What Are the Key Differences Between ISO 27001:2013 and ISO 27001:2022?

    Phuong Linh


    August 6, 2025 • 15 min read

    Overview

    ISO 27001 is the international standard for Information Security Management Systems (ISMS), providing a comprehensive framework to protect your organization's sensitive information. It guides you through creating, implementing, maintaining, and continuously improving an ISMS, all while managing information security risks tailored to your specific needs.

    Yet information security threats, technology, and regulations keep changing, so the standard is revised periodically; the latest revision was published in 2022. While the 2013 version laid a solid foundation for information security best practice, the 2022 update builds on the same principles with revised clauses and a reorganized, partly new set of Annex A controls.

    This guide breaks down the key differences between ISO 27001:2013 and the 2022 version. Whether you are just starting your compliance journey or catching up on the latest changes to keep an existing ISMS current, the comparison below covers what changed and what you need to do about it.

    Key Differences: ISO 27001:2013 vs. ISO 27001:2022

    The 2022 update brings a more streamlined approach to information security, and emphasizes a more proactive and adaptable ISMS. Let's start with the changes to the clauses.

    Changes in Clauses (4-10)

    The core clauses (4-10) of ISO 27001:2022 largely maintain their structure from the 2013 version, but some key adjustments have been made to enhance clarity and provide more detailed guidance. These changes often revolve around planning, defining process criteria, and monitoring standards.

    Here's a breakdown of the notable changes in each clause:

    Clause 4: Context of the Organization

    • 4.2 Understanding the Needs and Expectations of Interested Parties:
      • 2013: This version didn't explicitly require an analysis of interested parties' requirements to be addressed through the ISMS.
      • 2022: A new item (c) was introduced, explicitly mandating an analysis to determine which requirements from interested parties' needs and expectations need to be managed through the ISMS. This means you need to clearly identify which stakeholder requirements directly impact your information security.
    • 4.4 Information Security Management System:
      • 2013: The language was less specific regarding the identification of necessary processes within the ISMS.
      • 2022: A new phrase was added requiring organizations to identify relevant processes and their interactions within the ISMS. This emphasizes a more comprehensive approach, ensuring that all processes supporting the ISMS are recognized and managed.

    Clause 5: Leadership

    • 5.3 Organizational Roles, Responsibilities, and Authorities:
      • 2013: Contained general instructions on communicating roles related to information security.
      • 2022: A minor phrase was updated to clarify the communication of roles relevant to information security within the organization. This reinforces the importance of clear internal communication regarding security roles.

    Clause 6: Planning

    • 6.2 Information Security Objectives and Planning to Achieve Them:
      • 2013: Provided general guidance on setting information security objectives.
      • 2022: Two items were added to the list of requirements for information security objectives: item (d), objectives shall be monitored, and item (g), objectives shall be available as documented information. Together they make explicit that you must track progress against each objective and keep a record of it, not just set and communicate objectives.
    • 6.3 Planning of Changes:
      • 2013: This sub-clause did not exist.
      • 2022: This sub-clause was added, setting a standard for planning changes to the ISMS. This ensures that any modifications to your information security management system are controlled and well-thought-out, preventing unintended security gaps.

    Clause 7: Support

    • 7.4 Communication:
      • 2013: Included detailed instructions for communication (items a-c), with separate points (d and e) for who should communicate and how.
      • 2022: Items a-c remain the same, but the standard simplified and combined items related to communication (previously d and e) into a new item (d). The focus is now streamlined, emphasizing how to communicate information security matters.

    Clause 8: Operation

    • 8.1 Operational Planning and Control:
      • 2013: Offered basic guidance on operational planning and control.
      • 2022: New guidance was added to establish criteria for operational actions identified in Clause 6 and control those actions according to the criteria. This means organizations need to define clear benchmarks for their operational security activities and ensure adherence to them.

    Clause 9: Performance Evaluation

    • 9.2 Internal Audit:
      • 2013: Internal audit was a single clause (9.2) listing the audit requirements in one block.
      • 2022: The clause was split into two sub-clauses, 9.2.1 General and 9.2.2 Internal audit programme, without materially changing the content. This is a structural change for readability; the requirements for planning, conducting and reporting internal audits are the same.
    • 9.3 Management Review:
      • 2013: No explicit mention of considering changes to the needs and expectations of interested parties.
      • 2022: A new item (9.3.2 c) was added, requiring the management review to consider changes to interested parties' needs and expectations. This ensures that the ISMS remains relevant to stakeholder requirements.

    Clause 10: Improvement

    • 10 Improvement:
      • 2013: The sub-clauses were ordered 10.1 Nonconformity and Corrective Action, then 10.2 Continual Improvement.
      • 2022: The order was swapped, so Continual Improvement is now 10.1 and Nonconformity and Corrective Action is 10.2. The requirements are unchanged; the reordering signals that improvement is expected to be an ongoing, proactive activity rather than only a reaction to nonconformities. Note the renumbering when updating cross-references in your ISMS documentation.

    Updates to the Structure of Annex A Controls

    The most significant changes in ISO 27001:2022 are found in Annex A. This update modernizes and simplifies the information security control framework, aligning it with current risks and technologies. The title of this annex has also been updated from "Reference control objectives and controls" to "Information security controls reference."

    Control Domains/Themes

    • ISO 27001:2013: Controls were organized into 14 domains.
    • ISO 27001:2022: Controls are now grouped into 4 categories (themes), making them more intuitive:
      • A.5 Organizational controls (37 controls)
      • A.6 People controls (8 controls)
      • A.7 Physical controls (14 controls)
      • A.8 Technological controls (34 controls)

    This new categorization provides a more logical way to manage and implement controls across different aspects of an organization's security.

    Total Number of Controls

    • ISO 27001:2013: Featured 114 controls.
    • ISO 27001:2022: Features 93 controls. The net reduction comes from merging closely related 2013 controls into fewer, broader ones; it is a net figure, because 11 new controls were added at the same time.

    New, Merged, Renamed, and Removed Controls

    The 93 controls in the 2022 version are a result of several strategic changes:

    • 11 New Controls: Additions that address threats and technologies not covered explicitly in 2013 (threat intelligence, cloud services, configuration management, data masking, and so on; the full list is below).
    • 57 Controls Merged: Redundant or closely related 2013 controls were consolidated: 57 controls from ISO 27001:2013 became 24 controls in ISO 27001:2022. A merged 2022 control is only fully satisfied when every 2013 control it absorbed is addressed, so check each source control during your gap assessment.
    • 23 Controls Renamed: Existing controls kept their intent but were given clearer or more current names.
    • 3 Controls Removed: Controls judged redundant or adequately covered elsewhere were dropped.

    Reorganization of Controls (Examples)

    Let's look at how some of the old domains map to the new categories and highlight where controls have been merged or renamed.

    From 14 Domains (2013) to 4 Categories (2022):

    Old Domain (ISO 27001:2013) | New Category (ISO 27001:2022) | Example Control Change
    --- | --- | ---
    Information security policies | A.5 Organizational controls | A.5.1 Policies for information security (merged from A.5.1.1 & A.5.1.2)
    Organization of information security | A.5 Organizational controls | A.5.2 Information security roles and responsibilities (formerly A.6.1.1)
    Human resource security | A.6 People controls | A.6.1 Screening (formerly A.7.1.1)
    Asset management | A.5 Organizational controls | A.5.9 Inventory of information and other associated assets (merged from A.8.1.1 & A.8.1.2)
    Access control | A.5 Organizational controls & A.8 Technological controls | A.5.15 Access control (merged from A.9.1.1 & A.9.1.2)
    Cryptography | A.8 Technological controls | A.8.24 Use of cryptography (merged from A.10.1.1 & A.10.1.2)
    Physical and environmental security | A.7 Physical controls | A.7.1 Physical security perimeters (formerly A.11.1.1)
    Operations security | A.5 Organizational controls & A.8 Technological controls | A.8.32 Change management (merged from A.12.1.2, A.14.2.2, A.14.2.3, A.14.2.4)
    Communications security | A.8 Technological controls | A.8.20 Networks security (formerly A.13.1.1)
    System acquisition, development, and maintenance | A.8 Technological controls | A.8.26 Application security requirements (merged from A.14.1.2 & A.14.1.3)
    Supplier relationships | A.5 Organizational controls | A.5.19 Information security in supplier relationships (formerly A.15.1.1)
    Information security incident management | A.5 Organizational controls & A.6 People controls | A.5.24 Information security incident management planning and preparation (formerly A.16.1.1)
    Information security aspects of business continuity management | A.5 Organizational controls & A.8 Technological controls | A.5.29 Information security during disruption (merged from A.17.1.1, A.17.1.2, A.17.1.3)
    Compliance | A.5 Organizational controls | A.5.31 Legal, statutory, regulatory, and contractual requirements (merged from A.18.1.1 & A.18.1.5)

    The 11 New Controls in ISO 27001:2022 Annex A

    The introduction of 11 new controls is a significant update, reflecting evolving information security threats and technological advancements. Organizations currently certified under ISO 27001:2013 will need to assess their existing ISMS and implement processes to meet these new requirements.

    Here are the 11 new controls, explained:

    1. A.5.7 Threat Intelligence:
      • What it means: This control requires organizations to collect and analyze threat-related information to proactively manage and reduce risks.
      • Why it's important: Understanding potential threats is crucial for effective risk mitigation. This control encourages a proactive stance against cyberattacks.
    2. A.5.23 Information Security for Use of Cloud Services:
      • What it means: This control highlights the importance of securing cloud-based environments, mandating organizations to define security standards for cloud services, including specific processes and procedures tailored for cloud usage.
      • Why it's important: This control ensures that cloud security is explicitly addressed within the ISMS.
    3. A.5.30 ICT Readiness for Business Continuity:
      • What it means: This control requires organizations to plan, implement, maintain and test the resilience and recoverability of their information and communication technology (ICT) so that it can meet business continuity objectives when a disruption occurs.
      • Why it's important: It emphasizes the critical role of ICT in business continuity, ensuring that systems and data can quickly recover after an incident.
    4. A.7.4 Physical Security Monitoring:
      • What it means: This control mandates the surveillance of critical physical locations like data centers and production sites to ensure access is restricted to authorized personnel, enhancing breach awareness.
      • Why it's important: This control ensures constant monitoring of sensitive physical areas.
    5. A.8.9 Configuration Management:
      • What it means: This control obliges organizations to oversee the configuration of their technological assets to safeguard against unauthorized modifications and maintain security.
      • Why it's important: Misconfigurations are a common source of security vulnerabilities. This control promotes a systematic approach to managing system configurations.
    6. A.8.10 Information Deletion:
      • What it means: This control involves systematically deleting obsolete data to prevent unauthorized disclosure and comply with data privacy regulations.
      • Why it's important: This control ensures that data is disposed of securely when no longer needed.
    7. A.8.11 Data Masking:
      • What it means: This control directs organizations to obscure sensitive data, aligning with access control policies to shield confidential information from unauthorized viewers.
      • Why it's important: Data masking is an effective technique to protect sensitive information while still allowing for testing, development, or analysis in non-production environments.
    8. A.8.12 Data Leakage Prevention:
      • What it means: This control requires implementing security measures to avert unauthorized exposure and leakage of sensitive data across systems, networks, and devices.
      • Why it's important: This control focuses on proactive measures to prevent sensitive information from leaving controlled environments.
    9. A.8.16 Monitoring Activities:
      • What it means: This control requires networks, systems and applications to be monitored for anomalous behaviour, with appropriate actions taken to evaluate whether an anomaly is a security incident.
      • Why it's important: Continuous monitoring is vital for detecting and responding to security incidents in a timely manner.
    10. A.8.23 Web Filtering:
      • What it means: This control mandates the regulation of internet access within an organization to protect against digital threats and ensure the security of IT infrastructures.
      • Why it's important: Web filtering helps prevent access to malicious websites, reducing the risk of malware infections and other cyber threats.
    11. A.8.28 Secure Coding:
      • What it means: This control mandates the incorporation of secure coding practices throughout the software development lifecycle to reduce vulnerabilities and improve the security of applications.
      • Why it's important: Secure coding is essential for building robust and secure applications from the ground up, minimizing the introduction of vulnerabilities during development.

    Transitioning to ISO 27001:2022

    If your organization is currently certified under ISO 27001:2013, it's crucial to understand the transition timeline. The transition period ends on October 31, 2025: after that date, certificates issued against ISO 27001:2013 are no longer valid. To maintain your certification, you need to complete the transition audit before this deadline.

    Here are the recommended steps to prepare for and complete your transition:

    1. Conduct a Gap Assessment: Map your existing controls to the newly revised standard. This assessment will help you identify the specific changes your company needs to make to achieve certification under the 2022 version.
    2. Implement New Controls and Update Processes: Once the gap assessment is complete, implement the new controls introduced in ISO 27001:2022 and update existing processes to align with the revised clauses. This might involve developing new policies, procedures, and technical configurations. Remember that a merged 2022 control is only covered when every 2013 control it absorbed is in place.
    3. Conduct a Transition Audit: To update your current certification, a transition audit is mandatory. This audit will verify that your ISMS meets the requirements of ISO 27001:2022.
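The gap assessment in step 1 is essentially a mapping exercise: take the 2013 controls you already implement, translate them into the 2022 numbering, and see what is fully covered, what is only partly covered because a merged control absorbed several 2013 controls, and what is brand new. The script below is an added example, not code from this article or from Smartly. Its mapping table is only the subset of correspondences shown in the example table above (a real assessment needs the full correspondence table from ISO/IEC 27002:2022 Annex B), and it assumes, as a design choice, that a merged 2022 control counts as "covered" only when every 2013 control it absorbed was implemented.

```python
"""Map implemented ISO 27001:2013 Annex A controls onto the 2022 control set.

Added example for this article, not vendor code. The mapping is a SUBSET taken
from the example rows in the article; extend it with the full correspondence
table before using it for a real gap assessment.
"""
from __future__ import annotations

# 2022 control -> the 2013 controls it absorbs (subset from the article's table).
MAPPING_2022_FROM_2013: dict[str, tuple[str, ...]] = {
    "A.5.1": ("A.5.1.1", "A.5.1.2"),
    "A.5.2": ("A.6.1.1",),
    "A.6.1": ("A.7.1.1",),
    "A.5.9": ("A.8.1.1", "A.8.1.2"),
    "A.5.15": ("A.9.1.1", "A.9.1.2"),
    "A.8.24": ("A.10.1.1", "A.10.1.2"),
    "A.7.1": ("A.11.1.1",),
    "A.8.32": ("A.12.1.2", "A.14.2.2", "A.14.2.3", "A.14.2.4"),
    "A.8.20": ("A.13.1.1",),
    "A.8.26": ("A.14.1.2", "A.14.1.3"),
    "A.5.19": ("A.15.1.1",),
    "A.5.24": ("A.16.1.1",),
    "A.5.29": ("A.17.1.1", "A.17.1.2", "A.17.1.3"),
    "A.5.31": ("A.18.1.1", "A.18.1.5"),
}

# The 11 controls that have no 2013 predecessor and must be implemented fresh.
NEW_CONTROLS_2022: frozenset[str] = frozenset({
    "A.5.7", "A.5.23", "A.5.30", "A.7.4", "A.8.9", "A.8.10",
    "A.8.11", "A.8.12", "A.8.16", "A.8.23", "A.8.28",
})


def assess(implemented_2013: set[str]) -> dict[str, object]:
    """Classify 2022 controls given the set of 2013 controls already implemented.

    Returns:
      covered:  2022 controls whose every 2013 source is implemented
      partial:  2022 controls with some sources missing -> list of missing 2013 ids
      new:      the 11 new 2022 controls (always required work)
      unmapped: implemented 2013 ids not in the mapping (either outside this
                subset or one of the 3 removed controls; check by hand)
    """
    covered: set[str] = set()
    partial: dict[str, list[str]] = {}
    known_2013 = {old for olds in MAPPING_2022_FROM_2013.values() for old in olds}

    for new_id, sources in MAPPING_2022_FROM_2013.items():
        required = set(sources)
        have = required & implemented_2013
        if have == required:
            covered.add(new_id)
        elif have:  # merged control only partly satisfied
            partial[new_id] = sorted(required - have)

    return {
        "covered": sorted(covered),
        "partial": partial,
        "new": sorted(NEW_CONTROLS_2022),
        "unmapped": sorted(implemented_2013 - known_2013),
    }


def report(implemented_2013: set[str]) -> str:
    """Human-readable summary of assess() for a gap-assessment worksheet."""
    r = assess(implemented_2013)
    lines = [f"Fully covered 2022 controls: {', '.join(r['covered']) or 'none'}"]
    for new_id, missing in r["partial"].items():
        lines.append(f"Partially covered {new_id}: still need {', '.join(missing)}")
    lines.append(f"New controls to implement: {', '.join(r['new'])}")
    if r["unmapped"]:
        lines.append(f"Unmapped 2013 controls (review manually): {', '.join(r['unmapped'])}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: a partial 2013 implementation plus one bogus id.
    sample = {"A.5.1.1", "A.5.1.2", "A.9.1.1", "A.12.1.2", "A.14.2.2", "A.99.9.9"}
    print(report(sample))
```

Running the sample shows A.5.1 as fully covered, A.5.15 and A.8.32 as partially covered with the specific missing 2013 controls listed, all 11 new controls as outstanding, and the unknown id flagged for manual review; the same structure works once the mapping is extended to the full 2022 control set.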

    To make your transition effortless and time-saving, Smartly provides startups with an automated ISO 27001 solution, equipped with a short gap analysis, pre-built templates, evidence management, auditor-ready checklists, clear audit trails and your very own Trust Center!

    Conclusion

    The evolution from ISO 27001:2013 to ISO 27001:2022 is a step in adapting information security practices to the demands of the modern digital world. While the fundamental principles of information security remain, the 2022 version offers a more refined framework.

    By understanding the subtle yet significant changes in the clauses and the reorganization and addition of controls in Annex A, companies can effectively strengthen their information security posture. Embracing these updates isn't just about maintaining compliance; it's about building a more resilient and secure environment for your information, helping you build trust with enterprise clients.

    Assess your ISMS against the new ISO 27001:2022 requirements now with Smartly!
