Upcoming events

Latest ISLF News

Menu
Log in

Information Security Leadership Forum Interational

A Community of Today and Tomorrow's Leaders

ISO 27001: 2022 - A Detailed Summary of Change from 2013 to 2022 Version

Monday, June 12, 2023 1:33 PM | Timothy Phillips (Administrator)

Introduction

On Wednesday October 26th, 2022, International Organization for Standardization (ISO) released the long-awaited revised edition of the ISO 27001 standard. In general, the new version is a bit of a letdown, with few material changes other than those in Annex A, which we previewed in February’s release of ISO 27002: 2022, the new guide for the implementation of the ISO 27001 standard.


This article is intended for ISO 27001 practitioners familiar with, and actively using the ISO 27001 standard to build or operate an information security management system (ISMS). It has been written to help the audience quickly understand what changes are in the 2022 version of the standard, from its previous 2013 release, without having to do the line-by-line review that was done to prepare this article for you. It will make more sense to you if you have a copy of the standard on hand while reading through the detailed analysis provided below, but is not necessary. This article should not be considered a primer on the standard, as it only highlights changes. As Clauses 2 and 3 of the standard are administrative only, these areas are not addressed by this article.

If during your review of the article, you find any inaccuracies or erroneous information, kindly leave us a note and we will review and amend the article to ensure it remains an invaluable resource for others. Please note, comments to articles on the Information Security Leadership Forum are restricted to members of the Forum. This was implemented to avoid SPAM and the added overhead of moderating such content. If you are not a member of the Forum and wish to communicate an observation, please feel free to use the contact form here.


Clause 3 – Terms and Definitions

What’s the Same

Terminology reference document remains as ISO 27000. At the time of publication of this article ISO 27000’s current release is 2018.

What’s Different

Added links to online resources for ISO & IEC terminology database, where a visitor can do a search by word.

Clause 4 – Context of the Organization

4.1 Understanding the organization and its context

What’s the Same

The control heading remains the same and the control has not changed.

What’s Different

Replaced the referenced to ISO 31000 from the 2009 to the 2018 publication release.

4.2 Understanding the needs and expectations of interested parties

What’s the Same

The control heading remains the same. The wording of control 4.1 remain exactly the same.

What’s Different

The wording of the control 4.2 is reworded generalizing removing the specific focus “relevant to information security.” Essentially, they have taken this portion and created a new subsection “c”

The new 4.2 c) mandates identifying which of the requirements of the identified interested parties will be addressed in the organization’s Information Security Management System (ISMS).

4.3 Determining the Scope of the ISMS

What’s the Same

The complete text remains unchanged.

What’s Different

There are not changes to this subsection.

4.4 Information Security Management System

What’s the Same

The general context of the control remains the same.

What’s Different

The control has added a qualification or, called out that “processes needed and their interactions,” need for the ISMS must also be established, implemented, maintained, and continually improved upon.

Clause 5 – Leadership

5.1 Leadership & Commitment

What’s the Same

The control heading and content remains the same.

What’s Different

Added a qualifying note at the bottom of the control, giving reference to the interpretation of the word “business.”

5.2 Policy

What’s the Same

The control heading and content remains the same.

What’s Different

No changes were identified.

5.3 Organizational Roles, Responsibilities and Authorities

What’s the Same

The control heading remains the same.

What’s Different

The wording of the opening sentence of the control includes a new qualifier, “within the organization.”

In 5.3 a) an insignificant change that changed the reference to “this International Standard” to a more generic statement of “this document.”

In the control “NOTE” text, they have changed the statement from “may” to “can,” which presumably is to conform to revised terminology or more appropriately align with existing official terminology definitions. There does not appear to be any material impact result from this change.

Clause 6 – Planning

6.1 Actions to Address Risks and Opportunities

What’s the Same

The control heading and content for subsection 6.1.1, and 6.1.2 remains the same. The general contents of subsection 6.1.3 also remain materially consistent, with the exceptions noted below.

What’s Different

The “NOTE”s in subsection 6.1.3 have had some revision, as follows:

  • Formerly the first note under 6.1.3 b) was not numbered, however in the new version it has been assigned “NOTE 1,” however its contents remain the same.
  • Notes 1 and 2 under 6.1.3 c) have been renumbered to “NOTE 2” and “NOTE 3,” respectively.
  • NOTE 3 in the new version has been revised with the qualification that:
  • The focus is not on “control objectives” but rather “controls” from Annex A of the standard.
  • The reference to control objectives being implicitly included in controls chosen from Annex A, has been removed. This change does not appear to have any material impact.

