ISO27001 2022: Everything you need to know

Share with your network

ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection — Information Security Management Systems Requirements

In this article we lay bare the changes to the ISO 27001 standard that happened in 2022 We show you exactly what changed in the ISO27001:2022 update. I am Stuart Barker the ISO27001 Ninja and this is everything you need to know about the ISO27001 2022 update.

What is ISO/IEC 27001:2022?

ISO27001 is the international standard for information security. It is an Information Security Management Systems (ISMS) and an organisation will seek ISO27001 Certification. ISO/IEC 27001:2022 is the much anticipated 2022 update to the standard.

What has changed in the new version of ISO/IEC 27001:2022?

Very little has change in ISO/IEC 27001:2022. Minor word changes, 1 new clause, 5 new sub clauses and the number of 2 clauses has swapped.

What do I need to know about the new version of ISO27001?

You need to know that you do not need to panic. This is not a revolution. It is barely an evolution. The main focus seems to be to align the numbering and address the fact the date of the last major revision was 2013.

What should I do for the new version of ISO27001?

The first thing you should do for the new version of ISO27001 is not panic. Very little has changed. Now the new version is in final release get yourself a copy.

The new ISO/IEC 27001:2022 with changes listed

Here we list the summary changes to the ISO27001 standard.

ISO/IEC 27001:2022
ISO/IEC 27001:2022 Clause 4 Context of the Organization
ISO/IEC 27001:2022 Clause 4.1 Understanding the organization and its contextNo Change
ISO/IEC 27001:2022 Clause 4.2 Understanding the needs and expectations of interested partiesThere is no real change to ISO 27001 clause 4.2 for the 2022 update. It has clarified that you will now determine which of the identified requirements will be addressed through the information security management system rather than implying it.
ISO/IEC 27001:2022 Clause 4.3 Determining the scope of the information security management systemNot a massive change to ISO 27001 Clause 4.3 in the 2022 update as the only thing it does is remove the word ‘and’ from 4.3 b. Great isn’t it?
ISO/IEC 27001:2022 Clause 4.4 Information security management systemWell they now refer through the standard to this ‘document’ rather than this ‘international standard’. So replace the words ‘international standard’ with the word ‘document. 
They have added into the sentence the term – ‘including the processes needed and their interactions’ to be absolutely crystal clear that processes are included, rather than implying it. 
In essence, nothing has changed. It is clarification of wording.
ISO/IEC 27001:2022 Clause 5 Leadership
ISO/IEC 27001:2022 Clause 5.1 Leadership and commitmentNo Change
ISO/IEC 27001:2022 Clause 5.2 PolicyNo Change
ISO/IEC 27001:2022 Clause 5.3 Organisational roles, responsibilities and authoritiesThe changes to ISO 27001 clause 5.3 for the 2022 update are minor at best. Changing the word ‘International Standard’ to the word ‘document’ and adding clarification that communication is within the organisation as was always implied but never said out right. Nothing material.
ISO/IEC 27001:2022 Clause 6 Planning
ISO/IEC 27001:2022 Clause 6.1 Actions to address risks and opportunitiesNo Change
ISO/IEC 27001:2022 Clause 6.1.1 GeneralBrace yourself. The massive update was to remove the word ‘and’ from 6.1.1 b.
ISO/IEC 27001:2022 Clause 6.1.2 Information security risk assessmentNo Change
ISO/IEC 27001:2022 Clause 6.1.3 Information security risk treatmentThe changes to ISO 27001 Clause 6.1.3 are minor but important
Changing the wording of 6.1.3 c to now reference Annex A as containing a list of possible information security controls. This is a change from it containing a comprehensive list of control objectives
Removing the wording that control objectives are implicitly included in the controls chosen.
Changing from the control objectives listed in Annex A as being not exhaustive with additional controls may being needed to the wording of Information Security Controls listed in Annex.
Change the word control objectives to controls
Changing the sentence of 6.1.3 d into a list for ease of reading
Changing the words ‘International Standard’ to the word ‘document’ 
Overall these are clarification changes and not material.
ISO/IEC 27001:2022 Clause 6.2 Information security objectives and planning to achieve themISO 27001 clause 6.2 had minor changes in the 2022 update with the changes being focussed on clarity. 
It introduced that information security objectives should be monitored and be available as documented information. This was always implied but is made explicit. 
As a result the numbering of the sub parts shifted but this is not material.
ISO 27001:2022 Clause 6.3 Planning Of Changes NEW – when you make changes to the ISMS do it in a planned manner. Which you were anyway.
