A new version of ISO/IEC 27001 has been available since the end of 2022. After almost 10 years, it replaces the 2013 version of the established standard for the implementation of an ISMS.

What are the main changes? What do you need to consider for the next recertification of your ISMS? These are the questions I would like to address in this article. I will also provide you (as always) with a practical recommendation for action. That way, you can implement the added value of the new requirements in your company in a clear and structured manner.

You want the shortcut?

In a nutshell: ISO 27001 2022 – what is new, what has changed?

In a nutshell
  • The normative chapters 4-10 remain almost unchanged. In some places, they are made more specific and the PDCA cycle is strengthened once again. However, there are no major changes to be made to the management system. 
  • The normative Annex A has been completely revised, restructured and summarized to 93 controls.
  • New content of 11 controls has been added. 
  • The new structure of Annex A is more practical and has eliminated some of the ambiguous requirements. 

Initial certification or re-certification to the 2022 version of ISO 27001

You already have a certified ISMS according to ISO 27001 and would like to change to the new version. By when do you have to have the changeover certified at the latest?

You are planning to introduce a new ISMS and are considering whether you should still have it certified to the “old” 27001:2013 version or already to the new version.

Deadline 31 October 2025

The very last deadline for converting to the new standard is the end of October 2025. Three years after the new version is published, it alone will be valid. From this date on, only the new 2022 version may be certified. Still a long time away, but no problem, right?

Theoretically, certification can start immediately according to the new version 2022. During this three-year transition period, both standards are valid.

So when is the best time to get audited according to the new structure?

Certification of the ISMS according to ISO/IEC 27001:2022

If you have planned certification for 2023, your project will (hopefully) already be well advanced according to the “old” requirements. In this case, upgrading to the 2022 version makes little sense.

For ISMS projects with a planned certification date in 2024, we already implement the new version of ISO 27001.

Why?

In this constellation, you would have to change over to the new version of the ISO standard by the first surveillance audit in 2025 at the latest. This means that right after successfully completing the ISMS project, you would have to continue with another changeover project. In practice, this makes little sense. It costs time and money. And it means frustration for the project team.

Risk?

The risk in this approach is, from our point of view, the certifier. Your certification company must, of course, have accreditation for ISO/IEC 27001:2022 by DAkkS. This is possible as soon as DAkkS presents a corresponding changeover concept and your certification company is prepared for the 2022 version.

We assume that the renowned certification companies will be up and running by 2024 and will be able to approve your ISMS according to the latest requirements.

Monitoring cycles of the ISMS audit

If your ISMS was newly certified or re-certified in 2022, then you will be in the first surveillance audit in 2023 and the second surveillance audit in 2024. Perfect! Then you start in 2025 with the re-certification audit in the new version.

Significant changes from the ISO 27001 2013 version to the 2022 version

Before we go into detail, here is a brief overview of the changes, taken from the English original published by BSI (British Standards Institution).

Changes with the greatest impact on the ISMS

Anyone who already operates an ISMS in accordance with ISO 27001 knows that the greatest effort in practice is in the controls, i.e. specifically in the requirements from Annex A. This is also where the main changes were made. 

But don’t panic! The structure has been completely revised, but the essential content remains the same.

  • Consolidation of subchapters in Appendix A. 14 subchapters (5-18) have now become 4 subchapters:
    • Organizational
    • People
    • Physical
    • Technological
  • The total number of controls has also been reduced from 114 to 93.
  • A concept of attributes for the controls was introduced. There are 5 attributes, which are based on established information security terminology:
    • Control type
    • Information security properties
    • Cybersecurity concepts
    • Operational capabilities
    • Security domains

Editorial changes

In the document, the term “international standard” was replaced by “document”.

Furthermore, some English terms were replaced, presumably to allow easier interpretation.

ISO structure harmonization

To ensure that all ISO standards continue to be aligned or harmonized, some points in the standard have been adjusted. This includes, for example, the restructuring of the numbering or further requirements for general management system requirements (for example on the subject of communication).

Changes to ISO 27001 2022 in chapters 4-10 on the ISMS

Overall, the basic framework of the information security management system has not changed much. In one place or another, the changes could rather be described as cosmetic corrections. Anyone who can demonstrate an intact, certified ISMS will therefore not have to make many adjustments for the 2022 version.

