Key Changes Brought by ISO 27001:2022

The ISO/IEC 27001 standard provides an international framework for information security management systems (ISMS), outlining the processes for organizations to protect their information assets. The ISO/IEC 27001:2022 update, published on October 25, 2022, contains significant changes to align with developments in the field of information security.

Structural Changes

The new version has been adapted to the structure known as the Harmonized Structure (HS), aligning it with other ISO management system standards. This change aims to facilitate the integration of standards. For example, Clause 6.3 "Planning of Changes" has been added, emphasizing the need to manage changes in the ISMS in a planned manner.

Changes in Annex A Controls

The controls in Annex A have been reorganized to better respond to today's information security needs:

Control Number and Structure

The previous 114 controls under 14 control headings have been reduced to 93 controls under 4 main headings in the new version. These headings are:

  • Organizational Controls (A.5)
  • People Controls (A.6)
  • Physical Controls (A.7)
  • Technical Controls (A.8)

11 New Controls Added

The updated standard includes the following new controls:

  • A.5.7 Threat Intelligence
  • A.5.23 Information Security for Cloud Services Usage
  • A.5.30 IT Readiness for Business Continuity
  • A.7.4 Physical Security Monitoring
  • A.8.9 Configuration Management
  • A.8.10 Information Deletion
  • A.8.11 Data Masking
  • A.8.12 Data Loss Prevention
  • A.8.16 Monitoring Activities
  • A.8.23 Web Filtering
  • A.8.28 Secure Coding

Transition Process

For organizations with ISO 27001:2013 certification, the transition to the new version must be completed by October 31, 2025. During this period, organizations must update their existing ISMS to align with the new standard.

The ISO/IEC 27001:2022 update includes significant changes aimed at making information security management systems more effective against modern threats. It is critical for organizations to strengthen their information security processes by complying with these new requirements.