ISO/IEC 27001:2022 Clause 7 Support
ISO/IEC 27001:2022 Clause 7.1 ResourcesNo Change
ISO/IEC 27001:2022 Clause 7.2 CompetenceNo Change
ISO/IEC 27001:2022 Clause 7.3 AwarenessNo Change
ISO/IEC 27001:2022 Clause 7.4 CommunicationThere are minor changes to ISO 27001 Clause 7.4 in the 2022 update. The changes can be seen as a simplification. It removes who shall communicate and replaces it with how to communicate and it completely removes the need to show the processes by which communication shall be effected. 
It is our opinion that keeping who and the process of how is good practice but you can, if you wish, not account for it directly.
ISO/IEC 27001:2022 Clause 7.5 Documented informationNo Change
ISO/IEC 27001:2022 Clause 7.5.1 GeneralGreat news. There are no material changes to ISO 27001 Clause 7.5.1 in the 2022 update.
There is a general update across the standard to replace the words ‘International Standard’ to the word ‘document’. But this is not material but refers to how the standard refers to itself in the text.
ISO/IEC 27001:2022 Clause 7.5.2 Creating and updatingNo Change
ISO/IEC 27001:2022 Clause 7.5.3 Control of documented informationGreat news. There are no changes to ISO 27001 Clause 7.5.3 in the 2022 update. Where reference was made to the ‘International Standard’ in reference to the document it has been replaced with the word ‘document’.
ISO/IEC 27001:2022 Clause 8 OperationNo Change
ISO/IEC 27001:2022 Clause 8.1 Operational planning and controlThe changes to ISO 27001 Clause 8.1 in the 2022 update are clarification changes and nothing material. 
The wording on planning and implementing and controlling processes is widened to the more general wording of ‘meet requirements’ rather than before which was ‘meet information security requirements’. 
It now talks to establishing cirtieria for the processes and implementing control of processes in line with those criteria.
Rather than keep documented information it is changed to documented information shall be available. 
Outsourced processes are determined and controlled is changed to externally provided processes, products or services that are relevant to the information security management system are controlled.
ISO/IEC 27001:2022 Clause 8.2 Information security risk assessmentNo Change
ISO/IEC 27001:2022 Clause 8.3 Information security risk treatmentNo Change
ISO/IEC 27001:2022 Clause 9 Performance evaluation
ISO/IEC 27001:2022 Clause 9.1 Monitoring, measurement, analysis and evaluationThere are clarification changes to the ISO 27001 Clause 9.1 in the 2022 update. 
The words about the organisation evaluates the information security performance and the effectiveness of the management system have been removed. They are covered to a greater or lesser degree elsewhere in the clause.
9.1 b has been updated to give guidance on the methods of monitoring, measurement, analysis and evaluation and provides that they should produce comparable results and reproducible results to be considered valid. This was previously a footnote so no material change. 
9.1 e has had the word ‘and’ removed with little to no consequence.
A requirement for documented information to be available to evidence results has been included making it an explicit rather than implied requirement.
Rather than retain appropriate documentation as evidence the line has been replaced with the requirement to evaluate the information security performance and effectiveness of the information security management system. 
It says pretty much the same thing, with the same requirement with a change to the wording of how it says it.
ISO/IEC 27001:2022 Clause 9.2 Internal auditThis clause has now had the wording removed and wording shifted to two new separate sub clauses.
ISO/IEC 27001:2022 Clause 9.2.1 GeneralNEW – doesn’t say anything new just separates out the old clause for ease of reading
ISO/IEC 27001:2022 Clause 9.2.2 Internal audit programmeNEW – doesn’t say anything new just separates out the old clause for ease of reading
ISO/IEC 27001:2022 Clause 9.3 Management reviewThis clause has now had the wording removed and wording shifted to three new separate sub clauses.
ISO/IEC 27001:2022 Clause 9.3.1 GeneralNEW doesn’t say anything new just separates out the old clause for ease of reading
ISO/IEC 27001:2022 Clause 9.3.2 Management review inputsNEW – doesn’t say anything new just separates out the old clause for ease of reading
ISO/IEC 27001:2022 Clause 9.3.3 Management review resultsNEW – doesn’t say anything new just separates out the old clause for ease of reading
ISO/IEC 27001:2022 Clause 10 Improvement
ISO/IEC 27001:2022 Clause 10.1 Continual improvement No Change but Swapped Numbering – why?
ISO/IEC 27001:2022 Clause 10.2 Nonconformity and corrective action No Change but Swapped Numbering – why?
ISO/IEC 27001:2022 Clause Annex A (normative) Information security controls referenceISO 27002: 2022 new version of control set
Free ISO27001 Strategy Call