I would like to briefly describe the adjustments below.

Context of the organization

Interested parties

Chapter 4.2 still addresses the interested parties, and their interests / requirements continue to be specified. The only addition is that it must now be stated which of these requirements are addressed by the ISMS.

ISMS

Concerning the ISMS, it is explicitly mentioned again that the required processes and interfaces must be implemented. Even if this was not previously described in the old version, in my understanding it does not change the implementation of the ISMS in practice.

Leadership

A note was added here defining the term “business”. It can therefore be interpreted broadly. It means everything that concerns the core purpose of the business existence.

In the case of roles and responsibilities, chapter 5 now adds that these are only roles that exist within the organization. This addition is certainly helpful, since elsewhere in the standard the obligation to control external resources has been regulated further.

Planning

Information Security Risk Assessment

At first glance, it looks as if something has been added here. However, only the requirements for the Statement of Applicability have been listed in a more prominent presentation (bullet points).

Information security objectives

The requirements for the objectives have been complemented by two points – which should actually be self-evident. Of course, it is now also important to monitor the achievement of objectives and to have everything written down as documented information.

Planning of changes

This point 6.3 is completely new. Changes in, on, and around the management system must be planned and implemented accordingly. Ultimately, it is about a structured, controlled implementation of the change.

Support

Communication

Communication requirements have been adjusted by combining two items into the “how to communicate” item.

Operation

Operational planning and control

An addition to the specification of processes was made, and a further obligation regarding external services / service providers / processes was supplemented. Since this passage will certainly be added to all management system standards as a result of the harmonization of standards, it makes sense at this point. However, this requirement could previously be found in a similar form in the protective measures of Annex A. Thus, it is not really a new requirement for an ISMS.

Performance evaluation

When reading the redline version of ISO 27001:2022, it seems at first glance that this chapter has been completely rewritten. However, it turns out that this impression is misleading. Most of the changes are of a purely editorial nature; there have been hardly any changes in content.

It is now explicitly emphasized that the methods of performance evaluation should provide comparable and reproducible results. It is also mentioned again that this information must be available as evidence in documented form.


Changes in Annex A to ISO 27001 2022

Consolidation of the subchapters in Appendix A

From the original 14 chapters of Annex A in the 2013 version, “only” 4 subchapters now remain in ISO 27001 2022. In addition to the number of chapters, the total number of controls has also been reduced. What was previously described in 114 measures is now governed in fewer than 100 measures.

This certainly makes sense. More does not always help more. I get the impression that the measures are now better delineated from one another and also clearer.

The division into the four superordinate categories in Appendix A is a significant step towards greater clarity and unambiguity. All technical controls can be found under the item technological. No more subdivision into encryption and network security, for example, as was the case in the 2013 version.

Everything that is required in terms of specifications / guidelines can now be found under organizational controls. Asset inventory and classification requirements, which had their own A8 item in the previous version, can now be found under organizational measures.

The new structure follows our motto: The simpler, the better – without losing content.

Content of new controls in Annex A of ISO 27001 2022

Here you can find an overview of the new controls from my point of view. I explicitly say “from my point of view” because the names of controls have also been changed. Some of them are now hidden under a different protective measure, so not every measure that no longer appears has been superseded.

New organizational information security measures (A5)

  • Threat intelligence: This requirement is intended to collect and analyze information about threats. The aim is to raise awareness of the threats so that appropriate remedial measures can be taken. In a slimmed-down form, the old version of the standard also required obtaining information about current developments. Here, it seems to me that the focus on risk assessment (analysis) and measures should be brought even more to the fore.
  • Even ISO 27001 can no longer ignore cloud services. Therefore, 5.23 now includes the control “Information security for use of cloud services“. This means that a security concept is required from selection, through introduction, to operation and replacement. The VDA ISA / TISAX® catalog has already firmly anchored this requirement.
  • Information security in business continuity management becomes “ICT readiness for business continuity“. Ultimately, it is a matter of knowing the risks in the operational business that would trigger a (longer-term) process interruption. Appropriate measures for availability or an emergency process must be implemented. The BCM topic already existed in the previous version. Now the scope has been narrowed more realistically and thus more meaningfully.

