Home / ISO 27001 / ISO27001 2013 vs ISO27001 2022

ISO27001 2013 vs ISO27001 2022

Last updated Jul 5, 2025

Author: Stuart Barker | ISO 27001 Expert and Thought Leader

ISO 27001 2013 vs ISO 27001 2022

It took 9 years for ISO 27001, the information security standard, to be updated with ISO 27001:2022 being released on October 25 2022. If you’re involved in managing or implementing ISO 27001, you might be wondering what these changes mean for you. Let’s break it down.

Table of contents

Key Takeaways
Watch the tutorial
ISO 27001 History
Changes to the management system
Changes to Annex A security controls
When is ISO 27001:2013 withdrawn?
The transition period
ISO 27001 minimal changes summary
ISO 27002:2022 a more significant update to the guidance
Transitioning Smoothly

Key Takeaways

ISO 27001:2022 focusses on wording changes and simplification
Clarification is provided on Management Reviews and Internal Audits
Planning for changes to the management system was introduced
Minor word changes
1 new clause
5 new sub clauses
the numbering of 2 clauses has swapped

Watch the tutorial

ISO 27001 History

For context, let us take a look at the history and timeline of the ISO 27001 standard.

1995

the first version of the standard was released as BS 7799-2.

2005

the standard becomes ISO 27001:2005 Information technology — Security techniques — Information security management systems — Requirements

2013

the standard becomes ISO 27001:2013 Information technology — Security techniques — Information security management systems — Requirements

2022

the latest version of the standard is released ISO 27001:2022 Information security, cybersecurity and privacy protection — Information security management systems — Requirements

2024

the standard is amended to include climate change with ISO/IEC 27001:2022/Amd 1:2024 Information security, cybersecurity and privacy protection — Information security management systems — Requirements Amendment 1: Climate action changes

ISO 27001 Toolkit

Get the ISO 27001 Certification Kit >

Changes to the management system

The changes to clauses 4 through 10 were put in place to align the standard with other ISO management standards such as ISO 9001, ISO 14001 and with Annex SL.

A summary of the management system changes in ISO 27001:2022

ISO 27001 Clause 4.2

ISO/IEC 27001:2022 Clause 4.2 Understanding the needs and expectations of interested parties clarified that you will now determine which of the identified requirements will be addressed through the information security management system rather than implying it.

ISO 27001 Clause 4.3

ISO/IEC 27001:2022 Clause 4.3 Determining the scope of the information security management system removed the word ‘and’ from 4.3 b.

ISO 27001 Clause 4.4

ISO/IEC 27001:2022 Clause 4.4 Information security management system they now refer through the standard to this ‘document’ rather than this ‘international standard’. So replacement of the words ‘international standard’ with the word ‘document’. They have added into the sentence the term – ‘including the processes needed and their interactions’ to be absolutely crystal clear that processes are included, rather than implying it. In essence, nothing has changed. It is clarification of wording.

ISO 27001 Clause 5.3

ISO/IEC 27001:2022 Clause 5.3 Organisational roles, responsibilities and authorities added clarification that communication of roles is done within the organisation as was always implied but never said out right. Nothing material.

ISO 27001 Clause 6.1

ISO/IEC 27001:2022 Clause 6.1.3 Information security risk treatment The changes to ISO 27001 Clause 6.1.3 are minor but important

Changing the wording of 6.1.3 c to now reference Annex A as containing a list of possible information security controls. This is a change from it containing a comprehensive list of control objectives.
Removing the wording that control objectives are implicitly included in the controls chosen.
Changing from the control objectives listed in Annex A as being not exhaustive with additional controls may being needed to the wording of Information Security Controls listed in Annex.
Change the word control objectives to controls.
Changing the sentence of 6.1.3 d into a list for ease of reading
Changing the words ‘International Standard’ to the word ‘document’
Overall these are clarification changes and not material.

ISO 27001 Clause 6.2

ISO/IEC 27001:2022 Clause 6.2 Information security objectives and planning to achieve them ISO 27001 clause 6.2 had minor changes in the 2022 update with the changes being focussed on clarity. It introduced that information security objectives should be monitored and be available as documented information. This was always implied but is made explicit. As a result the numbering of the sub parts shifted but this is not material.

ISO 27001 Clause 6.3

ISO 27001:2022 Clause 6.3 Planning Of Changes was added and is new. When you make changes to the ISMS it requires that you do it in a planned manner.

ISO 27001 Clause 7.4

ISO/IEC 27001:2022 Clause 7.4 Communication There are minor changes to ISO 27001 Clause 7.4 in the 2022 update. The changes can be seen as a simplification. It removes who shall communicate and replaces it with how to communicate and it completely removes the need to show the processes by which communication shall be done. It is our opinion that keeping who and the process of how is good practice but you can, if you wish, not account for it directly.

ISO 27001 Clause 8.1

ISO/IEC 27001:2022 Clause 8.1 Operational planning and control The changes to ISO 27001 Clause 8.1 in the 2022 update are clarification changes and nothing material.