ISO27001 2013 V ISO27001 2022

A direct comparison of ISO27001:2013 verses ISO27001:2022

ISO/IEC 27001:2022
ISO/IEC 27001:2022 Clause 4 Context of the Organization ISO/IEC 27001:2013 Clause 4 Context of the Organization
ISO/IEC 27001:2022 Clause 4.1 Understanding the organization and its contextISO/IEC 27001:2013 Clause 4.1 Understanding the organization and its context
ISO/IEC 27001:2022 Clause 4.2 Understanding the needs and expectations of interested partiesISO/IEC 27001:2013 Clause 4.2 Understanding the needs and expectations of interested parties
ISO/IEC 27001:2022 Clause 4.3 Determining the scope of the information security management systemISO/IEC 27001:2013 Clause 4.3 Determining the scope of the information security management system
ISO/IEC 27001:2022 Clause 4.4 Information security management systemISO/IEC 27001:2013 Clause 4.4 Information security management system
ISO/IEC 27001:2022 Clause 5 LeadershipISO/IEC 27001:2013 Clause 5 Leadership
ISO/IEC 27001:2022 Clause 5.1 Leadership and commitmentISO/IEC 27001:2013 Clause 5.1 Leadership and commitment
ISO/IEC 27001:2022 Clause 5.2 PolicyISO/IEC 27001:2013 Clause 5.2 Policy
ISO/IEC 27001:2022 Clause 5.3 Organizational roles, responsibilities and authoritiesISO/IEC 27001:2013 Clause 5.3 Organizational roles, responsibilities and authorities
ISO/IEC 27001:2022 Clause 6 PlanningISO/IEC 27001:2013 Clause 6 Planning
ISO/IEC 27001:2022 Clause 6.1 Actions to address risks and opportunitiesISO/IEC 27001:2013 Clause 6.1 Actions to address risks and opportunities
ISO/IEC 27001:2022 Clause 6.1.1 GeneralISO/IEC 27001:2013 Clause 6.1.1 General
ISO/IEC 27001:2022 Clause 6.1.3 Information security risk assessmentISO/IEC 27001:2013 Clause 6.1.3 Information security risk assessment
ISO/IEC 27001:2022 Clause 6.1.3 Information security risk treatmentISO/IEC 27001:2013 Clause 6.1.3 Information security risk treatment
ISO/IEC 27001:2022 Clause 6.2 Information security objectives and planning to achieve themISO/IEC 27001:2013 Clause 6.2 Information security objectives and planning to achieve them
ISO/IEC 27001:2022 Clause 6.3 Planning of Changes
ISO/IEC 27001:2022 Clause 7 SupportISO/IEC 27001:2013 Clause 7 Support
ISO/IEC 27001:2022 Clause 7.1 ResourcesISO/IEC 27001:2013 Clause 7.1 Resources
ISO/IEC 27001:2022 Clause 7.2 CompetenceISO/IEC 27001:2013 Clause 7.2 Competence
ISO/IEC 27001:2022 Clause 7.3 AwarenessISO/IEC 27001:2013 Clause 7.3 Awareness
ISO/IEC 27001:2022 Clause 7.4 CommunicationISO/IEC 27001:2013 Clause 7.4 Communication
ISO/IEC 27001:2022 Clause 7.5 Documented informationISO/IEC 27001:2013 Clause 7.5 Documented information
ISO/IEC 27001:2022 Clause 7.5.1 GeneralISO/IEC 27001:2013 Clause 7.5.1 General
ISO/IEC 27001:2022 Clause 7.5.2 Creating and updatingISO/IEC 27001:2013 Clause 7.5.2 Creating and updating
ISO/IEC 27001:2022 Clause 7.5.3 Control of documented informationISO/IEC 27001:2013 Clause 7.5.3 Control of documented information
ISO/IEC 27001:2022 Clause 8 OperationISO/IEC 27001:2013 Clause 8 Operation
ISO/IEC 27001:2022 Clause 8.1 Operational planning and controlISO/IEC 27001:2013 Clause 8.1 Operational planning and control
ISO/IEC 27001:2022 Clause 8.2 Information security risk assessmentISO/IEC 27001:2013 Clause 8.2 Information security risk assessment
ISO/IEC 27001:2022 Clause 8.3 Information security risk treatmentISO/IEC 27001:2013 Clause 8.3 Information security risk treatment
ISO/IEC 27001:2022 Clause 9 Performance evaluationISO/IEC 27001:2013 Clause 9 Performance evaluation
ISO/IEC 27001:2022 Clause 9.1 Monitoring, measurement, analysis and evaluationISO/IEC 27001:2013 Clause 9.1 Monitoring, measurement, analysis and evaluation
ISO/IEC 27001:2022 Clause 9.2 Internal auditISO/IEC 27001:2013 Clause 9.2 Internal audit
ISO/IEC 27001:2022 Clause 9.2.1 GeneralNEW
ISO/IEC 27001:2022 Clause 9.2.2 Internal audit programmeNEW
ISO/IEC 27001:2022 Clause 9.3 Management reviewISO/IEC 27001:2013 Clause 9.3 Management review
ISO/IEC 27001:2022 Clause 9.3.1 GeneralNEW
ISO/IEC 27001:2022 Clause 9.3.2 Management review inputsNEW
ISO/IEC 27001:2022 Clause 9.3.3 Management review resultsNEW
ISO/IEC 27001:2022 Clause 10 ImprovementISO/IEC 27001:2013 Clause 10 Improvement
ISO/IEC 27001:2022 Clause 10.1 Continual improvement ISO/IEC 27001:2013 Clause 10.1 Nonconformity and corrective action
ISO/IEC 27001:2022 Clause 10.2 Nonconformity and corrective action ISO/IEC 27001:2013 Clause 10.2 Continual improvement
ISO/IEC 27001:2022 Clause Annex A (normative) Information security controls referenceISO 27002: 2022 new version of control set

