ISO/IEC 27001:2022 [New Guidelines & Checklist]

Anwita

Mar 31, 2024

ISO 27001, the international compliance standard that helps organizations manage their information security management systems (ISMS), undergoes a systematic review every five years.

This is a crucial process that helps to update the standard as per global changes and requirements. It helps ISO understand its global relevance and how it affects various industries. The result of this continuous improvement process is the release of ISO 27001:2022 clauses. 

If you want to implement an ISMS or already have one, your systems and processes should align with the latest requirements: ISO 27001:2022.

This article covers the additions, changes, and differences between ISO 27001:2013 and ISO 27001:2022.

TL;DR

  • The goal: To update the ISO 27001 standard in line with global changes, cyber attacks, and requirements, resulting in ISO 27001:2022.
  • ISO 27001:2022 changes: ISO 27001:2022 features technical revisions and aligns with ISO 27002:2022, with updates in document length, structural changes, terms and definitions, planning, support, operation, performance evaluation, and improvement.
  • The result: ISO 27001:2022 offers a broader approach covering information security, cloud security, data protection, and physical security, with 93 controls in Annex A and 11 new controls addressing evolving security needs. Organizations have up to three years to update their ISMS but can start incorporating minor changes now. Sprinto offers assistance in implementing compliance seamlessly.

What has changed in the latest ISO 27001 revision?

The latest changes in ISO 27001 highlight information security, cybersecurity, and privacy protection, with the most notable changes in Annex A. This section has been updated to align with the ISO 27002:2022 revisions.

While some controls have been combined, others are entirely new, potentially necessitating adjustments to your current implementation if you intend to incorporate them into your Statement of Applicability.

We’ll go into further detail in the next section.

What are the requirements of ISO 27001: 2022?

The ISO 27001:2022 international standard sets forth the requirements for establishing, implementing, maintaining, and continually improving your ISMS. These requirements give a company a systematic framework to manage IT security risks and cyber-attacks.

With that said, here are the requirements of ISO 27001:2022:

  • 4.1 Deals with understanding your organization and its context to establish and manage the ISMS
  • 4.2 Comprehend the needs and expectations of interested parties
  • 4.3 Set the scope of your ISMS using defined criteria – an absolute must
  • 4.4 Put in place a real ISMS, and manage it effectively, not just ‘maintain’ it
  • 5.1 Emphasizes the need for organizational leadership to be actively involved and visible in supporting information security in the organization
  • 5.2 Addresses the implementation, operation, and management of roles and responsibilities for an organization’s information security
  • 5.3 A key area which focuses on separating conflicting duties and responsibilities, reducing the risk of errors, fraud, or bypassing of information security controls
  • 6.1 An organization must establish a methodology for the systematic assessment of risk, which must be thoroughly documented for each risk
  • 6.2 Discusses the need for a formal agreement to outline new employee responsibilities and the organization’s commitments regarding information security
  • 7.1 Enables an organization to demonstrate its implementation of an effective physical boundary to avoid unauthorized physical access to its site and assets
  • 7.2 Details the need for an organization to protect areas that contain secure information with adequate entry controls
  • 7.3 Details what is required to establish and implement physical security controls that are applicable to offices, rooms, and facilities
  • 7.4 Requires organizations to demonstrate what they are doing to monitor and control access to their site – and thus prevent unauthorized physical access
  • 7.5 Requires organizations to implement suitable surveillance equipment as an essential means of detecting and responding to security events
  • 8.1 An organization must plan, implement, and control the processes needed to fulfil information security requirements
  • 8.2 Information security risk assessment
  • 8.3 Information security risk treatment
  • 9.1 An organization must assess the performance and effectiveness of the ISMS
  • 9.2 An organization must conduct internal audits to verify whether its ISMS and related controls are functioning effectively
  • 9.3 Top management must review and evaluate the organization’s Information Security Management System at defined intervals
  • 10.1 Looks at what an organization needs to do in the event of non-compliance with the standard
  • 10.2 Based on nonconformity and corrective action, these requirements detail how an organization must effectively manage the situation when things are incorrect

How can Sprinto help?

