ISO 27001:2022 Updates Simplified: The Major Changes You Need to Know

Every day, the world of security, privacy, and compliance faces new and complex challenges. As the threat landscape evolves, so do the security frameworks designed to protect organizations from security incidents and malicious entities. 

Recently, ISO 27001 was updated along with its companion guidance standard ISO 27002. This updated version’s official title is ISO/IEC 27001:2022 Information Security, Cybersecurity, and Privacy Protection. 

Keeping up with the latest changes to compliance requirements can be difficult, which is why we make it part of our mission to notify customers of any industry or regulatory changes they need to know about. In this article, we’re explaining the changes made to ISO 27001 and ISO 27002 and what they mean for your compliance posture. 

What’s the difference between ISO 27001 and ISO 27002?

ISO 27001 is an internationally-respected information security framework. It outlines the requirements to establish, maintain, and continually improve an information security management system (ISMS). Organizations can pursue ISO 27001 certification by completing an external audit by an accredited ISO audit firm. 

On the other hand, ISO 27002 isn’t a standard that you can be certified on — it’s a companion to ISO 27001 that provides guidance and explains the purpose, design, and implementation of each control in greater detail. 

What changed with ISO 27001:2022?

The ISO 27001:2022 standard was officially published in October 2022. Overall, the updates in the ISMS Clauses 4-10 include minor wording and structural changes. 

For example, changes to Clause 6: Planning remove ambiguity and outdated language (i.e., control objectives). 

In terms of structural changes, Clause 9.2: Internal audit was split into 9.2.1: General and 9.2.2: Internal audit programme. However, the requirements remain the same. 

Similarly, Clause 9.3: Management review was split into three subsections — 9.3.1: General, 9.3.2: Management review inputs, and 9.3.3: Management review results.  The 2022 version also introduces a new Clause 6.3: Planning for Changes.

The major change that organizations need to be aware of is the official update to Annex A controls, reflected in the “Annex A” section within the new ISO 27001:2022 standard. This change marks a major update for the ISO 27001 standard. 

What changed with ISO 27002:2022?

ISO published changes to ISO 27002 back in February 2022. The major changes to ISO 27002 (and therefore ISO 27001) include consolidating and reorganizing the original 14 Annex A control domains into 4 categories: 

• Clause 5: Organizational Controls (37 controls)
• Clause 6: People Controls (8 controls)
• Clause 7: Physical Controls (14 controls)
• Clause 8: Technological Controls (34 controls)

As a result, the total number of controls was also reduced from the original 114 to 93. 58 controls remain mostly unchanged, with minor contextual updates. 57 controls were merged into 24 controls, and 11 controls are brand new (not found in ISO/IEC 27001:2013). 

The 11 new controls added to Annex A include:

1. Threat intelligence
2. Information security for the use of cloud services
3. ICT readiness for business continuity
4. Physical security monitoring
5. Configuration management
6. Information deletion
7. Data masking
8. Data leakage prevention
9. Monitoring activities
10. Web filtering
11. Secure coding

What do these changes mean for organizations that are already ISO 27001 certified? 

Organizations that are currently certified to ISO 27001:2013 will have three years to transition to ISO/IEC 27001:2022. The transition period starts on October 31, 2022 and ends on October 31, 2025. Certifications based on ISO 27001:2013 will expire or be withdrawn at the end of the transition period.

Transition audits can either be done at the same time as the next audit (e.g., Recertification audit and transition audit), or separately.

What do these changes mean for organizations that are pursuing ISO 27001 certification for the first time?

Organizations pursuing ISO 27001 for the first time (both Stage 1 and Stage 2 audits) can still be certified on the 27001:2013 version until October 2023. Transition audits can either be done at the same time as your next audit (e.g., surveillance audit and transition audit), or separately. 

How Secureframe simplifies ISO 27001 compliance

Whether you’re pursuing ISO 27001 compliance for the first time or just need an easier way to maintain certification, Secureframe can help. We’ll work with you to design an ISMS that aligns with ISO 27001 standards and your organization’s needs, help you get audit ready fast, and monitor your tech stack to ensure continuous compliance. 

To learn more, schedule a demo of Secureframe today.