New controls from the area of physical security (A7)

  • Previously, only the monitoring of digital (logical) security was explicitly required. This is now extended to physical security in the management system. Here, too, it is now important to have proof of how physical security is monitored, by means of the “Physical security monitoring” control.

Most of the new controls in ISO 27001 2022 are in the area of technical security (A8)

  • “User end point devices” are explicitly addressed, although the control actually concerns the protection goal of the information / data. This means that the control does not explicitly demand protection of the device, but rather protection of the data processed on or accessible from it. From my point of view, the question arises whether the control is necessary with this protection goal.
  • As a fan of ITIL processes, I find it nice that “configuration management” has now also been included as A8.9. The requirements for the configuration of hardware, software and services must be defined, as well as their implementation and monitoring.
  • What is already known in data protection as the deletion concept is now called “information deletion“. A documented deletion concept is not required. According to the normative requirement, it is sufficient if data that is no longer required is deleted. Of course, each company can decide for itself how to define what is no longer needed.
  • To be honest, I still have some difficulties with the control “data masking“. If you read in detail in ISO 27002 what the background of this requirement is, you are relatively quickly at compliance and data protection (which should actually be covered by the compliance controls). The purpose of this measure is to limit the disclosure of sensitive data, including personal data, in relation to legal and regulatory requirements.
  • Right next in A.12 is the requirement for “data leakage prevention”: unauthorized disclosure of information is to be prevented through appropriate measures on systems, networks and processes that handle sensitive information.
  • Filtering of Internet traffic is already practice in many (especially larger) companies and was also mentioned as an implementation in ISO 27001 2013 (when filling out the SOA). In version 2022 of the international standard, this requirement is now worth a separate control, “Web filtering”. Access to external websites must be controlled to minimize the risk from malicious code.
  • Security in application development also existed in the past. The controls were restructured. Completely new from my point of view was the life cycle view. Under A8.25, “Secure development life cycle“, the focus is on information security with regard to design and implementation throughout the entire development process, but also with regard to the entire life cycle of the software or system.

Comparison or summary of changes ISO 27001 2022 with version 2013

Normative chapters 4-10

The changes will have little effect in practice. The additions in some places put a little more emphasis on the PDCA cycle of the ISMS. In other words, adherence to the cycle, monitoring of the specifications and processes, and their evidence have been strengthened somewhat.

From the point of view of documentation requirements, hardly anything changes. Looking at our extensive templates, hardly any adaptation in the sample documents was necessary to cover the new requirements with them.

Even the central element of ISO 27001, the risk analysis, will continue to be operated in its existing form. Fortunately, no changes are necessary here.

Annex A of ISO 27001

The structure has been much improved in the new version 2022. Previously, Annex A was divided into A5 – A18; in the new version there are only A5 – A8. The number of controls has also been slimmed down: no longer over 100 measures, but “only” 93. These are, however, better structured thanks to the new subchapters.

Measures that addressed the same protection goal from different perspectives in the old version are now largely avoided. As a result, many controls have either been combined or listed under a new name. In my estimation, 11 controls have been added completely.

You are already certified according to ISO 27001:2013 – and now?

What specifically do you need to do to meet the requirements of ISO 27001 2022?

“Small” GAP Analysis to ISO 27001 2022

  • I am deliberately writing “small GAP analysis” here because you already have a functioning ISMS according to 27001. Therefore, you know that your ISMS meets the requirements.
  • Perhaps you have already aligned it at one point or another so that it meets the new requirements.

Set recertification date to ISO 27001 2022 version

  • Create project or action plan with the goal of the planned recertification audit.
  • Plan, assign and schedule the open deviations from the Mini GAP analysis.

Implementing the new requirements

The plan is in place, then you can get started. By the time of the audit, you should have implemented all the new controls and have the SOA in the new version.

How can the team of Ms Cybersecurity help you implement the measures of ISO 27001 2022?

GAP analysis and action plan

With the ISO 27001 2022 readiness check, we examine your delta to the new standard and provide you with a detailed results report with measures for implementation.

Project support during the implementation of the new requirements

Would you like professional and practice-oriented support for your ISMS project?

Send us a non-binding request or a short e-mail.