ISO 27001:2013 vs ISO 27001:2022: What Has Been Changed?

The world’s leading information security standard, ISO/IEC 27001, was updated on October 25, 2022. While the update doesn’t bring any major changes, it’s essential to study the changes closely.


This article explores the key updates in the ISO 27001:2022 standard and how it differs from ISO 27001:2013. But first, let’s discuss why the update took place.


Why Was There a Need to Update ISO 27001:2013?


Cyberattacks on businesses have become more targeted, frequent, and complex. Statista states cybercrime is expected to increase rapidly in the coming years. The need to address cybersecurity challenges and mitigate rapidly evolving cyber threats while improving digital presence demands updated standards and frameworks for information security management that help organizations secure their information assets.


Organizations need to enhance their cyber resilience and implement threat mitigation efforts. The updated version of ISO/IEC 27001 has been released to address the growing and evolving security challenges the world faces today. This version has been updated to better align with the current security landscape. 


ISO/IEC 27001 has been updated to benefit organizations in the following ways:


  • Protect all types of information, including electronic, cloud-based, and physical documents.
  • Enhance defense against cyber threats.
  • Implement a centralized system for securing all information.
  • Guarantee comprehensive protection for the entire organization, including against technological hazards and other potential risks.
  • Adapt to changing security concerns.
  • Lower expenses by eliminating unnecessary security technology.
  • Maintain the accuracy, privacy, and accessibility of data.


What Has Been Changed in ISO 27001:2022?


The update includes changes in the standard’s title, minor clause updates, and some significant changes in Annex A. Let’s explore what has been changed in these sections.


Title Update


The new version of ISO/IEC 27001 has been renamed “Information security, cybersecurity, and privacy protection – Information security management systems – Requirements,” which aligns with the title of ISO/IEC 27002:2022 (Information security, cybersecurity, and privacy protection – Information security controls).


Clause Updates


In addition to the title change, clauses 4 to 10 have undergone several minor modifications, particularly clauses 4.2, 6.2, 6.3, and 8.1, which have additional content. There are also minor adjustments in terminology and rephrasing of sentences and clauses. However, the titles and structure of these clauses remain unchanged:


  • Clause 4 Context of the organization
  • Clause 5 Leadership
  • Clause 6 Planning
  • Clause 7 Support
  • Clause 8 Operation
  • Clause 9 Performance evaluation
  • Clause 10 Improvement


New subclauses have also been added in ISO 27001:2022:


  • 6.3 Planning of changes
  • 9.2.1 General
  • 9.2.2 Internal audit program
  • 9.3.1 General
  • 9.3.2 Management review inputs
  • 9.3.3 Management review results


Changes in Annex A of ISO 27001:2022


Annex A of ISO/IEC 27001:2022 has seen changes in the number of controls and their grouping. The title of this Annex has also been changed from “Reference control objectives and controls” to “Information security controls reference.” As a result, the reference objectives of each control group present in the previous version of the standard have been removed.


The number of Annex A controls has been reduced from 114 to 93. The majority of this decrease has come from merging several controls. 35 controls have remained unchanged, 23 controls have been renamed, 57 controls have been consolidated into 24 controls, and one control has been split into two. The 93 controls have been reorganized into four control groups or sections.


The new control groups in ISO/IEC 27001:2022 are:


  • A.5 Organizational controls – 37 controls
  • A.6 People controls – 8 controls
  • A.7 Physical controls – 14 controls
  • A.8 Technological controls – 34 controls


The 11 new controls added in Annex A are:


  • A.5.7 Threat intelligence
  • A.5.23 Information security for the use of cloud services
  • A.5.30 ICT readiness for business continuity
  • A.7.4 Physical security monitoring
  • A.8.9 Configuration management
  • A.8.10 Information deletion
  • A.8.11 Data masking
  • A.8.12 Data leakage prevention
  • A.8.16 Monitoring activities
  • A.8.23 Web filtering
  • A.8.28 Secure coding


The revised Annex A of ISO/IEC 27001:2022 is designed to align with the information security controls outlined in ISO/IEC 27002:2022. This is the most notable change in the new edition of the standard. Additionally, changes have been made to clauses 4-10 to improve consistency with other management system standards; these changes are mostly editorial in nature.


How Can CyberArrow Help?


Transitioning to the updated version of ISO/IEC 27001:2022 will likely require effort for organizations already certified to the previous edition. These efforts may include updating internal policies to align with the new requirements, as well as reviewing and revising risk assessments and risk management plans based on the new Annex A controls.


A powerful GRC and compliance automation tool like CyberArrow GRC can help you in this regard. Our compliance automation tool helps you implement ISO 27001 without the need for physical audits. Visit our website to learn more about CyberArrow.




1. Will ISO/IEC 27001:2022 changes affect my current ISO/IEC 27001 certificate?


The updates to ISO/IEC 27001:2022 will not affect the validity of existing ISO/IEC 27001 certificates. Organizations already certified to the previous edition will not be required to recertify to the new edition at least until 2024.


2. Will I get audited on the new version of ISO 27001?


The industry is not yet ready to conduct official audits against the new version of the standard. It is unlikely that organizations will be audited against ISO/IEC 27001:2022 until the end of 2023. Organizations already certified to the previous version would not be required to recertify to the new version if they were assessed against the 2013 version before October 2022.


3. Can I still become certified to ISO 27001:2013?


Organizations that haven’t achieved ISO 27001 certification yet can implement the previous version and get certified before October 31, 2023. They would then have 2 years to adapt to the new version of the standard.

Amar Basic