ISO 27001 2013 vs 2022

Home / ISO 27001 / ISO 27001 2013 vs 2022

ISO 27001 2013 vs 2022 explained simply. The key changes and how to transition to the new version.

Table of contents

ISO 27001: Minimal Changes to the Management System
ISO 27002: A More Significant Update to the Guidance
Digging Deeper into the New Controls (and Some Questionable Aspects):
Transitioning Smoothly
In Conclusion

The world of information security standards can sometimes feel like it’s constantly shifting. Recently, there have been updates to both ISO 27001, the standard for information security management systems (ISMS), and ISO 27002, the guidance document that supports it. If you’re involved in managing or implementing ISO 27001, you might be wondering what these changes mean for you. Let’s break it down.

ISO 27001: Minimal Changes to the Management System

The good news is that the 2022 update to ISO 27001 brought very little change to the core management system itself. If you’re already familiar with the standard, you can breathe a sigh of relief. The updates were primarily focused on clarification:

Wording Adjustments: The standard now refers to itself as a “document” rather than a “standard” in certain places. Minor changes like removing extra spaces were also implemented. These are superficial changes that don’t impact the fundamental requirements.
Introduction of a Planning Clause: A new clause emphasising the importance of planning for the ISMS was added. However, for those already following established methodologies, this isn’t groundbreaking. Effectively managing an ISMS inherently involves planning for updates, reviews, audits, and other key activities. If you’ve been using a structured approach, you’ve likely been doing this all along.
Clarifications on Management Review and Internal Audit: The update provided more explicit details regarding the inputs and outputs of management reviews and internal audits. Again, this is more about formalising existing good practices.

Organizations that have been conducting thorough management reviews with documented agendas and minutes, and structured internal audits with defined inputs and outputs, won’t find this to be a significant shift.

The Takeaway for ISO 27001: Don’t panic! The changes to the management system are minimal and largely codify what many organizations were already doing. Transitioning to the 2022 version should be straightforward, especially if you have well-documented processes and a mature ISMS.

ISO 27002: A More Significant Update to the Guidance

While ISO 27001 saw minor tweaks, ISO 27002, which provides guidance on implementing the controls listed in Annex A of ISO 27001, underwent a more substantial update. This is where most of the changes you’ll need to consider reside.

Consolidation and Restructuring of Controls: The number of controls in Annex A was reduced from 114 to 93. This was achieved through consolidation, removal of some controls, and restructuring. The controls are now organised into simpler domains.
Introduction of New Controls: Eleven new controls were added, addressing areas like threat intelligence, information security during development, ICT readiness for business continuity, and physical security monitoring.
Focus on Guidance: The update aims to provide more comprehensive and up-to-date guidance on implementing these controls.

Digging Deeper into the New Controls (and Some Questionable Aspects):

While most of the new controls are sensible additions reflecting the evolving threat landscape, some have raised eyebrows:

Cloud Services Control: A new control specifically addressing cloud security was introduced. While cloud security is crucial, the guidance associated with this control includes recommendations, such as having an account manager with the cloud provider and conducting audits, which may not be feasible or necessary for all organizations, especially when dealing with major providers like Microsoft and Amazon. It’s important to view this guidance critically and apply it proportionate to your risk and business needs. In many ways, managing cloud providers effectively aligns with existing third-party supplier management practices.
Data Leakage Prevention: This control, while important, overlaps with existing data protection regulations like GDPR, which already mandate measures like data masking and anonymization.
Business Continuity and BIA: Similarly, the update includes elements related to business continuity and business impact assessments (BIA), areas already well-covered by ISO 22301. This feels like a bit of “land grabbing” from other established standards.

The Takeaway for ISO 27002: The update to ISO 27002 requires more attention. You’ll need to review the new set of 93 controls and assess which ones are relevant to your organisation’s risks and business needs. Treat these new controls like any other potential control:

Identify the Risk: Do you have a risk that the new control aims to mitigate?
Evaluate the Control: Does the control effectively mitigate that risk?
Implement Proportionately: If you decide to implement the control, tailor the implementation to your specific risk profile, budget, and business requirements. Don’t blindly follow the guidance if it doesn’t make sense for your organization.

Transitioning Smoothly

When transitioning to the updated standards, remember these key points:

Focus on the Management System Clarifications: Ensure your documentation and processes align with the minor clarifications in ISO 27001.
Assess the New Controls in ISO 27002: Don’t feel obligated to implement every single new control. Conduct a risk assessment to determine which controls are necessary and appropriate for your organization.
Treat Guidance as Guidance: The guidance in ISO 27002 is just that – guidance. Adapt it to your specific context and don’t be afraid to deviate if necessary.
Leverage Existing Frameworks: If you’re already using a robust ISMS framework, the transition should be manageable. Many of the concepts and practices remain the same.

In Conclusion

The updates to ISO 27001 and ISO 27002, while requiring some attention, shouldn’t be a cause for significant concern. The changes to ISO 27001 are minimal, and while ISO 27002 has been updated more substantially, a thoughtful and risk-based approach to assessing and implementing the new controls will ensure a smooth transition. Remember to document your decisions and maintain a focus on continuous improvement to keep your information security management system effective and aligned with your business needs.

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.

Necessary

Necessary

Always Enabled

Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
wp_woocommerce_session_*	2 days	WooCommerce sets this cookie to make a unique code for each customer so that it knows where to find the cart data in the database for each one.
yith_wcmcs_currency	7 days	Required for currency conversion.
__stripe_mid	1 year	Stripe sets this cookie to process payments.
__stripe_sid	1 hour	Stripe sets this cookie to process payments.

Functional

Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.

Cookie	Duration	Description
yt-player-headers-readable	never	The yt-player-headers-readable cookie is used by YouTube to store user preferences related to video playback and interface, enhancing the user's viewing experience.
yt-remote-cast-available	session	The yt-remote-cast-available cookie is used to store the user's preferences regarding whether casting is available on their YouTube video player.
yt-remote-cast-installed	session	The yt-remote-cast-installed cookie is used to store the user's video player preferences using embedded YouTube video.
yt-remote-connected-devices	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-device-id	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-fast-check-period	session	The yt-remote-fast-check-period cookie is used by YouTube to store the user's video player preferences for embedded YouTube videos.
yt-remote-session-app	session	The yt-remote-session-app cookie is used by YouTube to store user preferences and information about the interface of the embedded YouTube video player.
yt-remote-session-name	session	The yt-remote-session-name cookie is used by YouTube to store the user's video player preferences using embedded YouTube video.
ytidb::LAST_RESULT_ENTRY_KEY	never	The cookie ytidb::LAST_RESULT_ENTRY_KEY is used by YouTube to store the last search result entry that was clicked by the user. This information is used to improve the user experience by providing more relevant search results in the future.

Performance

Analytics

Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.

Cookie	Duration	Description
sbjs_current	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_current_add	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_first	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_first_add	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_migrations	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_session	1 hour	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_udata	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.

Advertisement

Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.

Cookie	Duration	Description
PREF	8 months	PREF cookie is set by Youtube to store user preferences like language, format of search results and other customizations for YouTube Videos embedded in different sites.
VISITOR_INFO1_LIVE	6 months	YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
VISITOR_PRIVACY_METADATA	6 months	YouTube sets this cookie to store the user's cookie consent state for the current domain.
YSC	session	Youtube sets this cookie to track the views of embedded videos on Youtube pages.
yt.innertube::nextId	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.

Others

Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.

Cookie	Duration	Description
m	1 year 1 month 4 days	No description available.
_monsterinsights_uj	1 year	Description is currently not available.