Subsection 6.1.3 d) has restructured the content of the control’s wording into bullet points, however no material change has resulted from this.

The final note (“NOTE 4”) in the new version, again changes the language “in this International Standard” to “in this document.” No material impact has resulted from this change.

6.2 Information Security Objectives and Planning to Achieve Them

What’s the Same

The control heading and content for 6.2 remains generally consistent with the exception of those noted below.

What’s Different

Two new qualifying requirements have been added in the 2022 version (“Edition 3”) in subsection 6.2, and has been inserted at 6.2 d) and 6.2 g).  All other requirements under 6.2 have remained intact, and simply reordered.

The new 6.2 d) mandates information security objectives must be “monitored.”

The new 6.2 g) mandates the objectives must be available as documented information. It is unclear if this was an oversight or why they added this, as the immediately following sentence states, “the organization shall retain documented information on the information security objectives,” which sounds the same.

6.3 Planning Changes

What’s the Same

Nothing … this subsection is new.

What’s Different

Subsection 6.3 is brand new to clause 6. In the new one sentence control, it mandates changes required of the ISMS must be done in a planned approach.  The inference here is that in addition to proper planning when implementing an ISMS, it requires an organization when making changes to an established ISMS, the changes must similarly be planned. One of the keys to ISO controls is to document and retained the planning documentation as an ISMS record (audit artifact or evidence of having performed it). It is unclear based on the writing in the new version of the standard, why the committee did not perceive this to have already been covered under clause 8.1

Clause 7 – Support

7.1 Resources

What’s the Same

The control heading and content for subsection 7.1 remains the same.

What’s Different

There have been no changes in this subsection.

7.2 Competence

What’s the Same

The control heading and content for subsection 7.2 remains the same.

What’s Different

There have been no changes in this subsection.

7.3 Awareness

What’s the Same

The control heading and content for subsection 7.3 remains the same.

What’s Different

There have been no changes in this subsection.

7.4 Communication

What’s the Same

The opening sentence and sub-subsections 7.4 a), and b), and C) are consistent, reflecting no changes.

What’s Different

In 7.4 d) and e) which previously offered “who shall communicate” and “the process by which communication shall be effected,” has been consolidated into one new 7.4 d) mandating the organization must also determine “how to communicate.”

7.5 Documented Information

What’s the Same

The control heading and content for 7.5 remains generally consistent with the exception of those noted below.

What’s Different

The subsection opens with a general housekeeping change in 7.5 a) with the wording “… by this International Standard,” which is generalized in the new version worded, “… by this document.”  Subsection 7.5.3 makes a similar amendment in the opening sentence.

Clause 8 – Operation

8.1 Operational Planning and Control

What’s the Same

The control heading and content for 8.1 remains generally consistent with the exception of those noted below.

What’s Different

Paragraph One

Changes in this clause begin in the opening sentence of 8.1 where it removes the qualifying text “… to meet information security requirements, …” and leaves it with only “… to meet requirements …, suggestive that it may have broadened expectations outside of solely information security requirements. As this sentence continues, ISO has also generalized in the new version “… requirements, and to implement the actions determined in Clause 6 ...,” which essentially summarized what it was saying the in previous version in less words.

This paragraph in the new version, now offers two new qualifying bullets mandating the requirement to establish criteria, and implement control of processes in accordance with the criteria.

Paragraph Two

The changes to this paragraph appears to be cosmetic as it is merely a rewording of the opening of the sentence from, “The organization shall keep documented information … “ to “Documented information shall be available …

Paragraph Four

This is another one sentence area, which has had significant qualifying requirements added into the new version. Specifically, the 2013 version generally stated that “outsourced processes” be determined and controlled. It did not delineate one outsourced business process from another. Under the 2022 version it now offers “eternally provided processes, products or services that are relevant to the information security management system are controlled.” While I think these represent potentially needed qualifications rolled into this one sentence, I still see the possibility for the open interpretation or subjectiveness of what “relevant to the information security management system” means. Presumably this refers to, within the scope of the ISMS.

8.2 Information Security Risk Assessment

What’s the Same

The control heading and content for subsection 8.2 remains the same.

What’s Different

There have been no changes in this subsection.

8.3 Information Security Risk Treatment

What’s the Same

The control heading and content for subsection 8.3 remains the same.

What’s Different

There have been no changes in this subsection.

Clause 9 – Performance Evaluation

9.1 Monitoring, Measurement, Analysis and Evaluation

Paragraph One

What’s the Same

The control heading and content for 9.1 remains generally consistent with the exception of those noted below.

