Summary of key changes in ISO/IEC 27001:2022
ISO/IEC 27001:2022 was published on 25 October 2022.
2. Principal changes
ISO/IEC 27001:2022 is not a fully revised edition.
Its main changes are:
• Annex A now references the controls in ISO/IEC 27002:2022 and contains, for each control, the control title and the control itself;
• The notes to Clause 6.1.3 c) are revised editorially: the control objectives are deleted and “information security control” replaces “control”;
• The wording of Clause 6.1.3 d) is reorganized to remove a potential ambiguity.
Note 1: The first two items come from ISO/IEC 27001:2013/AMD1:2022; the last item comes from ISO/IEC 27001:2013/COR 2:2015.
Note 2: Compared with the old edition, the number of controls in ISO/IEC 27002:2022 decreases from 114 controls in 14 clauses to 93 controls in 4 clauses. Of the controls in ISO/IEC 27002:2022, 11 are new, 24 are merged from existing controls and 58 are updated. The control structure is also revised: each control now carries “attributes” and a “purpose”, and “objective” is no longer used for a group of controls.
Note 3: ISO/IEC 27001:2013/COR 1:2014 relates to Annex A and is covered by ISO/IEC 27001:2013/AMD1:2022.
The following table sets out, clause by clause, all of the changes between edition 2 of ISO/IEC 27001:2013 as originally published and ISO/IEC 27001:2022 as supplied to the ISO editorial team.
Clause 1 Scope
The three references to ‘International Standard’ appearing in ISO/IEC 27001:2013 have been replaced by ‘document’. Otherwise the wording is unchanged.

Clause 2 Normative references
The first sentence of this clause has been rewritten.
Was: ‘The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application.’
Now: ‘The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document.’
The remainder of the paragraph is unchanged.

Clause 3 Terms and definitions
New text has been added at the end of the existing Clause 3 as follows:
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
- ISO Online browsing platform: available at https://www.iso.org/obp
- IEC Electropedia: available at https://www.electropedia.org/
Clause 4 Context of the organization

4.1 Understanding the organization and its context
The note is changed to reflect the revised structure of the latest edition of ISO 31000.
Was: ‘Determining these issues refers to establishing the external and internal context of the organization considered in Clause 5.3 of ISO 31000:2009.’
Now: the reference is to Clause 5.4.1 of ISO 31000:2018.

4.2 Understanding the needs and expectations of interested parties
Existing bullet b) has been divided into two bullets, b) and c).
Was: b) the requirements of these interested parties relevant to information security;
Now: b) the relevant requirements of interested parties;
c) which of these requirements will be addressed through the information security management system.
In the note to 4.2, ‘may include legal and regulatory requirements’ becomes ‘can include legal and regulatory requirements’.

4.3 Determining the scope of the information security management system
No change.

4.4 Information security management system
Additional text, shown here in angle brackets, is included to reference the need for a process approach more explicitly:
‘The organization shall establish, implement, maintain and continually improve an information security management system, <including the processes needed and their interactions>, in accordance with the requirements of this document.’
Clause 5 Leadership

5.1 Leadership and commitment
Requirements unchanged; a new note is added:
NOTE – Reference to ‘business’ in this document can be interpreted broadly to mean those activities that are core to the purposes of the organization’s existence.

5.2 Policy
No changes other than the removal of ‘; and’ at the end of bullets c) and f).

5.3 Organizational roles, responsibilities and authorities
Paragraph 1: ‘assigned and communicated’ becomes ‘assigned and communicated within the organization’.
In bullet a), ‘this International Standard’ is replaced by ‘this document’.
In the note, ‘top management may also’ becomes ‘top management can also’.
Clause 6 Planning

6.1 Actions to address risks and opportunities

6.1.2 Information security risk assessment

6.1.3 Information security risk treatment
The note under bullet b) in the 2013 edition is unchanged but renamed NOTE 1.
The existing NOTE 1 under bullet c) in the 2013 edition is changed from:
‘Annex A contains a comprehensive list of control objectives and controls. Users of this International Standard are directed to Annex A to ensure that no necessary controls are overlooked.’
to:
‘NOTE 2 – Annex A contains a list of possible information security controls. Users of this document are directed to Annex A to ensure that no necessary information security controls are overlooked.’
The existing NOTE 2 under bullet c) in the 2013 edition is changed from:
‘Control objectives are implicitly included in the controls chosen. The control objectives and controls listed in Annex A are not exhaustive and additional control objectives and controls may be needed.’
to:
‘NOTE 3 – The information security controls listed in Annex A are not exhaustive and additional information security controls can be included if needed.’
Bullet d) ‘Statement of Applicability’ is amended.
Was: ‘Produce a Statement of Applicability that contains the necessary controls (see 6.1.3 b) and c)) and justification for inclusions, whether they are implemented or not, and the justification for exclusion of controls from Annex A.’
Now: ‘Produce a Statement of Applicability that contains:
- the necessary controls (see 6.1.3 b) and c));
- justification for their inclusion;
- whether the necessary controls are implemented or not; and
- the justification for excluding any of the Annex A controls.’
In NOTE 4, ‘this International Standard’ is replaced by ‘this document’.

