ISO 27001:2022 Updates: What Is Changing and Why Does It Matter?

by Hannah Grace Holladay / October 31st, 2022

A revised version of ISO 27001 is expected this fall. When standards change, it’s natural for organizations to wonder whether it will impact their operations and compliance. Organizations about to undertake an ISO 27001 audit may hesitate until the new standards are published. 

In fact, the changes to ISO 27001 will not have an immediate impact on compliance, and there is no reason to postpone audit preparation. However, a new version of ISO 27002 was published earlier this year. The included changes will be replicated in the upcoming revisions to Annex A of ISO 27001, affecting future compliance efforts. 

In this article, we’ll explore what ISO 27001 is, how it’s different from ISO 27002, and the likely impact of the revised ISO 27001 and ISO 27002 standards. 

What is ISO 27001?

ISO/IEC 27001 is an international information security standard. It was developed as a solution to the problem of ad-hoc information security implementation. Organizations would implement controls to patch security in response to incidents, but they would not implement an overarching system that adequately accounts for potential risks. 

ISO 27001 describes security controls that, when implemented, constitute a comprehensive information security management system. It also provides a framework that auditors can use to certify that an organization complies with widely accepted standards for information security. 

The standard consists of sections that outline expectations for information security implementation. For example, Clause  4.4 requires an organization to establish, implement, and continually improve an information security management system. Clause  6.1.2 requires organizations to identify, analyze, and evaluate information security risks. 

In addition to the clauses, ISO 27001 includes Annex A, which lists specific control objectives and controls. There are dozens of paired objectives and controls, but let’s look at a few to get a clear idea of what’s expected. 

  • A.9.4.3 — Objective: Password management system. Control: Password management systems shall be interactive and shall ensure quality passwords. 
  • A.10.1.1 — Objective: Policy on the use of cryptographic controls. Control: A policy on the use of cryptographic controls for the protection of information shall be developed and implemented.
  • A.12.1.2 — Objective: Change management. Control: Changes to the organization, business processes, information processing facilities, and systems that affect information security shall be controlled.

The most substantial changes in the updated version of ISO 27001 are to the Annex A controls. We’ll see which controls have changed in a moment, but first, let’s look at the relationship between those controls and ISO 27002. 

What Is the Difference Between ISO 27001 and 27002?

ISO 27001 is the standard that organizations can be certified against. But, as we’ve just seen, the objectives and controls included in ISO 27001 Annex A are vague and non-specific. They don’t include any implementation details. That’s because organizations can choose how to implement the controls, provided their implementation meets the requirements, and document how the implemented controls map to the objectives in Annex A.

 ISO 27002 includes the “missing” implementation guidance.  It lists the same controls as ISO 27001 but provides more information and guidance to those seeking to implement the applicable controls. The implementation guidance doesn’t get into the technical details, but it does outline clear and detailed requirements for any compliant system. In the previous section, we quoted the password management system objective from ISO 27001 (A.9.4.3).  ISO 27002 has an equivalent section that goes into greater detail about what’s expected. The password system must enforce the use of individual IDs, allow users to change passwords, not display passwords on the screen, store passwords in a protected form, and so on.

It’s important to understand that an organization doesn’t have to follow the implementation guidelines in ISO 27002. It can use different information security standards, provided they can be mapped to the controls in ISO 27001 Annex A. That’s one reason there is no such thing as an ISO 27002 certification. ISO 27002 is a supplementary standard to help organizations comply with ISO 27001 and achieve certification. 

How Did ISO 27001/ISO 27002 Change in 2022?

ISO 27002 was updated at the beginning of 2022. New controls and control categories were added, and some control categories were consolidated. ISO 27002 provides implementation guidance for the controls included in ISO 27001 Annex A, so the updates necessitate changes to align Annex A with the controls in the implementation guidance. 

What Are the New Controls for ISO 27001?

There are 11 new controls in ISO 27002:2022, so we can expect the same new controls in Annex A of ISO 27001. They include:

  • Threat intelligence
  • Information security for use of cloud services
  • ICT readiness for business continuity
  • Physical security monitoring
  • Monitoring activities
  • Web filtering
  • Secure coding
  • Configuration management
  • Information deletion
  • Data masking
  • Data leakage prevention

Although controls have been added, the total number has reduced from 114 to 93. That’s because several controls have been merged. The categories have also been consolidated and merged. In ISO 27001:2013, the controls were divided into 14 different areas. In ISO 27001:2022, there will be four domains. 

  • People controls: remote work, confidentiality, non-disclosure, screening, etc. 
  • Organizational controls:  organizational information policies, cloud service use, asset use, etc. 
  • Physical controls: security monitoring, storage media, maintenance, facilities security, etc. 
  • Technological controls: authentication, encryption, data leak prevention, etc. 

To see a full list of the changes expected in ISO 27001: 2022, consult the controls and guidance in ISO 27002:2022

How To Prepare for ISO 27001:2022

Your organization does not need to make immediate changes, although you should familiarize yourself with the new and revised controls. If your information security management system is based on the implementation guidance in ISO 27002, you should put plans in place to update controls, if required. If you use a different set of standards, you will be expected to provide documentation mapping from your chosen controls to the controls in ISO 27001:2022 Annex A. 

Should My Organization Delay ISO 27001 Certification?

There is little reason to delay ISO27001 certification until the updated version is released. If your organization or its customers require an ISO 27001 audit or certification, waiting may not be beneficial to your business. There is likely to be a three-year transition period before documentation edits and control implementation are required to comply. 

Work With KirkpatrickPrice to Achieve Your ISO Certification

KirkpatrickPrice offers ISO 27001 audits and consulting services that help our clients to achieve ISO 27001 compliance. We will help you to identify, qualify, and catalog information security risks in your environment and provide the support you need to implement a compliant information security management system. Contact an information security specialist to learn more about our ISO 27001 compliance services.