In this article I lay bare the changes to the ISO 27001 standard that happened in 2022.
Using over two decades of experience on hundreds of ISO 27001 audits and ISO 27001 certifications I am going to show you what’s new, show you how to transition, give you templates, show you examples and do a walkthrough.
In this ISO 27001 certification guide I show you exactly what changed in the ISO 27001:2022 update.
I am Stuart Barker, the ISO 27001 Ninja, and this is everything you need to know about ISO 27001:2022.
Table of contents
- What is ISO/IEC 27001:2022?
- What has changed in the new version of ISO/IEC 27001:2022?
- What do I need to know about the new version of ISO 27001?
- What should I do for the new version of ISO 27001?
- The new ISO/IEC 27001:2022 with changes listed
- ISO 27001:2013 Versus ISO 27001:2022
- The top 3 Mistakes People make with the new ISO 27001:2022
- The 3 things you missed that have changed in ISO 27001:2022
- ISO/IEC 27001:2022 Release Date
- ISO/IEC 27001:2022 FAQ
What is ISO/IEC 27001:2022?
ISO 27001 is the international standard for information security management. It sets out the requirements for an Information Security Management System (ISMS), and an organisation that meets those requirements can be audited and awarded ISO 27001 certification. ISO/IEC 27001:2022 is the much anticipated 2022 update to the standard.
Its full title is: ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection — Information security management systems — Requirements
What has changed in the new version of ISO/IEC 27001:2022?
In reality, very little has changed in the main body of ISO/IEC 27001:2022. The following is a summary of the ISO 27001:2022 changes:
- Minor wording changes
- 1 new clause (6.3 Planning of changes)
- 5 new sub clauses (9.2.1, 9.2.2, 9.3.1, 9.3.2 and 9.3.3, which split the existing internal audit and management review clauses)
- the numbering of 2 clauses has swapped (10.1 and 10.2)
- Annex A replaced with the ISO/IEC 27002:2022 control set, which is where the substantive change lies
What do I need to know about the new version of ISO 27001?
You need to know that you do not need to panic. This is not a revolution. It is barely an evolution. The main focus seems to be to align the clause numbering with the harmonised structure used by other ISO management system standards, and to address the fact that the date of the last major revision was 2013.
What should I do for the new version of ISO 27001?
The first thing you should do for the new version of ISO 27001 is not panic. Very little has changed. Now that the new version is in final release, get yourself a copy.
The new ISO/IEC 27001:2022 with changes listed
Here we list the summary changes to the ISO 27001 standard.
ISO/IEC 27001:2022 | Changes |
---|---|
ISO/IEC 27001:2022 Clause 4 Context of the Organization | |
ISO/IEC 27001:2022 Clause 4.1 Understanding the organisation and its context | No Change |
ISO/IEC 27001:2022 Clause 4.2 Understanding the needs and expectations of interested parties | There is no real change to ISO 27001 clause 4.2 in the 2022 update. It now states explicitly, rather than implying, that you determine which of the identified requirements will be addressed through the information security management system. |
ISO/IEC 27001:2022 Clause 4.3 Determining the scope of the information security management system | Not a massive change to ISO 27001 Clause 4.3 in the 2022 update as the only thing it does is remove the word ‘and’ from 4.3 b. Great isn’t it? |
ISO/IEC 27001:2022 Clause 4.4 Information security management system | The standard now refers to itself throughout as this ‘document’ rather than this ‘international standard’, so replace the words ‘international standard’ with the word ‘document’. The phrase ‘including the processes needed and their interactions’ has been added to the sentence to make it crystal clear that processes are included, rather than implying it. In essence, nothing has changed. It is clarification of wording. |