Sprinto helps you put your ISO 27001 program on autopilot. For the new version, it helps you by identifying gaps in your ISMS, automating crucial compliance tasks, and making recommendations on establishing the right controls and policies.

To see how this worked, see how Sprinto gave Intellect the confidence to achieve its ISO 27001 goals.

ISO 27001 2013 Vs ISO 27001 2022: Main differences

If you are reading this because you wish to align your ISMS with the new developments, take a sigh of relief. The changes, while notable, are not really significant. You can refer to the ISO 27001:2013 document PDF to compare.

Structural changes

The structure of the table of contents has changed. Sections like planning, support, operation, and performance evaluation now have more sub-clauses. It is clearer to read and easier to implement.

Terms and definition

Section 3 of ISO 27001:2013 had references only to ISO 27000. ISO 27001:2022 refers to terminology databases from ISO and IEC in addition to ISO 27001. This broader scope, with more terms and definitions, gives practitioners access to a richer repository of definitions, which in turn makes the interpretation of the standard’s requirements clearer.

Context of organization

Section 4 of 2022 has an additional sub-clause to clause 4.2 (understanding the needs and expectations of the interested parties). This sub-clause requires organizations to determine which of the requirements stated in the other two sub-clauses will be addressed through their ISMS. 

Additionally, the 2013 version of sub-clause 4.4 (information security management system) mentioned only the requirement. The revised document adds the inclusion of the required processes and their interactions.

Planning

Section 6 clause 6.2 (information security objectives and planning to achieve them) of 2013 had ten requirements. The 2022 version now includes two new requirements – be monitored and be available as documented information. 

This section also incorporates a new clause, 6.3 (planning of changes). It requires organizations to implement changes in a planned and systematic manner.

Support

Section 7 clause 7.4 (Communication) had five guidelines on internal and external communications. The ISO 27001:2022 version has four guidelines, where a new fourth one (how to communicate) replaced the last two (on who communicates and the process by which communication is effected).

Operation

Section 8 clause 8.1 (Operational planning and control) of 2022 has two new guidelines on how to meet the requirements and actions of clause 6. These include establishing criteria for processes and implementing controls as per those criteria.

Performance evaluation

Section 9 clause 9.1 (Monitoring, measurement, analysis, and evaluation) of the new 2022 version now requires organizations to evaluate the performance of information security and the effectiveness of the ISMS.

Additionally, two clauses in this section are divided into subclauses. 

Clause 9.2 (Internal audit) is now subdivided into two sub-clauses: 9.2.1 – General and 9.2.2 – Internal audit programme. The text of the guidelines remains the same.

Clause 9.3 (Management review) is subdivided into 9.3.1 – General and 9.3.2 – Management review inputs. 9.3.2 adds one requirement to the inputs management should consider while reviewing: changes in the needs and expectations of parties relevant to the ISMS.

Guideline name

The first noticeable change is the name of the standard. Previously, it was Information technology — Security techniques — Information security management systems — Requirements.

Now, it reads Information security, cybersecurity and privacy protection — Information security management systems — Requirements.

Also, the number of pages in the 2013 document was 23, while the current version has only 19 pages. The change in length suggests that content has been modified, removed, or consolidated to align with new standards and guidelines.

Improvement

Section 10 had only one clause: 10.1 (Nonconformity and corrective action). This section now has two clauses: 10.1 (Continual improvement) and 10.2 (Nonconformity and corrective action). The text of the guideline remains unchanged.

In essence, ISO 27001:2022 has shifted the focus from information security alone to a broader approach that includes cloud security, data protection, and physical security.

Updates in ISO/IEC 27001:2022

Several clauses underwent rewording or reordering in the latest version. Note that there are very few fresh requirements in clauses 4-10. 