The wording on planning and implementing and controlling processes is widened to the more general wording of ‘meet requirements’ rather than before which was ‘meet information security requirements’.
It now talks to establishing cirtieria for the processes and implementing control of processes in line with those criteria.
Rather than keep documented information it is changed to documented information shall be available.
Outsourced processes are determined and controlled is changed to externally provided processes, products or services that are relevant to the information security management system are controlled

ISO 27001 Clause 9.1

ISO/IEC 27001:2022 Clause 9.1 Monitoring, measurement, analysis and evaluation There are clarification changes to the ISO 27001 Clause 9.1 in the 2022 update.

The words about how the organisation evaluates the information security performance and the effectiveness of the management system have been removed. They are covered to a greater or lesser degree elsewhere in the clause.
9.1 b has been updated to give guidance on the methods of monitoring, measurement, analysis and evaluation and provides that they should produce comparable results and reproducible results to be considered valid. This was previously a footnote so no material change.
9.1 e has had the word ‘and’ removed with little to no consequence.
A requirement for documented information to be available to evidence results has been included making it an explicit rather than implied requirement.
Rather than retain appropriate documentation as evidence the line has been replaced with the requirement to evaluate the information security performance and effectiveness of the information security management system.
It says pretty much the same thing, with the same requirement with a change to the wording of how it says it.

ISO 27001 Clause 9.2

ISO/IEC 27001:2022 Clause 9.2 Internal audit This clause has now had the wording removed and wording shifted to two new separate sub clauses.

ISO/IEC 27001:2022 Clause 9.2.1 General doesn’t say anything new just separates out the old clause for ease of reading
ISO/IEC 27001:2022 Clause 9.2.2 Internal audit programme doesn’t say anything new just separates out the old clause for ease of reading

ISO 27001 Clause 9.3

ISO/IEC 27001:2022 Clause 9.3 Management review This clause has now had the wording removed and wording shifted to three new separate sub clauses.

ISO/IEC 27001:2022 Clause 9.3.1 General doesn’t say anything new just separates out the old clause for ease of reading
ISO/IEC 27001:2022 Clause 9.3.2 Management review inputs doesn’t say anything new just separates out the old clause for ease of reading.
SO/IEC 27001:2022 Clause 9.3.3 Management review results doesn’t say anything new just separates out the old clause for ease of reading

ISO 27001 Clause 10.1

ISO/IEC 27001:2022 Clause 10.1 Continual improvement – no changed but used to be Clause 10.2 and now is renumbered to 10.1

ISO 27001 Clause 10.2

ISO/IEC 27001:2022 Clause 10.2 Nonconformity and corrective action – no changed but used to be Clause 10.1 and now is renumbered to 10.2

Changes to Annex A security controls

A summary of the Annex A Security controls changes in ISO 27001:2022

11 New controls were added

57 controls were merged

1 control was split

23 controls were renamed

35 controls stayed the same.

We cover this in depth in The complete guide to ISO/IEC 27002:2022

Although no controls have been removed, ISO 27001:2022 lists only 93 controls compared to the 114 controls in ISO 27001:2013’s. This is due to the large number of merged controls (57 into 24).

The controls are grouped into 4 ‘themes’ rather than 14 clauses. The themes are:

People (8 controls)
Organisational (37 controls)
Technological (34 controls)
Physical (14 controls)

The update also introduced ISO 27001 attributes. Used to view, report on and categorise controls they are:

Control type (preventive, detective, corrective)
Information security properties (confidentiality, integrity, availability)
Cyber security concepts (identify, protect, detect, respond, recover)
Operational capabilities (governance, asset management, etc.)
Security domains (governance and ecosystem, protection, defence, resilience)

ISO 27001 Certification Strategy Session

When is ISO 27001:2013 withdrawn?

ISO 27001:2013 is still valid until October 2025.

The transition period

For companies that are already certified against ISO 27001:2013, the transition to the ISO 27001:2022 needs to be completed by October 31, 2025.

ISO 27001 minimal changes summary

The good news is that the 2022 update to ISO 27001 brought very little change to the core management system itself. If you’re already familiar with the standard, you can breathe a sigh of relief. The updates were primarily focused on clarification:

Wording Adjustments: The standard now refers to itself as a “document” rather than a “standard” in certain places. Minor changes like removing extra spaces were also implemented. These are superficial changes that don’t impact the fundamental requirements.
Introduction of a Planning Clause: A new clause emphasising the importance of planning for the ISMS was added. However, for those already following established methodologies, this isn’t groundbreaking. Effectively managing an ISMS inherently involves planning for updates, reviews, audits, and other key activities. If you’ve been using a structured approach, you’ve likely been doing this all along.
Clarifications on Management Review and Internal Audit: The update provided more explicit details regarding the inputs and outputs of management reviews and internal audits. Again, this is more about formalising existing good practices.

Organizations that have been conducting thorough management reviews with documented agendas and minutes, and structured internal audits with defined inputs and outputs, won’t find this to be a significant shift.

The Takeaway for ISO 27001: Don’t panic! The changes to the management system are minimal and largely codify what many organizations were already doing. Transitioning to the 2022 version should be straightforward, especially if you have well-documented processes and a mature ISMS.