ISO/IEC 27001:2022 Clause 5 Leadership | |
ISO/IEC 27001:2022 Clause 5.1 Leadership and commitment | No Change |
ISO/IEC 27001:2022 Clause 5.2 Policy | No Change |
ISO/IEC 27001:2022 Clause 5.3 Organisational roles, responsibilities and authorities | The changes to ISO 27001 clause 5.3 in the 2022 update are minor at best: ‘International Standard’ becomes ‘document’, and it is now stated outright that the communication of roles, responsibilities and authorities is within the organisation, as was always implied. Nothing material. |
ISO/IEC 27001:2022 Clause 6 Planning | |
ISO/IEC 27001:2022 Clause 6.1 Actions to address risks and opportunities | No Change |
ISO/IEC 27001:2022 Clause 6.1.1 General | Brace yourself. The massive update was to remove the word ‘and’ from 6.1.1 b. |
ISO/IEC 27001:2022 Clause 6.1.2 Information security risk assessment | No Change |
ISO/IEC 27001:2022 Clause 6.1.3 Information security risk treatment | The changes to ISO 27001 Clause 6.1.3 are minor but important. 6.1.3 c now refers to Annex A as containing a list of possible information security controls, rather than a comprehensive list of control objectives and controls. The wording that control objectives are implicitly included in the controls chosen has been removed. The note that the control objectives listed in Annex A are not exhaustive, and that additional controls may be needed, now refers instead to the information security controls listed in Annex A. Throughout, ‘control objectives’ becomes ‘controls’. 6.1.3 d has been split into a list for ease of reading, and ‘International Standard’ becomes ‘document’. Overall these are clarification changes and not material, although the Statement of Applicability required by 6.1.3 d will need to be rebuilt against the new Annex A. |
ISO/IEC 27001:2022 Clause 6.2 Information security objectives and planning to achieve them | ISO 27001 clause 6.2 had minor changes in the 2022 update, focused on clarity. It now states that information security objectives shall be monitored and shall be available as documented information. This was always implied but is now explicit. As a result the lettering of the sub parts has shifted, but this is not material. |
ISO 27001:2022 Clause 6.3 Planning Of Changes | NEW – when you make changes to the ISMS do it in a planned manner. Which you were anyway. |
ISO/IEC 27001:2022 Clause 7 Support | |
ISO/IEC 27001:2022 Clause 7.1 Resources | No Change |
ISO/IEC 27001:2022 Clause 7.2 Competence | No Change |
ISO/IEC 27001:2022 Clause 7.3 Awareness | No Change |
ISO/IEC 27001:2022 Clause 7.4 Communication | There are minor changes to ISO 27001 Clause 7.4 in the 2022 update, and they can be seen as a simplification. The requirement to determine who shall communicate has been removed and replaced with how to communicate, and the requirement to determine the processes by which communication shall be effected has been removed entirely. In our opinion, continuing to record who communicates and the process for doing so is good practice, but you are no longer required to account for it directly. |
ISO/IEC 27001:2022 Clause 7.5 Documented information | No Change |
ISO/IEC 27001:2022 Clause 7.5.1 General | Great news. There are no material changes to ISO 27001 Clause 7.5.1 in the 2022 update. The only change is the general replacement across the standard of ‘International Standard’ with ‘document’, which concerns only how the standard refers to itself in the text. |
ISO/IEC 27001:2022 Clause 7.5.2 Creating and updating | No Change |
ISO/IEC 27001:2022 Clause 7.5.3 Control of documented information | Great news. There are no material changes to ISO 27001 Clause 7.5.3 in the 2022 update. Where the text referred to the ‘International Standard’ it now says ‘document’. |
ISO/IEC 27001:2022 Clause 8 Operation | |