The top 3 Mistakes People make with the new ISO27001:2022

The top 3 mistakes people make with the new ISO27001 standard

1. Assuming it is different

Assuming that it is vastly different and panicking. Worrying the organisation unduly and seeking massive budget for something that fundamentally is no different to what they have or are already working towards.

2. Paying consultants to work out the impact

Paying consultants to tell you that nothing has fundamentally changed when you can buy the standard yourself and read it and around 15 minutes.

3. Not buying and reading the standard

Relying on the internet and free resources rather than getting a copy of the standard and reading it yourself.

The 3 things you missed that have changed in ISO27001:2022

1. Fundamentally nothing has changed

ISO27001 2022 is fundamentally the same with minor wording changes, a numbering change on 2 controls and some clarifications.

2. The biggest change was to ISO27002 / Annex A

The biggest change has already happened with the control set when ISO27002 was updated to the 2022 version.

3. It is a version alignment

As the standard has not changed significantly since the 2013 version, as the approach seems to be to name the standard followed by a year it is kind of embarrassing that people are working to what appears to be a 2013 version of an information security standard so to make it more relevant they have changed the name to 2022.

ISO/IEC 27001:2022 Release Date

ISO27001 2022 was released in October 2022.

ISO/IEC 27001:2022 FAQ

Is ISO27001 being updated?

Yes. The ISO27001 2022 version is not really an update but yes there is a new version of the standard set for release in October 2022.

When is ISO27001 being updated?

The ISO27001 standard has been amended and is set for release in October 2022.

What is the latest version of ISO27001?

The latest version of ISO27001 is ISO/IEC 27001:2022

Will I get audited on the new version of ISO27001?

No. The industry is not ready to officially audit against the new version of the standard. It is unlikely until the end of 2023 or 2024 that you will be audited against the new version of the standard.

What has changed in ISO27001?

Very little has changed in ISO27001. It is minor wording updates, a change of name to reflect the release date of 2022 and bring the versioning into alignment and a numbering change on 2 controls.

Is there a migration plan for the new version of ISO27001?

Yes. The ISO27001 Toolkit includes both versions of the ISO27001 standard and both versions of the ISO27002 standard and a migration plan.

How long will it take me to transition to the new version of ISO27001?

It will take you about a week to migrate from the old version of ISO27001 to the new version of ISO27001.

When was ISO27001 last updated?

ISO27001 was last updated in October 2022.

Is there an ISO/IEC 27001:2022 PDF?

Yes, you can download a copy of the ISO27001:2022 PDF here: https://hightable.io/iso-27001-toolkit/

ISO27001 2022: Is the new version of the standard still releasing this year?

ISO/IEC 27001:2022 will be released in October 2022.

Share with your network
ISO 27001 Templates Toolkit Business Edition Black
ISO27001 Policy Templates Pack Green
Free ISO27001 Strategy Call
Shopping Cart