6.2 Information security objectives and planning to achieve them
New bullet d) ‘be monitored;’ is added.
Existing bullet d) ‘be communicated; and’ becomes ‘e) be communicated;’.
Existing bullet e) ‘be updated as appropriate.’ becomes ‘f) be updated as appropriate;’.
New bullet g) ‘be available as documented information.’ is added.
The text of the 2013 bullets f) to j) is unchanged, but they become h) to l) because of the two new bullets inserted as set out above.

6.3 Planning of changes
This is a new subclause that does not appear in the 2013 edition. It states: ‘When the organization determines the need for changes to the information security management system, the changes shall be carried out in a planned manner.’
Clause 7 Support

7.2 Competence
In the NOTE, ‘applicable action may include’ becomes ‘applicable action can include’. No other changes.

7.4 Communication
Existing bullets ‘d) who shall communicate;’ and ‘e) the processes by which communication shall be effected’ are deleted and replaced by a new bullet d) ‘how to communicate’.

7.5 Documented information

7.5.1 General
In bullet a), ‘this International Standard’ is replaced by ‘this document’. The remainder is unchanged.

7.5.2 Creating and updating

7.5.3 Control of documented information
Opening sentence: ‘this International Standard’ is replaced by ‘this document’.
In the NOTE, ‘Access implies a decision’ becomes ‘Access can imply a decision’.
No other changes.
Clause 8 Operation

8.1 Operational planning and control
Reworded, but the original intent is maintained.
Was: ‘The organization shall plan, implement and control the processes needed to meet information security requirements, and to implement the actions determined in 6.1. The organization shall also implement plans to achieve information security objectives determined in 6.2.’
Now: ‘The organization shall plan, implement and control the processes needed to meet requirements, and to implement the actions determined in Clause 6, by:
- establishing specification for the processes;
- implementing control of the processes in accordance with the specification.’
Was: ‘The organization shall keep documented specification to the extent necessary to have confidence that the processes have been carried out as planned.’
Now: ‘Documented information shall be available to the extent necessary to have confidence that the processes have been carried out as planned.’
The text relating to control of planned changes is unchanged.
Was: ‘The organization shall ensure that outsourced processes are determined and controlled.’
Now: ‘The organization shall ensure that externally provided processes, products or services that are relevant to the information security management system are controlled.’
8.2 Information security risk assessment

8.3 Information security risk treatment

Clause 9 Performance evaluation

9.1 Monitoring, measurement, analysis and evaluation
The 2013 edition paragraph ‘The organization shall evaluate the information security performance and the effectiveness of the information security management system’ is relocated to the end of 9.1.
The 2013 edition note to bullet b), ‘The methods selected should produce comparable and reproducible results to be considered valid’, is deleted as a note and its text is appended as is to the end of bullet b), forming an enhanced requirement.
The 2013 edition statement ‘The organization shall retain appropriate documented information as evidence of the monitoring and measurement results’ is deleted and replaced by the new text ‘Documented information shall be available as evidence of the results.’

9.2 Internal audit
The 2022 edition divides the 2013 edition 9.2 requirements across two new subclauses, 9.2.1 General and 9.2.2 Internal audit programme.
The 2013 edition bullet a) (including a1) and a2)) and bullet b) move to the new 9.2.1. Apart from the wording of a2) changing from ‘this International Standard’ to ‘this document’, the text is identical in both editions.
The text of the 2013 edition bullet c) now forms the introduction to 9.2.2. The second sentence of the bullet is reworded from:
‘The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits’
to:
‘When establishing the internal audit programme(s), the organization shall consider the importance of the processes concerned and the results of previous audits’.
Beneath this, the text ‘The organization shall:’ is added and the 2013 bullets d) to f) are carried across as new bullets a) to c).
The 2013 edition bullet g) ‘retain documented information as evidence of the audit programme(s) and the audit results’ is deleted and replaced by a statement at the end of 9.2.2: ‘Documented information shall be available as evidence of the implementation of the audit programme(s) and the audit results.’

9.3 Management review
The 2013 edition clause 9.3 is subdivided in the 2022 edition into 9.3.1 General, 9.3.2 Management review inputs and 9.3.3 Management review outputs.

9.3.1 General
This subclause contains the unchanged text of the first paragraph of the 2013 edition clause 9.3.

9.3.2 Management review inputs
The bullet list of items that top management is required to review under the 2013 edition is migrated to 9.3.2 with no changes to the requirement text, with one new bullet inserted into the existing list: c) ‘changes in needs and expectations of interested parties that are relevant to the information security management system’.
As a result, the 2013 edition bullet c) becomes d), d) becomes e), e) becomes f) and f) becomes g).