ISO/IEC 27001:2022 Clause 8.1 Operational planning and control | The changes to ISO 27001 Clause 8.1 in the 2022 update are clarification changes and nothing material. The wording on planning, implementing and controlling processes is widened from ‘meet information security requirements’ to the more general ‘meet requirements’. It now refers to establishing criteria for the processes and implementing control of the processes in accordance with those criteria. ‘Keep documented information’ becomes ‘documented information shall be available’. ‘Outsourced processes are determined and controlled’ becomes ‘externally provided processes, products or services that are relevant to the information security management system are controlled’. |
ISO/IEC 27001:2022 Clause 8.2 Information security risk assessment | No Change |
ISO/IEC 27001:2022 Clause 8.3 Information security risk treatment | No Change |
ISO/IEC 27001:2022 Clause 9 Performance evaluation | |
ISO/IEC 27001:2022 Clause 9.1 Monitoring, measurement, analysis and evaluation | There are clarification changes to ISO 27001 Clause 9.1 in the 2022 update. The opening words about the organisation evaluating the information security performance and the effectiveness of the management system have been removed; they are covered, to a greater or lesser degree, elsewhere in the clause. 9.1 b now states that the methods of monitoring, measurement, analysis and evaluation should produce comparable and reproducible results to be considered valid. This was previously a note, so it is not a material change. 9.1 e has had the word ‘and’ removed with little to no consequence. An explicit requirement that documented information be available as evidence of the results has been added, making explicit what was implied. The line about retaining appropriate documented information as evidence has been replaced with the requirement to evaluate the information security performance and the effectiveness of the information security management system. It says pretty much the same thing, with the same requirement, worded differently. |
ISO/IEC 27001:2022 Clause 9.2 Internal audit | This clause has now had the wording removed and wording shifted to two new separate sub clauses. |
ISO/IEC 27001:2022 Clause 9.2.1 General | NEW – doesn’t say anything new just separates out the old clause for ease of reading |
ISO/IEC 27001:2022 Clause 9.2.2 Internal audit programme | NEW – doesn’t say anything new just separates out the old clause for ease of reading |
ISO/IEC 27001:2022 Clause 9.3 Management review | This clause has now had the wording removed and wording shifted to three new separate sub clauses. |
ISO/IEC 27001:2022 Clause 9.3.1 General | NEW – doesn’t say anything new just separates out the old clause for ease of reading |
ISO/IEC 27001:2022 Clause 9.3.2 Management review inputs | NEW – doesn’t say anything new just separates out the old clause for ease of reading |
ISO/IEC 27001:2022 Clause 9.3.3 Management review results | NEW – doesn’t say anything new just separates out the old clause for ease of reading |
ISO/IEC 27001:2022 Clause 10 Improvement | |
ISO/IEC 27001:2022 Clause 10.1 Continual improvement | No change to the wording, but the numbering has swapped with Nonconformity and corrective action (10.2 in the 2013 version). Why? To align with the harmonised structure used by the other ISO management system standards. |
ISO/IEC 27001:2022 Clause 10.2 Nonconformity and corrective action | No change to the wording, but the numbering has swapped with Continual improvement (10.1 in the 2013 version). |
ISO/IEC 27001:2022 Clause Annex A (normative) Information security controls reference | Annex A has been replaced with the control set of ISO/IEC 27002:2022: 93 controls in four themes (organisational, people, physical and technological) in place of the 114 controls in 14 domains of the 2013 version, with 11 new controls. This is where the real transition work is. |
ISO 27001:2013 Versus ISO 27001:2022
