What You Need to Know About ISO 27001:2022

Update: This article has been updated to reflect new guidance regarding the ISO 27001:2022 transition period.

As you might now know, a new version of ISO 27001 was published last year, beginning a transition period that will reshape the way organisations are expected to manage information security.

ISO 27001 was previously updated in 2013 – almost a decade ago – and with ISO 27001:2022, significant changes have been made that bring the Standard into line with modern business practices.

What’s different in ISO 27001:2022?

ISO 27001 contains several new requirements. For example, there are new rules on planned changes and how organisations should deal with them, plus there is a greater focus on the needs and expectations of interested parties.

Meanwhile, Annex A of ISO 27001 now refers to the updated information security controls in ISO 27002:2022 (which was published earlier this year), and the Standard requires organisations to document and monitor their objectives.

There are also changes in the terminology used. The latest version of the Standard aligns its phrasing with the language used across other ISO management standards, while ISO 27002:2022 is no longer referred to as a “code of practice”. This better reflects its purpose as a reference set of information security controls.

Other major changes relate to the structure of ISO 27002. It no longer consists of 14 control categories (often referred to as ‘clauses’), and is instead split into four ‘themes’: organisational, people, physical and technological.

As part of this change, the total number of controls has decreased from 114 to 93. This is because many controls have been reordered and merged, while 11 completely new requirements have been added. These are:

Threat intelligence
Information security for use of cloud services
ICT readiness for business continuity
Physical security monitoring
Configuration management
Information deletion
Data masking
Data leakage prevention
Monitoring activities
Web filtering
Secure coding

The new and amended controls are also categorised according to five types of ‘attribute’: control type, operational capabilities, security domains, cybersecurity concepts and information security properties.

This change is intended to make it easier to highlight and view all controls of a certain type, such as all preventive controls, or all controls related to confidentiality.

What organisations must do now

Organisations that have already certified their ISMS (information security management system) to ISO 27001:2013 have until 31 October 2025 to conform to ISO 27001:2022.

However, according to the IAF’s (International Accreditation Forum) revised guidance document, certification bodies must stop offering (re)certification to the 2013 edition of the Standard by 30 April 2024, so there may be less time to conform to ISO 27001:2022 than you thought.

Moreover, even if your organisation’s ISMS is recertified to ISO 27001:2013 by 30 April 2024, that certificate will expire on 31 October 2025 – even if it has been in place for less than three years (the normal duration of an ISO management system certificate).

We therefore advise you start adopting the 2022 Standard as soon as you can.

Indeed, the reason that the new version of ISO 27001 was published last year is so that organisations can familiarise themselves with the new controls before embarking on an implementation project.

Fortunately, ISO 27002:2022 contains an annex that compares its controls with the 2013 version. As such, the process should relatively straightforward if you are already certified to the current iteration.

The best way to get started is to read a copy of the new standard for yourself and comparing it to the 2013 version and your current compliance practices.