigating risk is a continuous process, not a “one-and-done” task.

Additional new controls within ISO 27001:2022 include:

  • A.5.7 Threat Intelligence:
    This control requires organizations to gather and analyze information about threats, so they can take action to mitigate risk.

  • A.5.23 Information Security for Use of Cloud Services:
    This control requires organizations to ensure that information security is addressed when using cloud services.

  • A.5.30 ICT Readiness for Business Continuity:
    This control requires organizations to ensure that information and communication technology can be recovered and used when disruptions occur.

  • A.7.4 Physical Security Monitoring:
    This control requires organizations to monitor sensitive physical areas (data centers, production facilities, etc.) to ensure only authorized people can access them — so the organization is aware in the event of a breach.

  • A.8.9 Configuration Management:
    This control requires an organization to manage the configuration of its technology to ensure it remains secure and to avoid unauthorized changes.

  • A.8.10 Information Deletion:
    This control requires the deletion of data when it’s no longer required to avoid leaks of sensitive information and to comply with privacy requirements.

  • A.8.11 Data Masking:
    This control requires organizations to use data masking in accordance with the organization’s access control policy to protect sensitive information.

  • A.8.12 Data Leakage Prevention:
    This control requires organizations to implement measures to prevent data leakage and disclosure of sensitive information from systems, networks, and other devices.

  • A.8.16 Monitoring Activities:
    This control requires organizations to monitor systems for unusual activities and implement appropriate incident response procedures.

  • A.8.23 Web Filtering:
    This control requires organizations to manage which websites users access to protect IT systems.

  • A.8.28 Secure Coding:
    This control requires secure coding principles to be established within an organization’s software development process to reduce security vulnerabilities.

In General:

  • The main part of ISO 27001, i.e., clauses 4 to 10, has changed only slightly.
  • The changes in Annex A security controls are moderate.
  • The number of controls has decreased from 114 to 93.
  • The controls are placed into four sections instead of the previous 14.
  • There are 11 new controls, while none of the controls have been removed.
  • Changed from 114 to 93

Implementing ISO 27001:2022 can benefit your organization in a variety of methods, including greater consumer trust, improved business continuity, and risk control, enhanced compliance with legal and regulatory requirements, and improved alignment with industry best practices.

Nepal Realistic Solution specialize in assisting businesses with the implementation and maintenance of ISO 27001:2022. From gap analysis and risk assessment to creating policies and training, our expert consultants will guide you through the entire process. We customize our services to your business's specific needs and goals, ensuring an effortless and efficient implementation.

Contact us today to learn more about how ISO 27001:2022 can benefit your organization and how we can assist you in achieving compliance. Our team is ready to answer your questions and provide you with a tailored solution that meets the specific demands and challenges of your business.

ISO27001 ISMS InformationSecurity RiskAssessment RiskManagement InformationProtection ISO270012022 CyberProtection
Write A Comment