
Key Changes Introduced by ISO 27001:2022
The ISO/IEC 27001 standard provides an international framework for information security management systems (ISMS), outlining the processes organizations should follow to protect their information assets. The ISO/IEC 27001:2022 update, published on October 25, 2022, includes significant changes to align with developments in the field of information security.
Structural Changes
The new version has been aligned with other ISO management system standards by adopting what is known as the Harmonized Structure (HS). This change aims to facilitate the integration of different standards.
Important Note
Clause 6.3 "Planning of Changes" has been added, emphasizing the need for managing changes in the ISMS in a planned manner.
Changes in Annex A Controls
The controls in Annex A have been reorganized to better respond to today's information security needs.
Number and Structure of Controls
The 114 controls previously grouped under 14 categories have been reduced to 93 controls grouped under 4 main categories:
- Organizational Controls (A.5): Covers management-related topics such as policies, roles, and responsibilities.
- People Controls (A.6): Focuses on employee awareness, training, and behavior.
- Physical Controls (A.7): Includes physical security measures and access controls.
- Technological Controls (A.8): Defines technical measures applied to information systems.
11 Newly Added Controls
The updated standard includes the following 11 new controls:
- A.5.7 Threat Intelligence: Processes aimed at anticipating potential threats.
- A.5.23 Information Security for Cloud Services: Secure use of cloud services.
- A.5.30 ICT Readiness for Business Continuity: Measures for maintaining IT service continuity.
- A.7.4 Physical Security Monitoring: Monitoring systems such as security cameras.
- A.8.9 Configuration Management: Tracking of system component configurations.
- A.8.10 Information Deletion: Methods for secure disposal of information.
- A.8.11 Data Masking: Protecting sensitive data using masking techniques.
- A.8.12 Data Leakage Prevention: Techniques to prevent data loss and leakage.
- A.8.16 Monitoring Activities: Continuous monitoring of information systems.
- A.8.23 Web Filtering: Securely controlling internet access.
- A.8.28 Secure Coding: Security measures in software development processes.
Transition Process
For organizations certified to ISO 27001:2013, the transition to the new version must be completed by October 31, 2025. During this time, organizations must update their existing ISMS to ensure compliance with the new standard.
The ISO/IEC 27001:2022 update introduces important changes aimed at making information security management systems more effective against modern threats. It is critical for organizations to comply with these new requirements to strengthen their information security processes.