For organisations that have already implemented the 2013 standard or are working towards being ISO 27001:2013 certified, there’s no need to panic about the update. Once awarded, your organisation’s ISO 27001 certification is valid for three years. After this point, you’ll need to either re-certify or update your ISMS policies, procedures and documentation in line with the 2022 standard, which is a quick and easy task within Hicomply’s automated platform.
Clauses
ISO 27001:2022 clauses with no changes
4.1 Understanding the organisation and its context
4.3 Determining the scope of the information security management system
5.2 Leadership - Policy
6.1.1 Actions to address risks and opportunities - General
6.1.2 Information security risk assessment
7.1 Support - Resources
7.2 Support - Competence
7.3 Support - Awareness
7.5.1 Documented information - General
7.5.2 Documented information - Creating and updating
7.5.3 Control of documented information
8.2 Information security risk assessment
8.3 Information security risk treatment
Clauses that have been reworded or clarified, no additional requirements
4.4 Information security management system
5.1 Leadership and commitment
5.3 Organisational roles, responsibilities and authorities
6.1.3 Information security risk treatment
8.1 Operational planning and control
9.1 Monitoring, measurement, analysis and evaluation
7.4 Support - Communication
Clauses that have new or additional requirements
4.2 Understanding the needs and expectations of interested parties
As well as the information outlined in ISO 27001:2013, the additional requirement for this clause is that the organisation shall determine which requirements will be addressed through the ISMS.
6.2 Information security objectives and planning to achieve them
As well as the information outlined in ISO 27001:2013, the additional requirements in this clause state that the information security objectives shall be updated as appropriate and be available as documented information.
Clauses that have notable changes
9.2 Internal audit has been split into 9.2.1 General, and 9.2.2 Internal audit programme:
9.2.1 General requires that the organisation conducts internal audits at planned intervals to provide information on whether the ISMS conforms to the organisation’s requirements for its ISMS and the requirements of the document, and is effectively implemented and maintained.
9.2.2 Internal audit programme requires that the organisation plan, establish, implement and maintain an audit programme or audit programmes. This includes the frequency, methods, responsibilities, planning requirements and reporting.
When establishing the internal audit programme, the organisation should consider the importance of the processes, the results of previous audits and:
- a) define the criteria and scope for each audit
- b) select auditors and conduct audits that ensure objectivity and the impartiality of the audit process
- c) ensure that the results of the audits are reported to relevant management;
Documented information shall be available as evidence of the implementation of the audit programme(s) and the audit results.
Clause 9.3 Management review has been split into 9.3.1 General, 9.3.2 Management review inputs and 9.3.3 Management review results:
9.3.1 General requires that top management review the organisation's information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness.
9.3.2 Management review input requires that the management review includes consideration of:
- a) the status of actions from previous management reviews
- b) changes in external and internal issues that are relevant to the ISMS
- c) changes in needs and expectations of interested parties that are relevant to the information security management system
- d) feedback on the information security performance, including trends in
- 1) nonconformities and corrective actions
- 2) monitoring and measurement results
- 3) audit results
- 4) fulfilment of information security objectives.
- e) feedback from interested parties
- f) results of risk assessment and status of risk treatment plan
- g) opportunities for continual improvement.
9.3.3 Management review results requires that the results of the management review include decisions related to continual improvement opportunities and any needs for changes to the ISMS. Documented information must be available as evidence of the results of management reviews.
In Clause 10, 10.1 nonconformity and corrective action is now clause 10.2. 10.2 Continual improvement is now 10.1.
New clauses
6.3 Planning of changes is a new clause outlining requirements of planning of changes, requiring that when the organisation determines the need for changes to the ISMS, the changes be carried out in a planned manner.
Annex A
Annex A has been restructured, changing from 114 controls under 14 categories to 93 controls under four categories. However, these controls have remained largely the same. Instead of referring to reference controls and objectives, the annex is now title information security controls reference in line with the standard’s focus on information security specifically.
Below, we’ve mapped the ISO 27001:2022 controls against their ISO 27001:2013 counterparts.
