Exploring the Key Differences Between ISO 27001:2013 and ISO 27001:2022

May 08, 2023    |    NRS Admin    |    Management Consultancy ISO Consulting Service ISO Certification Service Business IT Security

ISO/IEC 27001:2022 is the latest version of the International Standard for Information Security Management Systems (ISMS). It was published in January 2022 and replaces the previous version, ISO/IEC 27001:2013. The standard provides a framework for managing and protecting sensitive information using a risk-based approach.

ISO/IEC 27001:2022 follows the High-Level Structure (HLS), which is a standardized structure used in many ISO management system standards. This makes it easier for organizations to integrate their ISMS with other management systems they may have in place. One of the main differences between ISO/IEC 27001:2022 and ISO/IEC 27001:2013 is that ISO/IEC 27001:2022 includes a new risk assessment process that is based on the ISO 31000 risk management standard. This updated process allows organizations to tailor their risk management strategies to their specific needs and circumstances, giving them more control over their information security.

ISO/IEC 27001:2022 includes the same number of clauses as ISO/IEC 27001:2013, but the text has changed slightly. The changes help align ISO/IEC 27001 with other ISO management standards. Significant changes largely revolve around planning and defining process criteria, as well as monitoring standards. Specifically:

  • Clause 4.2 Understanding the Needs and Expectations of Interested Parties:
    A new subclause was added requiring an analysis of which of the interested party requirements are going to be addressed through the ISMS.

  • Clause 4.4 Information Security Management System:
    New language was added, which requires organizations to identify necessary processes and their interactions within the ISMS. Essentially the ISMS must include the processes underpinning the ISMS, not just the ones specifically called out in the Standard.

  • Clause 6.2 Information Security Objectives and Planning to Achieve Them:
    Now includes additional guidance on the information security objectives. This gives more clarity about how objectives should be monitored regularly and formally documented.

  • Clause 6.3 Planning of Changes:
    This clause was added to set a standard around planning for changes. It states that if changes are needed to the ISMS, they shall be adequately planned and reviewed before implementation.

  • Clause 8.1 Operational Planning and Control:
    It has additional guidance for operational planning and control. The ISMS now needs to establish criteria for actions identified in Clause 6 and control those actions in accordance with the criteria.

Additional minor changes include:

  • Clause 5.3 Organizational Roles, Responsibilities, and Authorities:
    A minor update to the language clarified that roles relevant to information security are to be communicated within the organization.

  • Clause 7.4 Communication:
    Subclauses a-c remain the same, but subclauses d (who should communicate) and e (the process by which communication should be effected) have been simplified and combined into a newly renamed subclause d (how to communicate).

  • Clause 9.2 Internal Audit:
    This clause was changed, but not materially. It essentially just combined what already existed between Clause 9.2.1 and 9.2.2 into one section.

  • Clause 9.3 Management Review:
    A new item was added to clarify that the organization’s management review shall include consideration of any changes to the needs and expectations of interested parties.

  • Clause 10 Improvement:
    Structural changes to this clause now list Continual Improvement (10.1) first, and Nonconformity and Corrective Action (10.2) second.

In ISO 27001:2022 structural changes were made to the Annex A controls. Control groups have been reorganized and the overall number of controls has decreased. At a high level:

  • 11 new controls were introduced
  • 57 controls were merged
  • 23 controls were renamed
  • 3 controls were removed

In ISO 27001:2013, controls were organized into 14 different domains. In the new update, controls are placed into the following four themes instead:

  • People controls (8 controls)
  • Organizational controls (37 controls)
  • Technological controls (34 controls)
  • Physical controls (14 controls)

The nomenclature change promotes a better understanding of how Annex A controls help secure information. The previous domain names were written for IT professionals — rather than management. Companies will need to update their Statement of Applicability to match this new structure, as they look to achieve certification under ISO 27001:2022.

Additional attribute values were also added to better describe the Annex A controls and help categorize them, but these are only available in ISO 27002.

The largest change within Annex A is around the 11 new controls which were introduced. Organizations that are currently certified under ISO 27001:2013 will need to ensure proper processes are in place to meet these new requirements or will need to create new processes to incorporate these controls into their existing ISMS.

Notably, “threat intelligence” requires organizations to gather and analyze information about threats, so organizations can take action to mitigate risk. Companies certified under ISO 27001:2013 may not have this element in place. This is a relevant change and speaks to the idea that threats are ever evolving. Therefore, mitigating risk is a continuous process, not a “one-and-done” task.

Additional new controls within ISO 27001:2022 include:

  • A.5.7 Threat Intelligence:
    This control requires organizations to gather and analyze information about threats, so they can take action to mitigate risk.

  • A.5.23 Information Security for Use of Cloud Services:
    This control requires organizations to ensure that information security is addressed when using cloud services.

  • A.5.30 ICT Readiness for Business Continuity:
    This control requires organizations to ensure that information and communication technology can be recovered and used when disruptions occur.

  • A.7.4 Physical Security Monitoring:
    This control requires organizations to monitor sensitive physical areas (data centers, production facilities, etc.) to ensure only authorized people can access them — so the organization is aware in the event of a breach.

  • A.8.9 Configuration Management:
    This control requires an organization to manage the configuration of its technology to ensure it remains secure and to avoid unauthorized changes.

  • A.8.10 Information Deletion:
    This control requires the deletion of data when it’s no longer required to avoid leaks of sensitive information and to comply with privacy requirements.

  • A.8.11 Data Masking:
    This control requires organizations to use data masking in accordance with the organization’s access control policy to protect sensitive information.

  • A.8.12 Data Leakage Prevention:
    This control requires organizations to implement measures to prevent data leakage and disclosure of sensitive information from systems, networks, and other devices.

  • A.8.16 Monitoring Activities:
    This control requires organizations to monitor systems for unusual activities and implement appropriate incident response procedures.

  • A.8.23 Web Filtering:
    This control requires organizations to manage which websites users access to protect IT systems.

  • A.8.28 Secure Coding:
    This control requires secure coding principles to be established within an organization’s software development process to reduce security vulnerabilities.
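Control A.8.11 above says masking must follow the organization's access control policy. The Python below is an added example written for this page, not code from NRS Nepal or from the standard: it encodes a constructed role-to-field policy, masks every field a role may not see while keeping enough structure (last four card digits, mail domain) for the record to remain usable, denies unknown roles by default, and ends with the check a reviewer would run to confirm no disallowed value survived in clear. The role names, field names, policy and sample records are all assumptions.

```python
"""Role-based data masking in the spirit of Annex A control A.8.11.

Added example (not from the original post). The policy, roles, record
layout and sample records below are constructed for illustration.
"""
import re
from typing import Dict, List

# Constructed access-control policy: fields each role may see in clear.
# Anything not listed for a role is masked before the record leaves the system.
ACCESS_POLICY: Dict[str, frozenset] = {
    "finance": frozenset({"customer_id", "card_number", "email"}),
    "support": frozenset({"customer_id", "email"}),
    "analyst": frozenset({"customer_id"}),
}

# Constructed sample records (no real customers).
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"customer_id": "C-1001", "full_name": "Asha Rai",
     "email": "asha.rai@example.com", "card_number": "4111 1111 1111 1111"},
    {"customer_id": "C-1002", "full_name": "Bikash Lama",
     "email": "bikash@example.org", "card_number": "5500000000000004"},
]


def mask_card(value: str) -> str:
    """Hide all but the last four digits; spaces and dashes are dropped."""
    digits = re.sub(r"\D", "", value)
    if len(digits) < 4:
        return "*" * len(value)
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_email(value: str) -> str:
    """Keep the first character and the domain so the record stays recognisable."""
    local, sep, domain = value.partition("@")
    if not sep or not local:
        return mask_generic(value)
    return local[0] + "*" * max(len(local) - 1, 1) + "@" + domain


def mask_generic(value: str) -> str:
    """Fallback for fields with no format-specific rule: full masking."""
    return "*" * len(value)


# Field-specific rules; anything else falls back to mask_generic.
MASKERS = {"card_number": mask_card, "email": mask_email}


def mask_record(record: Dict[str, str], role: str) -> Dict[str, str]:
    """Return a copy of `record` with every field the role may not see masked.

    Unknown roles get an empty allow-list, so the default is to mask everything.
    """
    allowed = ACCESS_POLICY.get(role, frozenset())
    masked = {}
    for field, value in record.items():
        if field in allowed:
            masked[field] = value
        else:
            masked[field] = MASKERS.get(field, mask_generic)(value)
    return masked


def mask_records(records: List[Dict[str, str]], role: str) -> List[Dict[str, str]]:
    return [mask_record(r, role) for r in records]


def leaks_clear_text(masked: List[Dict[str, str]],
                     original: List[Dict[str, str]], role: str) -> List[str]:
    """Verification step: list fields where a value the role is not allowed
    to see survived unmasked. An empty list means the policy was applied."""
    allowed = ACCESS_POLICY.get(role, frozenset())
    leaked = []
    for m, o in zip(masked, original):
        for field, value in o.items():
            if field not in allowed and value and m[field] == value:
                leaked.append(field)
    return leaked


if __name__ == "__main__":
    for role in ("finance", "support", "analyst", "contractor"):
        out = mask_records(SAMPLE_RECORDS, role)
        print(role, out[0], "leaks:", leaks_clear_text(out, SAMPLE_RECORDS, role))
```

The masking functions are deliberately format-preserving rather than hashing or tokenising; that keeps support workflows usable (an agent can confirm the last four card digits) while the verification step documents, per role, that the policy was actually enforced.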

In General:

  • The main part of ISO 27001, i.e., clauses 4 to 10, has changed only slightly.
  • The changes in Annex A security controls are moderate.
  • The number of controls has decreased from 114 to 93.
  • The controls are placed into four sections instead of the previous 14.
  • There are 11 new controls, while none of the controls have been removed.

Implementing ISO 27001:2022 can benefit your organization in a variety of ways, including greater consumer trust, improved business continuity and risk control, enhanced compliance with legal and regulatory requirements, and improved alignment with industry best practices.

Nepal Realistic Solution specializes in assisting businesses with the implementation and maintenance of ISO 27001:2022. From gap analysis and risk assessment to creating policies and training, our expert consultants will guide you through the entire process. We customize our services to your business's specific needs and goals, ensuring an effortless and efficient implementation.

Contact us today to learn more about how ISO 27001:2022 can benefit your organization and how we can assist you in achieving compliance. Our team is ready to answer your questions and provide you with a tailored solution that meets the specific demands and challenges of your business.
