Changes in ISO 27001:2022

ISO/IEC 27001 is the world’s best-known standard specifying the requirements for an information security management system (ISMS). The latest version of the standard was released in October 2022.

In the coming weeks, we will publish the following articles about the ISO 27001 standard:

  • What are the benefits for the company to be certified?
  • How to start implementing the standard in your company?

Follow us on LinkedIn or WeChat to be kept up to date on the ISO 27001 and cybersecurity news.

Before explaining the main changes in the 2022 version, let’s go back a couple of decades to see how the standard came about.

History of the standard

What are the changes?

1- ISO/IEC 27001

The most significant changes come from the harmonisation of the core ISO management system standards around a common high-level structure. Consequently, the clause structure is the same regardless of which ISO management system standard you implement.

In the 2022 version, the standard is renamed “Information security, cybersecurity and privacy protection – Information security management systems – Requirements”. The notions of cybersecurity and privacy protection have been added compared to the 2013 version, which was called “Information technology – Security techniques – Information security management systems – Requirements”.

Regarding the standard, the changes can be summarized as below:

  • Clause 4: Context of the organization:
    • 4.2: section c) has been added, on determining which interested parties’ requirements will be addressed through the ISMS
    • 4.4: the notion of processes has been added
  • Clause 6: Planning:
    • 6.1.3 c): the notes have been revised
    • 6.1.3 d): the wording has been reorganized
    • 6.2 d): information security objectives must now be monitored, and they must be documented
    • 6.3 has been added, covering the planning of changes
  • Clause 7: Support:
    • 7.4 e) has been removed
  • Clause 8: Operation:
    • 8.1 requires processes to be planned by establishing criteria for them, so that the requirements of clause 6 are met, and then implementing and controlling them according to those criteria. “Externally provided processes” replaces “outsourced processes”
  • Clause 9: Performance evaluation:
    • The internal audit and management review sections have been renamed and reordered
  • Clause 10: Improvement:
    • The order of the subclauses has been swapped

2- ISO/IEC 27001 Annex A / ISO/IEC 27002

In the 2013 version, there were 114 controls divided into 14 categories:

  • Annex A.5 – Information security policies (2 controls)
  • Annex A.6 – Organization of information security (7 controls)
  • Annex A.7 – Human resource security (6 controls)
  • Annex A.8 – Asset management (6 controls)
  • Annex A.9 – Access control (14 controls)
  • Annex A.10 – Cryptography (2 controls)
  • Annex A.11 – Physical and environmental security (15 controls)
  • Annex A.12 – Operations security (14 controls)
  • Annex A.13 – Communications security (7 controls)
  • Annex A.14 – Systems acquisition, development, and maintenance (13 controls)
  • Annex A.15 – Supplier relationships (5 controls)
  • Annex A.16 – Information security incident management (7 controls)
  • Annex A.17 – Information security aspects of business continuity management (4 controls)
  • Annex A.18 – Compliance (8 controls)

In the 2022 version, the number of controls has been reduced to 93, grouped into 4 themes:

  • People (8 controls)
  • Organizational (37 controls)
  • Technological (34 controls)
  • Physical (14 controls)

Among those 93 controls, 58 are carried over from the previous edition, 24 result from merging existing controls, and 11 are newly added.

Which standard should be used?

The answer depends on your company’s current situation:

  • If you have never been certified, or if you are just starting the implementation, you can choose the 2013 version until October 31, 2023, or the 2022 version as of October 25, 2022. However, from my viewpoint, the newest version, ISO/IEC 27001:2022, should be used to avoid double work with the transition between the two revisions.
  • If you are already certified, you can continue to use ISO/IEC 27001:2013, but you should start working on the transition as soon as possible, as the deadline is October 31, 2025, after which you will have to be certified against the 2022 revision.

If you have any projects regarding ISO 27001, whether for its implementation or to manage your internal audits, you can contact us by email at contact@apisconsulting.cn or by adding Antoine on WeChat via the QR code below.

Antoine Pilarczyk founded APIS Consulting in 2021 to help companies in China improve their cybersecurity awareness. He is a certified ISO 27001 Lead Auditor and Lead Implementer.