ISO 27001:2022 and ISO 27002:2022: What Were The Updates & How to Comply
In 2022, ISO 27001 was updated along with its companion guidance standard ISO 27002. Starting April 2024, organizations pursuing ISO 27001 for the first time must be certified on the 2022 version. Organizations who are already certified must transition to this latest version by October 31, 2025.
To ensure a smooth compliance journey or transition period, you must understand the changes to ISO 27001 requirements and the Annex A controls in ISO 27002. We’ll cover these major updates below.
What changed with ISO 27001:2022?
Below are the key changes found in the latest version of ISO 27001.
Editorial updates in ISMS Clauses 4-10
Overall, the updates in the ISMS Clauses 4-10 include minor wording and structural changes.
For example, changes to Clause 6: Planning remove ambiguity and outdated language (i.e., control objectives). Clause 4.4, an existing requirement to establish, implement, maintain, and continually improve your ISMS, now includes the phrase “including the processes needed and their interactions.”
In terms of structural changes, Clause 9.2: Internal audit was split into 9.2.1: General and 9.2.2: Internal audit programme. However, the requirements remain the same.
Similarly, Clause 9.3: Management review was split into three subsections — 9.3.1: General, 9.3.2: Management review inputs, and 9.3.3: Management review results.
Introduced Clause 6.3
The 2022 version also introduced a new subclause. Clause 6.3: Planning for Changes requires that any change to the ISMS be carried out in a planned manner. The goal of this subclause is to ensure organizations consider the purpose of any change to their ISMS, potential consequences, impact on the ISMS, resource availability, and allocation or reallocation of responsibilities and authorities, among other factors.
Updated Annex A controls
The major change in ISO 27001:2022 that organizations need to be aware of is the official update to Annex A controls. This will be discussed in the section below.
What changed with ISO 27002:2022?
Below are the key changes found in the latest version of ISO 27002.
Reduced number of controls
The major change to ISO 27002 (and therefore ISO 27001) is that the total number of Annex A controls was reduced from 114 to 93. However, none of the previous controls were removed. 57 were simply merged into 24 controls. 11 controls were added. 1 was split. The remaining 58 controls are mostly unchanged, with minor contextual updates.
11 new controls
Some controls are brand new in the 2022 version, meaning they are not found in ISO/IEC 27001:2013.
The 11 new controls added to Annex A include:
| A.5.7 | Threat intelligence |
| A.5.23 | Information security for use of cloud services |
| A.5.30 | ICT readiness for business continuity |
| A.7.4 | Physical security monitoring |
| A.8.9 | Configuration management |
| A.8.10 | Information deletion |
| A.8.11 | Data masking |
| A.8.12 | Data leakage prevention |
| A.8.16 | Monitoring activities |
| A.8.23 | Web filtering |
| A.8.28 | Secure coding |
Reduced Annex A control domains
In the previous version, Annex A controls were divided into 14 domains. In the 2022 version, these were consolidated and reorganized into 4 clauses referred to as themes. These are:
- Clause 5: Organizational Controls (37 controls)
- Clause 6: People Controls (8 controls)
- Clause 7: Physical Controls (14 controls)
- Clause 8: Technological Controls (34 controls)
Introduced attributes
ISO 27002 introduced a simpler taxonomy for ISO 27001 controls. However, the four categories mentioned above are such broad descriptors that it can be challenging to know how you are using the controls in each category and if you need to implement every one.
To address this challenge, ISO 27002:2022 also introduced associated attributes. These offer different lenses to view controls so that you’re able to better understand which you need to implement and how you’re using them throughout your risk assessment and treatment process.
ISO 27002:2022 defines the following five attributes that are meant to be generic enough to be used by any organization. These attributes are also customizable so you can use your own.
1. Control types
When and how does the control impact the risk outcome during an information security incident?
Possible attribute values are
- Preventive: control acts before a threat occurs
- Detective: control acts when a threat occurs
- Corrective: control acts after a threat occurs
2. Information security properties
Which characteristic of information will the control help preserve?
Possible attribute values are:
- Confidentiality
- Integrity
- Availability
3. Cybersecurity properties
What cybersecurity concept defined in the framework described in ISO/IEC TS 27110 is associated with the control?
Possible attribute values are:
- Identify
- Protect
- Detect
- Respond
- Recover
4. Operational capabilities
What operational capabilities is the control associated with? Or, which department should be assigned this control or risk?
Possible attribute values include but are not limited to:
- Application security
- Asset management
- Governance
- Information protection
- Human resource security
- Identity and access management
- Information security event management
- Physical security
- Secure configuration
5. Security domains
What security field, expertise, service, and/or product is the control associated with?
Possible attribute values are:
- Governance and ecosystem
- Protection
- Defence
- Resilience
What do these changes mean for organizations that are already ISO 27001 certified?
Organizations that are currently certified to ISO 27001:2013 will have three years to transition to ISO/IEC 27001:2022. The transition period starts on October 31, 2022 and ends on October 31, 2025. Certifications based on ISO 27001:2013 will expire or be withdrawn at the end of the transition period.
Transition audits can either be done at the same time as the next audit (e.g., Recertification audit and transition audit), or separately.
What do these changes mean for organizations that are pursuing ISO 27001 certification for the first time?
Organizations pursuing ISO 27001 for the first time (both Stage 1 and Stage 2 audits) can still be certified on the 27001:2013 version until April 2024. Transition audits can either be done at the same time as your next audit (e.g., surveillance audit and transition audit), or separately.
FAQs
How many controls are in ISO 27001:2022?
There are 93 controls in ISO 27001:2022. These are outlined in a section called Annex A. ISO 27002:2022 expands on this Annex A overview.
When did ISO publish changes to ISO 27001 and ISO 27002?
ISO published changes to ISO 27001 in October 2022 and ISO 27002 back in February 2022.
What’s the official title of ISO 27001:2022?
This official title is ISO/IEC 27001:2022 Information Security, Cybersecurity, and Privacy Protection.
What’s the difference between ISO 27001 and ISO 27002?
ISO 27001 is an internationally-respected information security framework. It outlines the requirements to establish, maintain, and continually improve an information security management system (ISMS). Organizations can pursue ISO 27001 certification by completing an external audit by an accredited ISO audit firm.
On the other hand, ISO 27002 isn’t a standard that you can be certified on — it’s a companion to ISO 27001 that provides guidance and explains the purpose, design, and implementation of each control in greater detail.
Recommended Reading
ISO 27001 vs 27002: What’s the Difference?
How Secureframe simplifies ISO 27001 compliance
Whether you’re pursuing ISO 27001 compliance for the first time or just need an easier way to maintain certification, Secureframe can help. We’ll work with you to design an ISMS that aligns with ISO 27001 standards and your organization’s needs, help you get audit ready fast, and monitor your tech stack to ensure continuous compliance.
To learn more, schedule a demo of Secureframe today.