ISO 27002:2022 a more significant update to the guidance

While ISO 27001 saw minor tweaks, ISO 27002, which provides guidance on implementing the controls listed in Annex A of ISO 27001, underwent a more substantial update. This is where most of the changes you’ll need to consider reside.

Consolidation and Restructuring of Controls: The number of controls in Annex A was reduced from 114 to 93. This was achieved through consolidation, removal of some controls, and restructuring. The controls are now organised into simpler domains.
Introduction of New Controls: Eleven new controls were added, addressing areas like threat intelligence, information security during development, ICT readiness for business continuity, and physical security monitoring.
Focus on Guidance: The update aims to provide more comprehensive and up-to-date guidance on implementing these controls.

For a breakdown of the changes to ISO 27001 Annex A / ISO 27002:2022 read The complete guide to ISO/IEC 27002:2022

Transitioning Smoothly

When transitioning to the updated standards, remember these key points:

Focus on the Management System Clarifications: Ensure your documentation and processes align with the minor clarifications in ISO 27001.
Assess the New Controls in ISO 27002: Don’t feel obligated to implement every single new control. Conduct a risk assessment to determine which controls are necessary and appropriate for your organisation.
Treat Guidance as Guidance: The guidance in ISO 27002 is just that – guidance. Adapt it to your specific context and don’t be afraid to deviate if necessary.
Leverage Existing Frameworks: If you’re already using a robust ISMS framework, the transition should be manageable. Many of the concepts and practices remain the same.

Tags:

Stuart Barker, ISO 27001 expert

Stuart Barker
ISO 27001 Expert and Thought Leader

ISO 27001 Toolkit Business Edition

ISO 27001 Jumpstart Kit

ISO 27001 Consultant Toolkit

Stuart Barker, ISO 27001 expert

About the author

Stuart Barker is an information security practitioner of over 30 years. He holds an MSc in Software and Systems Security and an undergraduate degree in Software Engineering. He is an ISO 27001 expert and thought leader holding both ISO 27001 Lead Implementer and ISO 27001 Lead Auditor qualifications. In 2010 he started his first cyber security consulting business that he sold in 2018. He worked for over a decade for GE, leading a data governance team across Europe and since then has gone on to deliver hundreds of client engagements and audits.

He regularly mentors and trains professionals on information security and runs a successful ISO 27001 YouTube channel where he shows people how they can implement ISO 27001 themselves. He is passionate that knowledge should not be hoarded and brought to market the first of its kind online ISO 27001 store for all the tools and templates people need when they want to do it themselves.

In his personal life he is an active and a hobbyist kickboxer.

His specialisms are ISO 27001 and SOC 2 and his niche is start up and early stage business.

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.

Necessary

Necessary

Always Enabled

Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
wp_woocommerce_session_*	2 days	WooCommerce sets this cookie to make a unique code for each customer so that it knows where to find the cart data in the database for each one.
yith_wcmcs_currency	7 days	Required for currency conversion.
__stripe_mid	1 year	Stripe sets this cookie to process payments.
__stripe_sid	1 hour	Stripe sets this cookie to process payments.

Functional

Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.

Cookie	Duration	Description
yt-player-headers-readable	never	The yt-player-headers-readable cookie is used by YouTube to store user preferences related to video playback and interface, enhancing the user's viewing experience.
yt-remote-cast-available	session	The yt-remote-cast-available cookie is used to store the user's preferences regarding whether casting is available on their YouTube video player.
yt-remote-cast-installed	session	The yt-remote-cast-installed cookie is used to store the user's video player preferences using embedded YouTube video.
yt-remote-connected-devices	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-device-id	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-fast-check-period	session	The yt-remote-fast-check-period cookie is used by YouTube to store the user's video player preferences for embedded YouTube videos.
yt-remote-session-app	session	The yt-remote-session-app cookie is used by YouTube to store user preferences and information about the interface of the embedded YouTube video player.
yt-remote-session-name	session	The yt-remote-session-name cookie is used by YouTube to store the user's video player preferences using embedded YouTube video.
ytidb::LAST_RESULT_ENTRY_KEY	never	The cookie ytidb::LAST_RESULT_ENTRY_KEY is used by YouTube to store the last search result entry that was clicked by the user. This information is used to improve the user experience by providing more relevant search results in the future.

Performance

Analytics

Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.

Cookie	Duration	Description
sbjs_current	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_current_add	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_first	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_first_add	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_migrations	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_session	1 hour	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_udata	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.

Advertisement

Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.

Cookie	Duration	Description
PREF	8 months	PREF cookie is set by Youtube to store user preferences like language, format of search results and other customizations for YouTube Videos embedded in different sites.
VISITOR_INFO1_LIVE	6 months	YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
VISITOR_PRIVACY_METADATA	6 months	YouTube sets this cookie to store the user's cookie consent state for the current domain.
YSC	session	Youtube sets this cookie to track the views of embedded videos on Youtube pages.
yt.innertube::nextId	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.

Others

Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.

Cookie	Duration	Description
m	1 year 1 month 4 days	No description available.
_monsterinsights_uj	1 year	Description is currently not available.