A direct comparison of ISO 27001:2013 versus ISO 27001:2022, clause by clause
ISO/IEC 27001:2022 | ISO/IEC 27001:2013 |
---|---|
ISO/IEC 27001:2022 Clause 4 Context of the Organization | ISO/IEC 27001:2013 Clause 4 Context of the Organization |
ISO/IEC 27001:2022 Clause 4.1 Understanding the organisation and its context | ISO/IEC 27001:2013 Clause 4.1 Understanding the organisation and its context |
ISO/IEC 27001:2022 Clause 4.2 Understanding the needs and expectations of interested parties | ISO/IEC 27001:2013 Clause 4.2 Understanding the needs and expectations of interested parties |
ISO/IEC 27001:2022 Clause 4.3 Determining the scope of the information security management system | ISO/IEC 27001:2013 Clause 4.3 Determining the scope of the information security management system |
ISO/IEC 27001:2022 Clause 4.4 Information security management system | ISO/IEC 27001:2013 Clause 4.4 Information security management system |
ISO/IEC 27001:2022 Clause 5 Leadership | ISO/IEC 27001:2013 Clause 5 Leadership |
ISO/IEC 27001:2022 Clause 5.1 Leadership and commitment | ISO/IEC 27001:2013 Clause 5.1 Leadership and commitment |
ISO/IEC 27001:2022 Clause 5.2 Policy | ISO/IEC 27001:2013 Clause 5.2 Policy |
ISO/IEC 27001:2022 Clause 5.3 Organizational roles, responsibilities and authorities | ISO/IEC 27001:2013 Clause 5.3 Organizational roles, responsibilities and authorities |
ISO/IEC 27001:2022 Clause 6 Planning | ISO/IEC 27001:2013 Clause 6 Planning |
ISO/IEC 27001:2022 Clause 6.1 Actions to address risks and opportunities | ISO/IEC 27001:2013 Clause 6.1 Actions to address risks and opportunities |
ISO/IEC 27001:2022 Clause 6.1.1 General | ISO/IEC 27001:2013 Clause 6.1.1 General |
ISO/IEC 27001:2022 Clause 6.1.2 Information security risk assessment | ISO/IEC 27001:2013 Clause 6.1.2 Information security risk assessment |
ISO/IEC 27001:2022 Clause 6.1.3 Information security risk treatment | ISO/IEC 27001:2013 Clause 6.1.3 Information security risk treatment |
ISO/IEC 27001:2022 Clause 6.2 Information security objectives and planning to achieve them | ISO/IEC 27001:2013 Clause 6.2 Information security objectives and planning to achieve them |
ISO/IEC 27001:2022 Clause 6.3 Planning of Changes | NEW |
ISO/IEC 27001:2022 Clause 7 Support | ISO/IEC 27001:2013 Clause 7 Support |
ISO/IEC 27001:2022 Clause 7.1 Resources | ISO/IEC 27001:2013 Clause 7.1 Resources |
ISO/IEC 27001:2022 Clause 7.2 Competence | ISO/IEC 27001:2013 Clause 7.2 Competence |
ISO/IEC 27001:2022 Clause 7.3 Awareness | ISO/IEC 27001:2013 Clause 7.3 Awareness |
ISO/IEC 27001:2022 Clause 7.4 Communication | ISO/IEC 27001:2013 Clause 7.4 Communication |
ISO/IEC 27001:2022 Clause 7.5 Documented information | ISO/IEC 27001:2013 Clause 7.5 Documented information |
ISO/IEC 27001:2022 Clause 7.5.1 General | ISO/IEC 27001:2013 Clause 7.5.1 General |
ISO/IEC 27001:2022 Clause 7.5.2 Creating and updating | ISO/IEC 27001:2013 Clause 7.5.2 Creating and updating |
ISO/IEC 27001:2022 Clause 7.5.3 Control of documented information | ISO/IEC 27001:2013 Clause 7.5.3 Control of documented information |
ISO/IEC 27001:2022 Clause 8 Operation | ISO/IEC 27001:2013 Clause 8 Operation |
ISO/IEC 27001:2022 Clause 8.1 Operational planning and control | ISO/IEC 27001:2013 Clause 8.1 Operational planning and control |
ISO/IEC 27001:2022 Clause 8.2 Information security risk assessment | ISO/IEC 27001:2013 Clause 8.2 Information security risk assessment |
ISO/IEC 27001:2022 Clause 8.3 Information security risk treatment | ISO/IEC 27001:2013 Clause 8.3 Information security risk treatment |
ISO/IEC 27001:2022 Clause 9 Performance evaluation | ISO/IEC 27001:2013 Clause 9 Performance evaluation |
ISO/IEC 27001:2022 Clause 9.1 Monitoring, measurement, analysis and evaluation | ISO/IEC 27001:2013 Clause 9.1 Monitoring, measurement, analysis and evaluation |
ISO/IEC 27001:2022 Clause 9.2 Internal audit | ISO/IEC 27001:2013 Clause 9.2 Internal audit |
ISO/IEC 27001:2022 Clause 9.2.1 General | NEW |
