7 August 2023

Key Changes to ISO/IEC 27001:2022

Digitalization continues to advance, and with it the volume of information and data that organizations transfer, process and make available. This creates a clear need for requirements that defend against cyber-attacks, prevent data manipulation and avoid data loss.

Updated security measures: ISO/IEC 27001:2022.

The previous version of ISO 27001 dates back to 2013, and the threat landscape has changed significantly since then. The need to protect critical infrastructure has grown, and data transfer between organizations and systems has become a standard part of operational processes.

ISO/IEC 27001:2022 introduces revised requirements for security measures (controls), all of which serve the three essential security objectives of an ISMS: confidentiality, integrity, and availability of information.

Changes to Annex A and implementation guide

Significant changes have been made to Annex A of ISO 27001:2022 ("Information Security Controls") and to the implementation guide ISO 27002:2022, on which Annex A is based. Both have been revised to reflect the current state of technology. The security measures have been regrouped, refined and supplemented, and some have been merged or removed. Eleven controls are entirely new, among them threat intelligence, information security for use of cloud services, ICT readiness for business continuity, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, web filtering and secure coding.

Annex A previously contained 114 controls organized into 14 sections (A.5 to A.18), intended for addressing information security risks. The revised version contains 93 information security controls, categorized into the following four themes:

  • A.5 Organizational controls (37 controls)
  • A.6 People controls (8 controls)
  • A.7 Physical controls (14 controls)
  • A.8 Technological controls (34 controls)

In addition, the requirements of clause 6.1.3 (information security risk treatment) have been formulated more precisely. The clause still references the information security controls in Annex A: the controls an organization selects during risk treatment must be compared with Annex A to verify that no necessary control has been overlooked.

Organizations must therefore update their Statement of Applicability to reflect the new control set, including a justification for every control that is included or excluded.

Furthermore, the risk assessment needs to be revised against the new controls, and the resulting information security controls must be evaluated and implemented.

Moreover, ISO 27001:2022 has been aligned with the "Harmonized Structure" (HS) that all ISO management system standards now share, which simplifies integration with other management systems such as ISO 9001 or ISO 22301.

Clause 4.4 now explicitly requires the organization to determine the processes needed for the ISMS (Information Security Management System) and their interactions, as necessary for implementing and maintaining the ISMS.

Clause 5.3 has been updated to require that the responsibilities and authorities for roles relevant to information security are communicated within the organization, not merely assigned.

The normative clauses 9.2 Internal Audit and 9.3 Management Review have been aligned with the Harmonized Structure. Clause 9.2 is now divided into 9.2.1 (General) and 9.2.2 (Internal audit programme), while clause 9.3 has been subdivided into 9.3.1 (General), 9.3.2 (Management review inputs) and 9.3.3 (Management review results).

The order of clauses 10.1 and 10.2 has been swapped to follow the Harmonized Structure, so that 10.1 now covers continual improvement and 10.2 covers nonconformity and corrective action. The content of these clauses has not changed substantively.

Transition and Timeline

The new version of ISO/IEC 27001 was published on October 25, 2022. The transition period is three years: all certificates issued against ISO 27001:2013 will expire on October 31, 2025. Kiwa can assist you with the transition to ISO 27001:2022. Transition audits can be conducted within the three-year transition period as part of any planned audit, or a dedicated transition audit can be scheduled.

After April 30, 2024, initial and recertification audits must be performed according to ISO 27001:2022. Surveillance audits taking place after April 30, 2024 should include the transition to ISO 27001:2022; otherwise, your certificate will automatically become invalid on October 31, 2025.

Kiwa has applied for the transition of its accreditation to the new version of the standard. Once our accreditation has been transitioned and the new accreditation certificate has been issued, Kiwa will be able to issue certificates according to ISO 27001:2022.

Preparations for Implementation

Start preparing for the transition as early as possible and integrate the necessary changes into your management system, so that the updated ISMS has been in operation long enough to produce evidence before the transition audit.

Recommended steps for the transition include:

  • Familiarize yourself with the content and requirements of the new standard, focusing on the changes introduced by the revision (the restructured Annex A and the amended clauses 4.4, 5.3, 6.1.3, 9.2, 9.3 and 10).
  • Ensure that employees in your organization receive appropriate training to understand the requirements and changes.
  • Perform a gap analysis of your ISMS against the new requirements and create an implementation plan for closing the gaps.
  • Implement the necessary measures, update your risk assessment and Statement of Applicability, and update your management system documentation to fulfill the new requirements.