[Image: ISO 27001:2022 controls comparison table]

The table above helps you spot the differences at a glance. Let’s expand on the controls category by category:

Organizational controls – 37

  • A 5.1: Managing direction and support for information security
  • A 5.2: Top management shall be involved in creating an information security policy
  • A 5.3: Segregation of duties to separate conflicting tasks
  • A 5.4: Management should require all personnel to apply information security in accordance with the established information security policy
  • A 5.5: Organizations have to put in place an official procedure for engaging the proper authorities
  • A 5.6: Companies are advised to create and maintain connections with people with marginalized interests
  • A 5.7: The purpose of this control is for companies to be capable of compiling and examining information about present-day and possible threats
  • A 5.8: Ensures that the security risks linked to projects and deliverables are properly managed during the project management process
  • A 5.9: Provides instructions to stakeholders on completing the inventory of information and assets, including their owners
  • A 5.10: Lays out a framework for companies to ensure that such data and other resources are properly secured
  • A 5.11: The organization’s assets, such as books, laptops, cars, and other portable items, must be returned to the organization when an employee changes job or when the contract or agreement ceases
  • A 5.12: Protecting organizational systems, including the control of risks that can be identified by determining the level of protection for each information asset
  • A 5.13: Safeguard the information assets from possible dangers
  • A 5.14: Enumerates the particular details of rules, procedures, and agreements for all three types of transfer
  • A 5.15: Authorize access and prevent illegal access to information and related assets
  • A 5.16: Provide a means of identifying people or systems in the event of any intrusion into the organisation’s information
  • A 5.17: Necessitates an organisation-wide framework for setting the rules, procedures, and measures for handling authorization information
  • A 5.18: Accounting for the assignment, modification, and revocation of access rights based on the dictates of the business
  • A 5.19: Procedures and principles need to be developed and used to mitigate risk related to information security
  • A 5.20: Incorporating information security into supplier agreements
  • A 5.21: Maintain an ongoing level of information security in supplier relationships
  • A 5.22: Ban misuse of systems, reserve the right to monitor, and maintain an agreed level of information security and service delivery
  • A 5.23: Describes the necessary procedures for acquiring, utilizing, managing, and terminating cloud services
  • A 5.24: Deals with how organizations should address information security incidents by establishing streamlined processes
  • A 5.25: The identification, assessment, and prioritization of information security-related incidents, for example by type, time of day, location, etc.
  • A 5.26: Best practices for managing information security incidents, events, and vulnerabilities; improvement programs should include procedures to manage them
  • A 5.27: Organizations should establish rules for preparing evidence and handing it to the authorities. Training should cover rules for avoiding tampering with evidence and educating staff to do the same; disciplinary measures for those who breach these rules may also be outlined in the contractual agreement
  • A 5.28: Addresses the legal and disciplinary repercussions of gathering evidence related to an information security incident
  • A 5.29: Information security should be included in the wider risk assessment / business continuity management plan of the organization
  • A 5.30: A corrective measure that manages risk by establishing ICT continuity plans that enhance the organization’s overall operational resilience
  • A 5.31: Describes how legislation, regulations, and contractual obligations form part of an organization’s information security priorities
  • A 5.32: Outlines the necessary steps organizations must take to ensure compliance with intellectual property (IP) rights
  • A 5.33: Protection of records
  • A 5.34: Privacy and protection of PII
  • A 5.35: Independent review of information security
  • A 5.36: Compliance with policies, rules, and standards for information security
  • A 5.37: Documented operating procedures

