Key Changes Introduced by ISO 27001:2022

The ISO/IEC 27001 standard provides an international framework for information security management systems (ISMS), outlining the processes organizations should follow to protect their information assets. The ISO/IEC 27001:2022 update, published on October 25, 2022, includes significant changes to align with developments in the field of information security.

Structural Changes

The new version has been aligned with other ISO management system standards (such as ISO 9001 and ISO 22301) by adopting what is known as the Harmonized Structure (HS), the successor to the earlier Annex SL / High-Level Structure. Because the clause numbering and core requirements are shared, an organization can run one integrated management system instead of maintaining separate ones per standard.

Important Note

Clause 6.3 "Planning of Changes" has been added. It requires that changes to the ISMS (for example a new system, supplier or process) are carried out in a planned manner, so that their security impact is assessed before they take effect rather than after.

Changes in Annex A Controls

The controls in Annex A have been reorganized to better respond to today's information security needs.

Number and Structure of Controls

The 114 controls previously grouped under 14 categories have been reduced to 93 controls (11 new, 24 formed by merging existing controls, and 58 updated) grouped under 4 main themes:

  • Organizational Controls (A.5, 37 controls): Covers management-related topics such as policies, roles, responsibilities, and supplier relationships.
  • People Controls (A.6, 8 controls): Focuses on employee screening, awareness, training, and behavior.
  • Physical Controls (A.7, 14 controls): Includes physical security measures, secure areas, and equipment protection.
  • Technological Controls (A.8, 34 controls): Defines technical measures on information systems, networks, and software.

11 Newly Added Controls

The updated standard includes the following 11 new controls:

A.5.7 Threat Intelligence

Collecting and analyzing information about existing and emerging threats (at the strategic, tactical, and operational levels) so that it can be used to prevent or reduce their impact.

A.5.23 Information Security for Use of Cloud Services

Processes for the acquisition, use, management, and exit from cloud services, including how responsibilities are shared with the provider.

A.5.30 ICT Readiness for Business Continuity

Planning, implementing, maintaining, and testing the readiness of ICT systems so that business continuity objectives can be met during a disruption.
</gra_replace>
<gr_replace lines="46" cat="clarify" orig="Monitoring systems">
Continuous monitoring of premises for unauthorized physical access, for example with security cameras, intrusion alarms, and guards.

A.7.4 Physical Security Monitoring

Monitoring systems such as security cameras.

A.8.9 Configuration Management

Establishing, documenting, implementing, monitoring, and reviewing the configurations (including security configurations) of hardware, software, services, and networks against defined baselines.

A.8.10 Information Deletion

Deleting information stored in systems, devices, or other storage media when it is no longer required, to avoid unnecessary exposure and to meet legal and regulatory retention requirements.

A.8.11 Data Masking

Protecting sensitive data using masking, pseudonymization, or anonymization, so that it can be processed or shared (for example in test or analytics environments) without exposing the original values.
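To make the distinction between masking and pseudonymization concrete, the following is an added example (not code from the standard or from this page). It assumes a constructed sample dataset and a hypothetical pseudonymization key; irreversible masking is applied to card numbers, e-mail addresses, and phone numbers, while a keyed HMAC turns the e-mail address into a deterministic pseudonym that still allows records to be joined without revealing the identity.

```python
import hashlib
import hmac
import re

# Constructed sample records standing in for a production export that must be
# masked before it is handed to a test or analytics environment.
SAMPLE_RECORDS = [
    {"name": "Ada Lovelace", "email": "ada@example.org",
     "pan": "4111 1111 1111 1111", "phone": "+44 20 7946 0958"},
    {"name": "Alan Turing", "email": "alan.turing@example.org",
     "pan": "5500000000000004", "phone": "+44 161 496 0000"},
]

# Hypothetical pseudonymization key. In practice it lives in a secrets store or
# HSM and never travels with the masked data, otherwise the pseudonym can be
# brute-forced from a list of candidate e-mail addresses.
PSEUDONYM_KEY = b"example-only-32-byte-secret-key!!"


def mask_pan(pan: str) -> str:
    """Irreversible masking: keep only the last four digits of a card number."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13 or len(digits) > 19:
        raise ValueError("not a plausible primary account number")
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_email(email: str) -> str:
    """Keep the first character of the local part and the domain; hide the rest."""
    local, sep, domain = email.partition("@")
    if not sep or not local or not domain:
        raise ValueError("not an e-mail address")
    return local[0] + "*" * (len(local) - 1) + "@" + domain


def mask_phone(phone: str) -> str:
    """Keep only the last three digits, dropping formatting entirely."""
    digits = re.sub(r"\D", "", phone)
    if len(digits) < 6:
        raise ValueError("not a plausible phone number")
    return "*" * (len(digits) - 3) + digits[-3:]


def pseudonymize(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed, deterministic pseudonym (HMAC-SHA256, truncated to 64 bits).

    The same input always yields the same token, so analysts can still group
    and join records, but without the key the token cannot be reversed or
    recomputed from a guessed input. Input is normalized so that case and
    surrounding whitespace do not produce different pseudonyms.
    """
    normalized = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()[:16]


def mask_record(record: dict) -> dict:
    """Return a masked copy of one record; the original is never modified."""
    return {
        "subject_id": pseudonymize(record["email"]),
        "name": "REDACTED",
        "email": mask_email(record["email"]),
        "pan": mask_pan(record["pan"]),
        "phone": mask_phone(record["phone"]),
    }


def mask_dataset(records: list) -> list:
    """Mask every record and verify no original PAN leaked into the output."""
    masked = [mask_record(r) for r in records]
    for original in records:
        raw_pan = re.sub(r"\D", "", original["pan"])
        if any(raw_pan in str(v) for m in masked for v in m.values()):
            raise RuntimeError("masking failed: full PAN present in output")
    return masked


if __name__ == "__main__":
    for row in mask_dataset(SAMPLE_RECORDS):
        print(row)
```

The two operations serve different purposes: masking is what you use when the consumer must never recover the value (test data, support screens), while keyed pseudonymization is what you use when records must stay linkable across datasets. The final check in `mask_dataset` is the kind of control evidence an auditor will ask for: proof that the export actually contains no unmasked values, not just that a masking step was configured.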

A.8.12 Data Leakage Prevention

Measures applied to systems, networks, and endpoints to detect and prevent unauthorized disclosure or extraction of sensitive information.

A.8.16 Monitoring Activities

Monitoring networks, systems, and applications for anomalous behavior and evaluating the findings so that potential security incidents are detected and acted upon.

A.8.23 Web Filtering

Managing access to external websites to reduce exposure to malicious content and to enforce acceptable-use rules.

A.8.28 Secure Coding

Applying secure coding principles throughout the software development lifecycle, including planning, coding, review, and testing.

Transition Process

For organizations certified to ISO 27001:2013, the transition to the new version must be completed by October 31, 2025. During this time, organizations must update their existing ISMS to ensure compliance with the new standard.

Warning: Certificates issued against ISO/IEC 27001:2013 will expire or be withdrawn when the transition period ends; after October 31, 2025 only ISO/IEC 27001:2022 certificates remain valid.

The ISO/IEC 27001:2022 update introduces important changes aimed at making information security management systems more effective against modern threats. It is critical for organizations to comply with these new requirements to strengthen their information security processes.