9.3.3 Management review outputs
The text appearing after the bullet list in the 2013 edition is revised and moved into the new subclause 9.3.3.
Was: ‘The outputs of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system.
The organization shall retain documented information as evidence of the results of management reviews.’
Now: ‘The results of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system.
Documented information shall be available as evidence of the results of management reviews.’
Clause 10 Improvement
The 2013 edition subclauses 10.1 Nonconformity and corrective action and 10.2 Continual improvement have been reordered. In the 2022 edition, 10.1 is Continual improvement and 10.2 is Nonconformity and corrective action.
2013 – 10.1 Nonconformity and corrective action
The contents of the 2013 edition subclause 10.1 are carried across to the 2022 edition subclause 10.2 with no changes to the bulleted requirements a) to g). The only amendment is that ‘The organization shall retain documented information as evidence of’, which appears before bullet f), becomes ‘Documented information shall be available as evidence of’.
2013 – 10.2 Continual improvement
The text of the 2013 edition subclause 10.2 is carried across unchanged to become the 2022 edition subclause 10.1.
Annex A
This remains a normative annex but is renamed in the 2022 edition from ‘Reference control objectives and controls’ to ‘Information security controls reference’.
Control objectives are removed from the 2022 list of controls.
There have been extensive changes to the content of this annex, echoing the significant changes made in ISO/IEC 27002:2021.
The 14 categories of control (Information security policies; Organization of information security; Human resource security; Asset management; Access control; Cryptography; Physical and environmental security; Operations security; Communications security; System acquisition, development and maintenance; Supplier relationships; Information security incident management; Information security aspects of business continuity; and Compliance) have been replaced by four new ‘themes’: Organizational controls, People controls, Physical controls and Technological controls.
The control objectives associated with the 2013 edition’s 13 categories have all been deleted.
The third edition of ISO/IEC 27002 also:
- classifies each control as ‘corrective’, ‘preventive’ or ‘detective’;
- identifies whether the control seeks to support ‘confidentiality’, ‘integrity’ or ‘availability’, or a combination of these;
- states whether the control exists to ‘identify’, ‘protect’, ‘detect’, ‘respond’ or ‘recover’;
- states whether the control relates to Governance, Asset management, Information protection, Human resource security, Physical security, System and network security, Application security, Secure configuration, Identity and access management, Threat and vulnerability management, Continuity, Supplier relationships security, Legal and compliance, Information security event management or Information security assurance;
- states whether the control is linked to Governance and Ecosystem, Protection, Defence or Resilience.
The number of controls is reduced from 114 to 93. Some 2013 controls have been merged, some deleted and some carried across ‘as is’; collectively, these account for 82 of the 93 controls in the 2022 edition. To these, 11 brand new controls have been added:
- Threat intelligence
- Information security for use of cloud services
- ICT readiness for business continuity
- Physical security monitoring
- Configuration management
- Information deletion
- Data masking
- Data leakage prevention
- Monitoring activities
- Web filtering
- Secure coding
ISO/IEC 27002:2022 Annex B contains two useful tables mapping the 2022 controls to the 2013 controls and vice versa.

Bibliography
The bibliography has been updated to reflect the latest editions of the referenced standards. The list of referenced standards is, however, unchanged.
3. The impact on the organization
The impact of the changes in ISO/IEC 27001:2022 is limited to the introduction of the new Annex A because:
1) ISO/IEC 27001:2013/COR 2:2015 has already been published and implemented;
2) Annex A is normative.
The requirements in ISO/IEC 27001 that use the reference control set in Annex A are the comparison between the information security controls determined by the organization and those in Annex A (6.1.3 c)) and the production of a Statement of Applicability (6.1.3 d)). By comparing its necessary information security controls with those in Annex A, the organization can confirm that no necessary information security control from the Annex A reference set has been inadvertently omitted.
The comparison might not reveal any inadvertently omitted necessary information security control. If it does, however, the organization shall update its risk treatment plan to include the additional necessary information security controls and implement them.
As implied above, the impact of ISO/IEC 27001:2022 on organizations implementing an ISMS is insignificant.
4. The impact on individuals
Because the changes in ISO/IEC 27001:2022 are insignificant, there is no auditor conversion training course recognized or mandated by CQI / IRCA.
Certificated or registered professionals who have taken CQI / IRCA professional training, such as the lead auditor training course, should follow the CQI / IRCA continuing professional development (CPD) requirements to maintain their qualification. We offer the following services to support this.
CQI / IRCA offer the following training courses for ISO/IEC 27001:2022:
- FD134 ISMS ISO/IEC 27001:2022 Foundation, 7 hours
- PT220 ISMS ISO/IEC 27001:2022 Internal Auditor, 14 hours
- PR374 ISMS ISO/IEC 27001:2022 Auditor Conversion, 24 hours
- PR373 ISMS ISO/IEC 27001:2022 Lead Auditor, 40 hours (TKSG registered course ID: 2541)
Please contact us for more information or support: firstname.lastname@example.org