Technological controls – 34

  • A 8.1: Responsibility for devices
  • A 8.2: Information classification
  • A 8.3: A procedure for alerts to flag any unauthorized usage of data, including unauthorized access, distribution, and attempted deletion, among other actions
  • A 8.4: Requires organizations to control access to source code with a predefined set of stringent read and/or write privileges
  • A 8.5: A preventive measure that keeps risk levels in check by implementing technology and establishing secure authentication measures
  • A 8.6: A dual-purpose preventive and detective control that manages risk by implementing detective controls
  • A 8.7: A triple-purpose preventive, detective, and corrective control that manages risk by implementing policies and procedures
  • A 8.8: Management of technical vulnerabilities
  • A 8.9: A preventive control that manages risk by establishing policies governing how an organization documents and implements procedures
  • A 8.10: Covers maintenance activities concerning the deletion and destruction of data and/or IT assets
  • A 8.11: Deals with data masking
  • A 8.12: Describes how data leakage is a common concern for organizations handling large volumes of data
  • A 8.13: Describes how technical support staff maintaining an organization’s network should manage daily backup operations
  • A 8.14: Guarantees the uninterrupted operation of information processing facilities
  • A 8.15: A detective control that modifies risk by adopting a logging approach that meets the aforementioned objectives
  • A 8.16: A dual-purpose detective and corrective control that adjusts risk by enhancing monitoring activities to detect anomalous behavior
  • A 8.17: Describes the implementation of controls to ensure accurate and reliable synchronization of information system clocks
  • A 8.18: Sets guidelines for the use of any utility program capable of overriding critical business systems and applications
  • A 8.19: Covers technical concepts related to the maintenance and management of operational computer systems
  • A 8.20: A comprehensive set of protocols that govern network security in all its forms
  • A 8.21: A preventive control that manages risk by establishing a set of rules governing the use of network services
  • A 8.22: Describes the application of network segregation methods to prevent risks to the availability, integrity, and confidentiality of information assets
  • A 8.23: Assists organizations in mitigating security risks, such as preventing malware infection from accessing external websites with malicious content
  • A 8.24: Enables organizations to safeguard the confidentiality, integrity, authenticity, and availability of information assets
  • A 8.25: Deals with the secure development life cycle
  • A 8.26: Prevents risks to the integrity, availability, and confidentiality of information assets stored in applications
  • A 8.27: Describes how to safeguard information systems from security threats by implementing secure system engineering principles
  • A 8.28: Enables organizations to mitigate security risks and vulnerabilities stemming from inadequate software coding practices
  • A 8.29: Allows organizations to ensure that security requirements are fulfilled during the implementation of new applications, databases, software, or code
  • A 8.30: Creating and entering into licensing agreements to address code ownership and intellectual property rights
  • A 8.31: The organization should define the processes and technical controls for secure separation among the various information processing systems and facilities
  • A 8.32: To protect its information assets, the organization must ensure that they can be safeguarded when changes are being made to the information processing systems and facilities
  • A 8.33: The organization should carefully choose and safeguard the most suitable organization-owned information for the testing phase
  • A 8.34: To secure information assets during audit tests, organizations should ensure that the time during which information is awaiting destruction is minimized

Physical controls – 14

  • A 7.1: Ensure that employees, contractors, and visitors understand their responsibilities
  • A 7.2: Ensure that secure areas are secured with appropriate entry controls and access points in a manner that deters and detects
  • A 7.3: Develop and implement physical security measures to protect office buildings, rooms, and other facilities within the confines of the perimeter established by the above secure areas requirements
  • A 7.4: The organization shall use suitable surveillance equipment to monitor secure areas where sensitive, unclassified information is processed or where sensitive, unclassified equipment is located
  • A 7.5: Effective controls shall be established and maintained to restrict access to secure areas to those employees, contractors, and visitors who have a valid need for such access, by means of identification plus further need-to-know and verification procedures as appropriate
  • A 7.6: Smash-and-grab situations, where personnel take information or equipment from desks and office locations, are too often a source of breaches. Protect all information in a secure area from unauthorized removal
  • A 7.7: Take action to prevent unauthorized access to sensitive information residing on, or transmitted by, automated information systems located in employee workstations
  • A 7.8: Take action, as necessary, to eliminate or reduce adverse physical threats or hazards to the information systems, such as fire, flood, earthquakes, intrusion, and others, to protect facilities where sensitive, unclassified information is produced, processed, used, stored, or transmitted
  • A 7.9: If sensitive, unclassified information is retained in computers located in homes or residences off-site, the organization shall ensure that organization-owned devices are properly protected
  • A 7.10: Ensure that storage media is marked and controlled and that sensitive, unclassified information is destroyed, erased, or declassified as appropriate before the media is reused or released for disposal
  • A 7.11: The organization shall protect supporting utility services from failures or interruptions, such as power failures, energy fluctuations and spikes, communications failures, similar major external service interruptions, and any other service interruption with high impact
  • A 7.12: Cleartext data shall not be transmitted over the wire. Encrypt data that is not sent over encrypted tunnels, protecting information assets both in storage and in transit
  • A 7.13: Appropriate action shall be taken to ensure that any technical measures to maintain the information asset are taken and that these technical measures will not damage or reduce the effectiveness of the maintenance or service contract
  • A 7.14: The organization shall identify and document sensitive data and take appropriate security measures to assure that all information in a secure area is appropriately secured

