Differences between ISO 27001:2013 and ISO 27001:2022
Adewale Adeife, CISM
Cyber Risk Management and Technology Consultant || GRC Professional || PCI-DSS Consultant || I help keep top organizations, Fintechs, and financial institutions secure by focusing on People, Process, and Technology.
Updates to clauses 4-10
ISO 27001:2022 has the same number of clauses as ISO 27001:2013 but there are slight changes to the text. The changes revolve around planning and defining the criteria for carrying out processes.
Clause 4.2 Understanding the needs and expectations of interested parties
A sub-clause was added requiring an analysis of which of the interested parties' requirements are to be addressed through the ISMS.
Clause 4.4 Information Security Management System
Organizations are now required to identify the necessary processes and their interactions within the ISMS. The ISMS must include the processes supporting the ISMS and not just the processes in the standard.
Clause 6.2 Information Security Objectives and Planning to Achieve Them
This clause now includes guidance on information security objectives and requires that they be monitored regularly and formally documented.
Clause 6.3 Planning of Changes
This new clause was added to standardize the process around the planning of changes. It says that if changes are needed to the ISMS, they shall be adequately planned for.
Clause 8.1 Operational Planning and Control
Additional guidance was added for operational planning and control. The ISMS requires that you establish criteria for the actions identified in clause 6 and control those actions according to the criteria.
Clause 5.3 Organizational Roles, Responsibilities, and Authorities
The roles relevant to information security are now to be communicated within the organization.
Clause 7.4 Communication
Sub-clauses (a) to (c) remain the same, but the clause has a new sub-clause (d) that addresses how to communicate. Sub-clause (d) combines who should communicate and the process by which communication should be effected.
Clause 9.2 Internal Audit
Clauses 9.2.1 and 9.2.2 of the 2013 version were combined into one section.
Clause 9.3 Management Review
The organization management review now includes consideration of any changes to the needs and expectations of the interested parties. This is important as it is instrumental to the scope of the ISMS determined in clause 4.
Clause 10 Improvement
In clause 10, continual improvement now comes first (10.1) and nonconformity and corrective action (10.2) comes next.
Changes to the Annex A
The number of controls has been reduced from 114 controls in 14 clauses in the 2013 version to 93 controls in 4 clauses in the 2022 version.
11 controls are new in the 2022 version.
57 controls were merged
23 controls were renamed
3 controls were removed
The goal is to ensure that organizations use a risk-based approach rather than focusing on specific objectives.
New Controls within ISO 27001:2022 Annex A
The biggest change within Annex A is the 11 new controls. Organizations are expected to transition to ISO 27001:2022 and will need to ensure that proper processes are in place to meet those new requirements. For example, ISO 27001:2013 does not cover threat intelligence, which expects organizations to gather and analyze information about threats so that action can be taken to mitigate risk. The new controls include:
A.5.7 Threat Intelligence
This control requires organizations to gather and analyze information about threats, helping them take action to mitigate those threats.
A.5.23 Information Security for the use of cloud services
With the rise in cloud services, there is a need for better information security in the cloud. This control requires organizations to set security standards for the cloud.
A.5.30 ICT readiness for business continuity
This control requires the organization to ensure that information and technology can be recovered in the event of a disruption.
A.7.4 Physical security monitoring
This control requires organizations to monitor sensitive areas in the organization's physical environment. Only authorized people should be able to access the data center and production facilities.
A.8.9 Configuration Management
This control requires an organization to manage and document the configuration of its technology, such as firewalls, hardware, software, routers, etc.
A.8.10 Information Deletion
This control requires that data that is no longer in use be deleted, both to avoid leaks of critical information and to comply with privacy regulations.
A.8.11 Data Masking
This control requires the organization to employ data masking to protect sensitive information.
A.8.12 Data Leakage Prevention
In Data Leakage Prevention, organizations are required to implement measures to prevent data leakage and disclosure of sensitive information from the organization's network or system.
A.8.16 Monitoring activities
Under this annex control, the organization is required to monitor systems for unusual activities and implement appropriate incident response procedures.
A.8.23 Web filtering
This control requires organizations to manage the websites that users can access in order to protect IT systems.
A.8.28 Secure coding
This control requires secure coding principles to be established within the organization's software development architecture to reduce vulnerabilities.
Note: it is important that you update your ISSC about this update to the ISMS, as they play a very key role in transitioning. The effectiveness of the ISMS should still be maintained even though the objectives of the ISMS do not change.
The importance of transitioning from ISO 27001:2013 to ISO 27001:2022 cannot be overstated, particularly in today's rapidly evolving digital environment, where cybersecurity threats are constantly changing and becoming more sophisticated.