What are changes in ISO 27001 2022 Version against ISO 27001 2013 Version
Following changes are interpretation of Blue Sky and for guidance only. Actual interpretation or implementation may vary. It is recommended to go through ISO 27001 2022 official standard copy for better understanding & implementation.
Change in Title of ISO 27001 2022 Version against ISO 27001 2013 Version
- ISO 27001 : 2013 Version Title was – Information Technology – Security techniques – Information security management system Requirements
- ISO 27001 : 2022 Version Title is – Information security, Cybersecurity and Privacy protection — Information security management systems — Requirements
- Key Take Away – Cyber security & Privacy protection are now in focus in consistency with changing digital era, Remote working, use of Cloud services & Privacy protection laws
- Apart from title, in whole ISO 27001 : 2022 version, " international Standard" word is replaced with " Document"
Change in Clause 4 – Context of Organization
- 4.2 – Which of interested party requirements will be addressed through Information Security Management system – ISMS ( Requirement added )
- 4.4 – Information security Management System processes to be determined & their interaction to be specified ( Requirement added )
Change in Clause 5 – Leadership
- 5.1 – Definition of Business is given ( Note added )
- 5.3 – Role, responsibility, authority related to information security shall be communicated within organization ( “Within Organization" is added for better clarity )
Change in Clause 6 – Planning
- 6.1.3 – Statement of Applicability (SOA ) shall include if determined information security controls ( may or may not be part of Annexure A ) are implemented or not. ( Added for better clarity )
- 6.2 – Information Security Objectives shall be monitored ( Added for better clarity )
- 6.3 – Planning of changes ( Newly added to make it consistent with ISO 9001 : 2015 )
Change in Clause 7 – Support
- 7.4 – How communication shall be done is added ( Added for better clarity )
Change in Clause 8 – Operation
- 8.1 – Establishing criterias for Information Security Management System processes & Implementing controls as per established criterias ( Requirement added )
- 8.1 – Outsourced processes are termed as Externally provided processes ( Added for better clarity )
Change in Clause 9 – Performance Evaluation
- 9.1 -The methods for monitoring & measurement selected should produce comparable & reproducable results to be considered valid ( Added in clause for better clarity )
- 9.1 – Periodic evaluation of Information Security Management System's Performance & Effectiveness shall be done
- 9.2 – Internal audit requirements are distributed in Clause 9.2.1 & 9.2.2
- 9.3 – Management Review requirements are distributed in Clause 9.3.1, 9.3.2 & 9.3.3. Aligned with ISO 9001 : 2015
High Level Changes in Annexure A of ISO 27001 2022 Information Security Management System Standard
- “Control Objective" of ISO 27001 : 2013 is termed as “Information Security Controls" in ISO 27001 : 2022 version
- Number of Controls are reduced from 114 to 93. Hence Total 21 controls are reduced with respect to earlier version .
- Information Security controls in ISO 27001 2022 standard is distributed in 4 categories instead of 14 domains of earlier version
- 11 Controls are newly added, 24 controls are clubbed with other previously existing controls & 58 controls are updated
Which are four categories of Annexure A controls in ISO 27001 2022 Standard
- Organizational Controls
- People Controls
- Physical Controls
- Technological Controls
Which new controls are added in annexure A of ISO 27001 2022 version
- Threat Intellegence
- Secure coding
- Web filtering
- Data masking
- Data leakage prevention
- Information Deletion
- Monitoring activities
- Configuration Management
- Information security for Cloud Services
- ICT Readiness for Business continuity
- Physical Security Monitoring
Which are key Annexure A controls in Category 5 – “Organizational Controls" those require change in implementation against ISO 27001 : 2013 version
- 5.1 – Topic Specific policies to be prepared. Policies shall be acknowledged by interested parties. Policies shall be reviewed at planned intervals
- 5.4 – Management Responsibilities added
- 5.7 – Threat Intellegence added
- 5.9 – Inventory of asset is now termed as Inventory of information & associated assets
- 5.12 – Classification of information now includes confidentiality, Integrity & availability and relevant interested parties
- 5.15 – Access control Policy is replaced with Access Control Rules
- 5.16 – User registration – deregistration is replaced with Identity life cycle management
- 5.21 – Information security risks related to ICT products & services supply chain shall be managed – Added
- 5.23 – Information security to be implemented for Cloud services
- 5.30 – ICT readiness for business continuity to be implemented
- 5.34 – Preservation & Protection of PII ( Personally identifiable information ) as per applicable laws and regulations
Which are key Annexure A controls in Category 6 – “People Controls" those require change in implementation against ISO 27001 : 2013 version
- 6.1 – Back ground verification shall be done before joining & on periodic basis
Which are key Annexure A controls in Category 7 – “Physical Controls" those require change in implementation against ISO 27001 : 2013 version
- 7.2 – Security shall be applied not only at physical entry place but also at physical access points
- 7.4 – Physical security of premises shall be continuously monitored ( Control added )
- 7.5 – Intentional & Unintentional threats are added along with Environmental threats
- 7.10 – Information security shall be managed during entire lifecycle of storage media
Which are key Annexure A controls in Category 8 – “Technological Controls" those require change in implementation against ISO 27001 : 2013 version
- 8.1 – User End point devices shall be protected for information being processes or information being accessed
- 8.4 – Control on read & write for source code, development tool & software libraries
- 8.9 – Configuration Management for security, hardware & software configurations ( Control added )
- 8.10 – Information to be deleted if no longer required ( Control added )
- 8.11 – To mask Data as per business or legislative requirements ( Control added )
- 8.12 – Data leakage prevention to be implemented ( Control added )
- 8.23 – Web filter ( Control added )
Organizations may contact us which are willing to
Upgrade their current ISO 27001 2013 certification to ISO 27001 2022 Version
Achieve fresh ISO 27001 2022 certification