People controls – 8

  • A 6: Planning
  • A 6.2: Deals with the terms and conditions of employment
  • A 6.3: Deals with how the company needs to have an information security program
  • A 6.4: You need to create a disciplinary process
  • A 6.5: This section deals with what the responsibilities of the company are after termination or change of employment
  • A 6.6: You shall maintain the confidentiality of the information that “is accessed by people working on behalf of the organization”
  • A 6.7: Deals with remote working
  • A 6.8: It tells you how to set up a system for reporting information security incidents within the framework

What are the 11 new controls introduced in ISO 27001:2022? 

The 11 new controls introduced in ISO 27001:2022 address the continuously evolving nature of information security. They are:

  • 5.7 Threat intelligence
  • 5.23 Information security for use of cloud services
  • 5.30 ICT readiness for business continuity
  • 7.5 Physical security monitoring
  • 8.9 Configuration management
  • 8.10 Information deletion
  • 8.11 Data masking
  • 8.12 Data leakage prevention
  • 8.16 Monitoring activities
  • 8.23 Web filtering
  • 8.28 Secure coding

During the transition period to the new version, your team might need to spend more time addressing the first control. The requirement for ‘threat intelligence’ sets this apart from earlier iterations and other cybersecurity frameworks, as it demands a precise identification of threats.

Do organizations need to relook at the ISO 27001 implementation process?

While ISO 27001:2022 is not significantly different from the 2013 version, you can start incorporating the minor changes. You don’t have to work on them right away, as you have up to three years to update your ISMS.

However, we don’t recommend keeping your to-dos locked away for three years as certification bodies may not offer certification for the older version by then.

You can use the controls from Annex A to review your own controls, but do compare them with the 2013 controls in your statement of applicability (SoA).

To sum it up, here’s an ISO/IEC 27001:2022 checklist to get started:

Review and update your:

  • Risk treatment plan, to align it with the new controls
  • SoA
  • ISMS review process
  • ISMS communication plan
  • IS objectives

[Image: ISO 27001:2022 implementation checklist]

ISO 27001:2022 implementation made easy

Implementing compliance is hectic. Updates, while necessary to revamp systems that are no longer applicable, can add to the headache.

Whether you wish to update your ISMS or implement a new one, Sprinto simplifies the end-to-end process. A combination of the Sprinto tool and a team of experts reviews your system to help you add new controls, monitor the existing ones for non-compliance, and report issues to the relevant team.

With Sprinto, you don’t have to worry about any requirement, no matter how small or specific it is. Automation at every step of the process takes care of even the most complex tasks. Talk to our experts about your business needs now.

FAQs

What is the release date of ISO 27001:2022?

ISO 27001:2022, the third and latest revised version of the ISO 27001 standard, was released on October 25, 2022.

What has changed in the new ISO 27001 version?

ISO 27001:2022 has undergone some technical revisions. The text now aligns with the harmonized structure of management system standards and with ISO 27002:2022. The number of controls has been reduced from 114 to 93.

What are the versions of ISO 27001?

The latest version is ISO/IEC 27001:2022, published in October 2022. There were versions before that: the first came out in 2005 as ISO/IEC 27001:2005, and a second version followed in 2013. The current release is the third revision of that same standard, published in 2022.

Should I choose ISO 27001 or SOC 2?

It depends on what matters most to you. ISO 27001 is recognized globally, which could mean bonus points with international partners or clients, for example. 

But remember, getting ISO 27001 can take longer — about 50-60% more time to be specific — and that extra time can also add around 50-60% to the cost. With SOC 2, a licensed CPA firm needs to review it, while ISO 27001 needs to be certified by an accredited registrar. So it’s a question of international recognition vs. extra time and money.

Anwita

Anwita is a cybersecurity enthusiast and veteran blogger all rolled into one. Her love for everything cybersecurity started her journey into the world of compliance. With multiple cybersecurity certifications under her belt, she aims to simplify complex security-related topics for all audiences. She loves to read nonfiction, listen to progressive rock, and watch sitcoms on the weekends.
