ISO 27001:2022 vs 2013 — The Evolution
In October 2022, ISO released a major update to the 27001 standard. Understanding these changes is crucial for both new implementations and existing certified organizations.
Timeline of Changes
- 2013 - ISO/IEC 27001:2013 published
- 25 October 2022 - ISO/IEC 27001:2022 published
- 30 April 2024 - 18 months after publication, the cut-off set by IAF MD 26 after which all new (initial) certifications must be issued against the 2022 version
- 31 October 2025 - end of the three-year transition period; every remaining 2013 certificate must have transitioned by then or it expires
What Changed in the Main Clauses?
The good news: the clause structure is intact. Clauses 1-3 are still scope, normative references and terms, and the ISMS requirements still sit in Clauses 4-10 with the same headings. The edits are small, but they are not zero, so check each one during your gap analysis:
| Clause | 2013 | 2022 |
|---|---|---|
| 4. Context | ✓ | ✓ (4.2 now asks which interested-party requirements the ISMS will address; 4.4 adds the processes needed and their interactions) |
| 5. Leadership | ✓ | ✓ (essentially unchanged) |
| 6. Planning | ✓ | ✓ (6.2 objectives must be monitored and documented; new 6.3 Planning of changes) |
| 7. Support | ✓ | ✓ (7.4 communication requirements simplified) |
| 8. Operation | ✓ | ✓ (8.1 adds control of externally provided processes, products and services) |
| 9. Performance | ✓ | ✓ (9.3 management review must consider changes in interested parties' needs and expectations) |
| 10. Improvement | ✓ | ✓ (subclauses reordered: 10.1 continual improvement, 10.2 nonconformity and corrective action) |
The Big Change: Annex A Controls
The most significant changes are in Annex A, which was completely restructured:
2013 Structure (14 Domains, 114 Controls)
- A.5 Information security policies
- A.6 Organization of information security
- A.7 Human resource security
- A.8 Asset management
- A.9 Access control
- A.10 Cryptography
- A.11 Physical and environmental security
- A.12 Operations security
- A.13 Communications security
- A.14 System acquisition, development, maintenance
- A.15 Supplier relationships
- A.16 Incident management
- A.17 Business continuity
- A.18 Compliance
2022 Structure (4 Themes, 93 Controls)
- A.5 Organizational controls (37 controls)
- A.6 People controls (8 controls)
- A.7 Physical controls (14 controls)
- A.8 Technological controls (34 controls)
Each 2022 control also carries five attributes (control type, information security properties, cybersecurity concepts, operational capabilities, security domains), which is how you filter the list by a view such as preventive/detective/corrective or map it onto other frameworks. Annex B of the standard gives the full correspondence table between the 2013 and 2022 control numbers, so use it rather than re-deriving the mapping yourself.
New Controls in 2022
Eleven completely new controls were added to address modern threats:
- A.5.7 Threat intelligence
- A.5.23 Information security for use of cloud services
- A.5.30 ICT readiness for business continuity
- A.7.4 Physical security monitoring
- A.8.9 Configuration management
- A.8.10 Information deletion
- A.8.11 Data masking
- A.8.12 Data leakage prevention
- A.8.16 Monitoring activities
- A.8.23 Web filtering
- A.8.28 Secure coding
Controls That Were Merged
No 2013 control was simply dropped: 57 of them were merged into 24 consolidated 2022 controls, and the remaining ones were renumbered, mostly with updated wording. Some examples of merges:
- A.9.1.1 Access control policy and A.9.1.2 Access to networks and network services → A.5.15 Access control
- A.10.1.1 Policy on the use of cryptographic controls and A.10.1.2 Key management → A.8.24 Use of cryptography
- A.11.1.2 Physical entry controls and A.11.1.6 Delivery and loading areas → A.7.2 Physical entry
- A.12.6.1 Management of technical vulnerabilities and A.18.2.3 Technical compliance review → A.8.8 Management of technical vulnerabilities
A merge does not remove a requirement: the consolidated control still expects the evidence you produced for each of its predecessors, so the practical work is re-labelling existing evidence, not discarding it.
What This Means for You
If You're Starting Fresh
- Implement directly to the 2022 version; a new 2013 certificate can no longer be issued
- Use the new 4-theme structure for your Statement of Applicability (SoA)
- Give the 11 new controls explicit attention, but remember that Annex A is a reference list: controls are selected by the risk treatment process in Clause 6.1.3, and every inclusion or exclusion in the SoA still needs a justification
If You're Already Certified
- Transition must be complete by 31 October 2025; agree with your certification body whether it happens at a surveillance audit, at recertification, or in a dedicated transition audit
- Run a gap analysis: map your existing SoA to the 2022 numbering with the Annex B correspondence table, then assess the 11 new controls and the small clause changes (6.3, 7.4, 8.1, 9.3)
- Update your risk treatment plan and Statement of Applicability to the 2022 control set and numbering, and revise the policies and procedures that reference the old A.x numbers
- Train internal auditors and staff on the new structure; your certification body's auditors are their responsibility, not yours
Key Takeaways
- The ISMS framework (Clauses 4-10) is stable
- Annex A has been modernized and streamlined
- New controls address cloud, monitoring, and secure development
- The transition is manageable with proper planning
Next Lesson: Deep dive into the 10 Sacred Clauses of ISO 27001.