ISO/IEC 27001:2022 Clause 9.2.2 Internal audit programme | NEW |
ISO/IEC 27001:2022 Clause 9.3 Management review | ISO/IEC 27001:2013 Clause 9.3 Management review |
ISO/IEC 27001:2022 Clause 9.3.1 General | NEW |
ISO/IEC 27001:2022 Clause 9.3.2 Management review inputs | NEW |
ISO/IEC 27001:2022 Clause 9.3.3 Management review results | NEW |
ISO/IEC 27001:2022 Clause 10 Improvement | ISO/IEC 27001:2013 Clause 10 Improvement |
ISO/IEC 27001:2022 Clause 10.1 Continual improvement | ISO/IEC 27001:2013 Clause 10.2 Continual improvement (numbering swapped) |
ISO/IEC 27001:2022 Clause 10.2 Nonconformity and corrective action | ISO/IEC 27001:2013 Clause 10.1 Nonconformity and corrective action (numbering swapped) |
ISO/IEC 27001:2022 Clause Annex A (normative) Information security controls reference | ISO/IEC 27001:2013 Clause Annex A (normative) Reference control objectives and controls (replaced with the ISO/IEC 27002:2022 control set) |
The top 3 Mistakes People make with the new ISO 27001:2022
1. Assuming it is different
Assuming that it is vastly different and panicking, worrying the organisation unduly and seeking a massive budget for something that is fundamentally no different from what they already have or are already working towards.
2. Paying consultants to work out the impact
Paying consultants to tell you that nothing has fundamentally changed, when you can buy the standard yourself and read it in around 15 minutes.
3. Not buying and reading the standard
Relying on the internet and free resources rather than getting a copy of the standard and reading it yourself.
The 3 things you missed that have changed in ISO 27001:2022
1. Fundamentally nothing has changed
ISO 27001:2022 is fundamentally the same, with minor wording changes, a numbering swap on 2 clauses (10.1 and 10.2) and some clarifications.
2. The biggest change was to ISO 27002 / Annex A
The biggest change had already happened before the main standard was re-issued: the control set was restructured when ISO/IEC 27002 was updated to the 2022 version in February 2022, and ISO 27001:2022 Annex A simply adopts it.
3. It is a version alignment
ISO names its standards by the year of publication, and the standard had not changed significantly since the 2013 version. That left organisations working to what looked like a nine-year-old information security standard, which is a little embarrassing for everyone. Re-issuing it as a 2022 version keeps it current in name and brings its versioning into line with the 2022 release of ISO 27002.
ISO/IEC 27001:2022 Release Date
ISO 27001 2022 was released in October 2022.
ISO/IEC 27001:2022 FAQ
Yes. A new version of the standard, ISO/IEC 27001:2022, was released in October 2022, although in substance it is more of a re-issue than an update.
The ISO 27001 standard has been amended, and the amended version was released in October 2022.
The latest version of ISO 27001 is ISO/IEC 27001:2022
Potentially. It is unlikely that you will be audited against the new version of the standard before the end of 2023 or during 2024. The transition period for certified organisations runs for three years from publication and ends on 31 October 2025, after which certificates to ISO/IEC 27001:2013 are no longer valid.
Very little has changed in ISO 27001. It is minor wording updates, a change of name to reflect the release date of 2022 and bring the versioning into alignment, a numbering swap on 2 clauses, and a new Annex A control set taken from ISO/IEC 27002:2022.
Yes. The ISO 27001 Toolkit includes both versions of the ISO 27001 standard and both versions of the ISO 27002 standard and a migration plan.
It will take you about a week to migrate from the old version of ISO 27001 to the new version of ISO 27001.
ISO 27001 was last updated in October 2022.
Yes, you can download a copy of the ISO 27001:2022 PDF in the ISO 27001 Toolkit.
ISO/IEC 27001:2022 was released in October 2022.