ISO/IEC 27001 - What are the main changes in 2022?

The most recent edition of ISO/IEC 27001:2022 was released on October, 2022. Some of the main new updates of ISO/IEC 27001:2022 include a major change of Annex A, minor updates of the clauses, and a change in the title of the standard.

Also, the latest version of ISO/IEC 27002 was published at the beginning of 2022, and its latest changes have also impacted ISO/IEC 27001.

The new changes of ISO/IEC 27001:2022

As the world is facing new evolving security challenges, the internationally recognized standard ISO/IEC 27001, which aims to protect the confidentiality, availability, and integrity of organizations’ information assets has been updated and its new more relevant, and up-to-date edition has been published.

Different from ISO/IEC 27001:2013, the new version’s complete title is ISO/IEC 27001:2022 Information Security, Cybersecurity and Privacy Protection.

The part that has gone under the most significant changes is Annex A of ISO/IEC 27001 which is aligned with the ISO/IEC 27002:2022 updates, published earlier this year.

As for other parts, clauses 4 to 10 have undergone several minor changes, especially in clauses 4.2, 6.2, 6.3, and 8.1 where additional new content has been added. Other updates include minor changes in the terminology and restructuring of sentences and clauses. However, the title and order of these clauses remain the same:

Clause 4 Context of the organization

Clause 5 Leadership

Clause 6 Planning

Clause 7 Support

Clause 8 Operation

Clause 9 Performance evaluation

Clause 10 Improvement

What are the main control changes in Annex A?

Annex A of ISO/IEC 27001:2022 contains changes in both, the number of controls, and their listing in groups. The title of this Annex has also changed from Reference control objectives and controls to Information security controls reference. Therefore, the reference objectives of each control group that were present in the previous version of the standard, now have been removed.

The number of Annex A controls has decreased from 114 to 93. The decrease in the number of controls has mostly come from merging many of them. 35 controls have remained the same, 23 controls were renamed, 57 controls were merged into 24 controls, and one control has been divided into two. The 93 controls have been restructured to four control groups or sections.

The new control groups of ISO/IEC 27001:2022 are:

1. A.5 Organizational controls -  contains 37 controls
2. A.6 People controls - contains 8 controls
3. A.7 Physical controls - contains 14 controls
4. A.8 Technological controls - contains 34 controls

ISO/IEC 27001:2022 has also added the below-mentioned 11 new controls to its Annex A:

1. Threat intelligence
2. Information security for the use of cloud services
3. ICT readiness for business continuity
4. Physical security monitoring
5. Configuration management
6. Information deletion
7. Data masking
8. Data leakage prevention
9. Monitoring activities
10. Web filtering
11. Secure coding

Will ISO/IEC 27001:2022 changes affect my current ISO/IEC 27001 certificate?

The new changes in ISO/IEC 27001:2022 will not affect the current ISO/IEC 27001 certificate. For those who are interested to get certified against it, PECB has published the new ISO/IEC 27001 Transition training course and the updated ISO/IEC 27001 Lead Auditor and Lead Implementer training courses.

ISO/IEC 27001 and ISO/IEC 27002

ISO/IEC 27001 and ISO/IEC 27002 are both related to IT security and information security management system, hence they seem to be quite similar. However, they are not the same.

ISO/IEC 27001 is an information security management system standard that provides a list of compliance requirements against which organizations and professionals can be certified. It helps organizations establish, implement, maintain, and improve an information security management system (ISMS).

This standard exists as of the early ‘90s, first under the name of ISO/IEC 17799. In 2005, the standard was revised and published with a new name ISO/IEC 27001. To keep up with the developments in technology and be more relevant to the latest security threats, ISO/IEC 27001 was revised in 2013 and a new version was published. In 2019, the standard experienced another revision, but the same version remained current, until now.

Another standard, also part of the ISO/IEC 27000 ISMS family of standards, closely related to ISO/IEC 27001, is ISO/IEC 27002. This standard is used to tailor information security management systems to the specific context of organizations by providing guidelines for selecting and implementing proper information security controls listed in Annex A of ISO/IEC 27001. Furthermore, ISO/IEC 27002 offers much more detailed and thorough information regarding these controls.

Considering that ISO/IEC 27002 is a supporting standard containing guidance and not requirements, organizations cannot be certified against it, only professionals can.

What can PECB do to help?

PECB training courses on ISO/IEC 27001 and ISO/IEC 27002 enable aspiring professionals to gain the expertise, skills, and competencies needed to help organizations ensure information security, cybersecurity, and privacy protection. Using both a theoretical and practical approach to qualitative education, professionals can learn a lot about these two standards and will obtain the necessary expertise to support an organization in planning, implementing, and managing an information security management system and its controls.

About the author

Vlerë Hyseni is the Digital Content Officer at PECB. She is in charge of doing research, creating, and developing digital content for a variety of industries. If you have any questions, please do not hesitate to contact her: content@pecb.com