What’s Different

The opening, one sentence paragraph has been removed leaving no qualifying opening to the second paragraph, which reads, “the organization shall determine: ...” before going into a bulleted list of six specific requirements. Other than the heading, it does appear a bit odd not to have that qualifying requirements before going into the bulleted requirements. So, did they throw this out or do something else with it? If you look to the end of 9.1, you will find that they have moved it verbatim to the end.

In 9.1 b) they have moved the contents of the “NOTE” into the body of the bullet, so clearly only a cosmetic change.

Paragraph Two

In this single sentence 2nd paragraph, it is net new to the subsection, however mandating documented information be retained as evidence should not be a surprise to anyone who lives in an ISO standards world. I find it even more perplexing why ISO feels it relevant to only specifically mandate it here and there, where ISO audits are designed and appropriately so, as evidence-based audits. To be clearer, ISO should consider incorporating this into clause 7.5.3 as a general requirement.

9.2 Internal Audit

In the 2013 version of the standard, 9.2 was one consolidated topic with seven bulleted requirements (“a)” through “g)”), which has been broken into two area in the 2022 release. The bullets “a)” through “b)” inclusive are now in 9.2.1, whereas “c)” through “g)” are now in 9.2.2. Below are the changes noted in these new numbered areas.

9.2.1 General

What’s the Same

The control content for bullets “a)” through “b)” remains the same.

What’s Different

There have been no changes in this subsection.

9.2.2 Internal Audit Programme

What’s the Same

The control content for bullets “c)” through “g)” remains the same.

What’s Different

The contents of bullet “c)” has been restructured into an opening paragraph to 9.2.2.

The contents of bullet “g)” have been restructured as a closing paragraph with minor editorial changes that do not materially affect the control statement. This is another example where ISO could have been a little more efficient by centralizing the requirement under 7.5.3, as this is yet another statement that documented information must be retained.

9.3 Management Review

Similar to the previous control area, clause 9.3 had everything under one area, and has broken into three (3) sections as provided below, in its 2022 version.

9.3.1 General

What’s the Same

The opening sentence of the old version has been migrated into this area; however, the text has remained consistent.

What’s Different

As 9.3.1 is net new, there are no changes per se.

9.3.2 Management Review Inputs

What’s the Same

The control content for bullets “a)” through “b)” have been migrated into this area, but have remains the same.

What’s Different

Bullets “c)”  through “f)” have been migrated to 9.3.2, with no change to the content of the text, however they have been bumped down the line to become bullets “d)”  through “g)” in the 2022 version.

A new bullet has been introduced as the new “c)” mandating, “changes in the needs and expectations of interested parties …” relevant to the ISMS shall be reviewed. This one could be a material change, especially to organization’s that focused not on setting up a comprehensive ISMS, but rather focusing on meeting minimum necessary only. In the past, the minimum necessary might have been seen as only having to understand interested parties needs and expectations at the beginning, whereas this change suggests an ongoing need to solicit, and assess for changes in the needs and expectations of interested parties.

9.3.3 Management Review Results

What’s the Same

The last two paragraphs have been moved into this new sub area, with only cosmetic changes to the text. Specifically, in the second last paragraph it previously opened, with “the output of the management review …” and changed to “the results of the management review …”

What’s Different

As 9.3.3 is net new, there are no changes per se.

Clause 10 – Improvement

In the 2022 version they flipped the sub areas upside down, making 10.1 now 10.2, and 10.2 now 10.1 in 2022. This does appear to make sense, as this change now give clause 10 a qualified opening.

10.1 Continual Improvement

What’s the Same

The control content imported from 20.2 of the 2013 version and is now referenced as 10.1 remains the same.

What’s Different

Nothing.

10.2 Nonconformity and Corrective Action

What’s the Same

The control content imported from 20.1 of the 2013 version and is now referenced as 10.2 remains materially the same, with the exception noted below.

What’s Different

In the qualifying statement opening for bullets “f)” and “g)”  the previous version opened with “the organization shall retain documented as evidence of: …” and has been reworded in the 2022 version to state, “documented information shall be available as evidence of: …”

Annex A

Annex A is really where there have been a number of material changes. That said, the majority of Annex A has remained the same.

For a high-level overview of the changes here, please read our article entitled, “ISO 27002: 2022 - What Has Changed,” published on our site in March 2022.

Closing

If you are planning to implement the standard, or are supporting an organization already ISO 27001 certified, and need to better understand the full requirements, consider taking the Forum’s 5-day ISO 27001 Lead Implementer or Lead Auditor courses. By training with the Forum, you’re not just taking training, your support an institution that we’re building together to make training accessible by keeping costs down, as well as promoting the development of new practice models and methodologies.