
ISO 27001 2022 - what has changed?

Andrew Robinson Dec 31, 2022

The latest version, ISO/IEC 27001:2022, was published on October 25, 2022 and replaces the 2013 edition. Let's look at what the key changes are and how the revision affects certified organisations and those planning certification.

Introduction to ISO 27001 2022

ISO 27001 specifies the requirements for an information security management system (ISMS) and can be applied by organisations of any size or type. Its central concern is managing information security risk: as threats evolve and new weaknesses appear, the organisation must identify, assess, and treat the risks to the confidentiality, integrity, and availability of its information.

The updated ISO/IEC 27001:2022 sets out the requirements for managing these risks. The list of information security controls in its normative Annex A is derived from the revised ISO/IEC 27002:2022, the implementation guidance for those controls.

ISO/IEC 27002:2022 was published earlier in 2022 with a simpler taxonomy and updated controls. With the publication of ISO/IEC 27001:2022, the requirements standard and its guidance are aligned again, so the 27001/27002 pair can once more be used together as the current reference for managing information security risk.

One of the important changes in ISO/IEC 27001:2022 is the adoption of ISO's 'Harmonized Structure' (the common structure shared by ISO management system standards), which places greater emphasis on process orientation in the ISMS. This structure recognises that an effective management system is built on clearly defined processes, the interactions between them, and defined criteria for controlling those processes. The revised standard therefore asks organisations to identify and control their ISMS processes explicitly rather than leaving them implicit.

What are the key changes in ISO 27001 2022?

Below is a summary of some of the key changes to ISO 27001 2022.

Editorial changes

There are a few editorial changes intended to improve the clarity and consistency of the standard. Two main ones are:

  • Replacing the term "international standard" with "document" throughout the text.
  • Rearranging some English phrases to make them easier to translate into other languages.

Changes that align with the Harmonised approach

These changes bring the standard into line with the Harmonized Structure and are intended to improve its effectiveness and flexibility. They include:

  • A revised numbering structure: the main clauses 4 to 10 remain, but several are subdivided or reordered (for example, internal audit in 9.2 and management review in 9.3 are split into subclauses, and in clause 10 continual improvement now precedes nonconformity and corrective action).
  • A requirement in clause 4.4 to determine the processes needed for the ISMS and their interactions.
  • An explicit requirement in clause 5.3 to communicate information security roles and responsibilities within the organisation.
  • A new clause 6.3 on planning of changes to the ISMS.
  • A requirement in clause 7.4 that the organisation determines how to communicate, replacing the earlier list of who communicates and through which processes.
  • New requirements in clause 8.1 to establish criteria for operational processes and to implement control of those processes in accordance with the criteria, including externally provided processes.

Changes to Annex A

ISO/IEC 27001:2022 includes several important changes to Annex A, which mirror the restructuring of ISO/IEC 27002:2022. These changes include:

  • Consolidation of the controls into four themes (organizational, people, physical, and technological) instead of the 14 control domains of the 2013 edition.
  • A reduction in the number of controls from 114 to 93. No control from 2013 has been dropped outright: the reduction comes from merging controls that overlapped.
  • Merging of existing controls, updates to others, and the introduction of new controls (for example threat intelligence, cloud services security, data masking, data leakage prevention, monitoring activities, web filtering, and secure coding).
  • The introduction of attributes, a set of tags defined in ISO/IEC 27002:2022 that classify each control using vocabulary common in cybersecurity. There are five attribute families: control type (preventive, detective, corrective), information security properties (confidentiality, integrity, availability), cybersecurity concepts (identify, protect, detect, respond, recover), operational capabilities, and security domains. Attributes let an organisation build filtered views of the control set, for instance all detective controls or all controls supporting the 'respond' concept.
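To make the attribute concept concrete, here is an added example that is not part of the original article or the 6clicks platform. It models a small control register with the five attribute families, validates each control's tags against the allowed vocabulary, and builds filtered views in the way ISO/IEC 27002:2022 intends attributes to be used. The five vocabularies match the families named above; the attribute values assigned to the four sample controls are illustrative and should be checked against the published control tables before being relied on.

```python
"""Model ISO/IEC 27002:2022 control attributes and build filtered views.

Added example, not code from the original article or from 6clicks.
The attribute vocabularies follow the five attribute families defined in
ISO/IEC 27002:2022; the per-control attribute values in CONTROLS below are
illustrative (assumed) and must be verified against the published standard.
"""
from dataclasses import dataclass

# Allowed values per attribute family. The standard writes them as hashtags
# (e.g. "#Preventive"); the "#" is dropped here for readability.
VOCABULARY = {
    "control_type": {"Preventive", "Detective", "Corrective"},
    "properties": {"Confidentiality", "Integrity", "Availability"},
    "concepts": {"Identify", "Protect", "Detect", "Respond", "Recover"},
    "capabilities": {
        "Governance", "Asset_management", "Information_protection",
        "Human_resource_security", "Physical_security",
        "System_and_network_security", "Application_security",
        "Secure_configuration", "Identity_and_access_management",
        "Threat_and_vulnerability_management", "Continuity",
        "Supplier_relationships_security", "Legal_and_compliance",
        "Information_security_event_management",
        "Information_security_assurance",
    },
    "domains": {"Governance_and_Ecosystem", "Protection", "Defence", "Resilience"},
}


@dataclass(frozen=True)
class Control:
    ident: str
    title: str
    control_type: frozenset
    properties: frozenset
    concepts: frozenset
    capabilities: frozenset
    domains: frozenset

    def validate(self):
        """Return a list of attribute values that are not in the standard's vocabulary."""
        errors = []
        for family, allowed in VOCABULARY.items():
            for value in sorted(getattr(self, family)):
                if value not in allowed:
                    errors.append(f"{self.ident}: {family} has unknown value {value!r}")
        return errors


def make(ident, title, ctype, props, concepts, caps, domains):
    """Build a Control from plain lists (convenience wrapper around the dataclass)."""
    return Control(ident, title, frozenset(ctype), frozenset(props),
                   frozenset(concepts), frozenset(caps), frozenset(domains))


# Constructed sample register: four of the 93 controls. Attribute values are
# illustrative assumptions, not a verified copy of the standard's tables.
CONTROLS = [
    make("5.7", "Threat intelligence",
         ["Preventive", "Detective", "Corrective"],
         ["Confidentiality", "Integrity", "Availability"],
         ["Identify", "Detect", "Respond"],
         ["Threat_and_vulnerability_management"], ["Defence", "Resilience"]),
    make("8.8", "Management of technical vulnerabilities",
         ["Preventive"], ["Confidentiality", "Integrity", "Availability"],
         ["Identify", "Protect"], ["Threat_and_vulnerability_management"],
         ["Governance_and_Ecosystem", "Protection", "Defence"]),
    make("8.16", "Monitoring activities",
         ["Detective", "Corrective"], ["Confidentiality", "Integrity", "Availability"],
         ["Detect", "Respond"], ["Information_security_event_management"], ["Defence"]),
    make("8.24", "Use of cryptography",
         ["Preventive"], ["Confidentiality", "Integrity", "Availability"],
         ["Protect"], ["Secure_configuration"], ["Protection", "Defence"]),
]


def _numeric_key(control):
    # Sort "8.8" before "8.16": compare clause numbers as integers, not strings.
    return tuple(int(part) for part in control.ident.split("."))


def validate_all(controls):
    """Collect vocabulary errors across a whole register."""
    return [err for c in controls for err in c.validate()]


def view(controls, **wanted):
    """Return controls matching every given filter.

    Filters are ANDed across families and ORed within a family, e.g.
    view(CONTROLS, concepts=["Protect"], domains=["Protection"]).
    """
    selected = [c for c in controls
                if all(set(values) & getattr(c, family) for family, values in wanted.items())]
    return sorted(selected, key=_numeric_key)


def coverage(controls, family):
    """Count how many controls carry each value of one family; zeros expose gaps."""
    counts = {value: 0 for value in sorted(VOCABULARY[family])}
    for c in controls:
        for value in getattr(c, family):
            counts[value] += 1
    return counts


if __name__ == "__main__":
    print("vocabulary errors:", validate_all(CONTROLS) or "none")
    for c in view(CONTROLS, control_type=["Detective"]):
        print("detective:", c.ident, c.title)
    print("concept coverage:", coverage(CONTROLS, "concepts"))
```

The `coverage` function is the practical payoff of attributes: a view that shows zero controls tagged `Recover` tells you at a glance that the selected scope has no recovery capability, which is the kind of gap a Statement of Applicability review should surface.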

These changes are intended to make the control set easier to navigate and to implement: fewer, better-consolidated controls, grouped by theme and tagged so that they can be filtered into the views an organisation actually needs.

How to transition to ISO 27001 2022?

The deadline to transition to ISO 27001:2022 is October 31, 2025; any ISO 27001:2013 certificate that has not been transitioned by then lapses. Organisations not yet certified could, at the time of writing, still be certified against ISO 27001:2013 until October 31, 2023, but the October 2025 deadline applies to them as well, so a late 2013 certificate leaves well under two years to complete the transition. In practice, organisations starting certification now should implement the 2022 edition directly.

6clicks has updated its content library with a new document covering the mandatory requirements of ISO 27001:2022, to support implementing the revised standard and maintaining your ISMS.

Looking to automate ISO 27001 implementation? See our solutions page on ISO 27001 compliance. The 6clicks platform helps you implement multiple standards and demonstrate compliance from a single platform, so you do not have to work through each standard manually.