A5 Organisational Controls
ISO 27001:2022 Control | ISO 27001:2013 Control(s) |
5.1 Policies for information security | |
5.2 Information security roles and responsibilities | |
5.3 Segregation of duties | |
5.4 Management responsibilities | |
5.5 Contact with authorities | |
5.6 Contact with special interest groups | |
5.7 Threat intelligence | None – new control |
5.8 Information security in project management | |
5.9 Inventory of information and other associated assets | |
5.10 Acceptable use of information and other associated assets | |
5.11 Return of assets | |
5.12 Classification of information | |
5.13 Labelling of information | |
5.14 Information transfer | |
5.15 Access control | |
5.16 Identity management | |
5.17 Authentication information | |
5.18 Access rights | |
5.19 Information security in supplier relationships | |
5.20 Addressing information security within supplier agreements | |
5.21 Managing information security in the information and communication technology (ICT) supply chain | |
5.22 Monitoring, review and change management of supplier services | |
5.23 Information security for use of cloud services | None – new control |
5.24 Information security incident management planning and preparation | |
5.25 Assessment and decision on information security events | |
5.26 Response to information security incidents | |
5.27 Learning from information security incidents | |
5.28 Collection of evidence | |
5.29 Information security during disruption | |
5.30 ICT readiness for business continuity | None – new control |
5.31 Legal, statutory, regulatory and contractual requirements | |
5.32 Intellectual property rights | |
5.33 Protection of records | |
5.34 Privacy and protection of personal identifiable information (PII) | |
5.35 Independent review of information security | |
5.36 Compliance with policies, rules and standards for information security | |
5.37 Documented operating procedures |
A6 People Controls
ISO 27001:2022 Control | ISO 27001:2013 Control(s) |
6.1 Screening | |
6.2 Terms and conditions of employment | |
6.3 Information security awareness, education and training | |
6.4 Disciplinary process | |
6.5 Responsibilities after termination or change of employment | |
6.6 Confidentiality or non-disclosure agreements | |
6.7 Remote working | |
6.8 Information security event reporting |
A7 Physical Controls
ISO 27001:2022 Control | ISO 27001:2013 Controls |
7.1 Physical security perimeters | |
7.2 Physical entry | |
7.3 Securing offices, rooms and facilities | |
7.4 Physical security monitoring | None – new control |
7.5 Protecting against physical and environmental threats | |
7.6 Working in secure areas | |
7.7 Clear desk and clear screen | |
7.8 Equipment siting and protection | |
7.9 Security of assets off-premises | |
7.10 Storage media | |
7.11 Supporting utilities | |
7.12 Cabling security | |
7.13 Equipment maintenance | |
7.14 Secure disposal or re-use of equipment |
8 Technological Controls
ISO 27001:2022 Control | ISO 27001:2013 Control(s) |
8.1 User end-point devices | |
8.2 Privileged access rights | |
8.3 Information access restriction | |
8.4 Access to source code | |
8.5 Secure authentication | |
8.6 Capacity management | |
8.7 Protection against malware | |
8.8 Management of technical vulnerabilities | |
8.9 Configuration management | None – new control |
8.10 Information deletion | None – new control |
8.11 Data masking | None – new control |
8.12 Data leakage prevention | None – new control |
8.13 Information backup | |
8.14 Redundancy of information processing facilities | |
8.15 Logging | |
8.16 Monitoring activities | None – new control |
8.17 Clock synchronisation | |
8.18 Use of privileged utility programmes | |
8.19 Installation of software on operational systems | |
8.20 Networks security | |
8.21 Security of network services | |
8.22 Segregation of networks | None – new control |
8.23 Web filtering | |
8.24 Use of cryptography | |
8.25 Secure development lifecycle | |
8.26 Application security requirements | |
8.27 Secure system architecture and engineering principles | |
8.28 Secure coding | None – new control |
8.29 Security testing in development and acceptance | |
8.30 Outsourced development | |
8.31 Separation of development, test and production environments | |
8.32 Change management | |
8.33 Test information | |
8.34 Protection of information systems during audit testing |