Published on: Nov 8, 2022
Everything You Need To Know About The ISO 27001:2022 Update
The ISO 27001:2022 update was finally published this past October 25, 2022. So, if you are wondering what this means to you and your organization, we got your back!
This article will cover the main changes in the Mandatory Clauses, Annex A, and how to transition to the new ISO 27001:2022 update.
Let's dive right in!
ISO 27001 - Quick Overview
Technology has rapidly changed how people work in the past 20 years. Back then, less than 7% of the world was online, not even half of Americans had broadband access at home, social media was far from becoming a hot topic, and ISO 27001 didn't even exist.
The first edition of the internationally recognized information security standard was published in 2005. Then, it wasn't until 2013 that the International Standards Organization (ISO) reviewed the set of controls and issued a second revision.
Now, we are dealing with the third revision, and we expect further changes to happen much faster as cybersecurity threats grow exponentially.
The ISO/IEC 27001 Lifecycle Explained
It’s one thing to read about updates to the standard, it's another to understand how ISO/IEC 27001 actually evolves over time. Like an operating system that gets regular patches, security standards go through a distinct lifecycle.
Here’s how ISO/IEC 27001 makes its way from fresh idea to core part of the cybersecurity landscape:
Drafting and Approval: New versions and amendments start as proposals, making their way through various committees and review stages.
Publication: Once the experts finish fine-tuning, the updated standard is officially published. That's when it becomes the benchmark for organizations worldwide.
Regular Reviews & Amendments: To stay ahead of emerging threats, ISO/IEC 27001 undergoes periodic systematic reviews. These result in either confirmations, revisions, or—when needed—withdrawals of outdated versions.
Amendments: Think of these like software updates, providing targeted improvements or clarifications that organizations can adopt alongside the main standard. For example, fresh amendments accompanying the 2022 update provide additional guidance.
The bottom line? ISO/IEC 27001 isn’t static. It continually adapts to shifting technology and risk landscapes, and if you’re keeping up with the latest lifecycle stage, you’re far less likely to be caught off guard by an unexpected audit or compliance deadline.
What Are the Three Principles of Information Security in ISO 27001 (The CIA Triad)?
Before we get tangled in acronyms and jargon, let’s break down the backbone of information security—the CIA triad. No, this isn’t about secret agents, but it is about defending your organization’s most sensitive secrets.
Here’s what every company should know:
Confidentiality: Only the right eyes (think authorized users) get to see sensitive company data. Imagine your payroll spreadsheets or customer lists, if those ended up on social media or the Darknet, you’d have a real problem on your hands. Confidentiality helps keep private info out of the wrong inbox.
Integrity: This is about trust in your data. You want to make sure the info you’re working with hasn’t been tampered with, accidentally or on purpose. Think of it like a library book: you expect the text to be the same for every reader. If an employee accidentally deletes key financial figures or someone with sticky fingers edits customer records, you lose that trust and, possibly, your footing with clients.
Availability: Data should be there when you need it. If your sales database decides to take a day off because a server crashed and there’s no backup, customers and revenue walk out the door. Availability ensures your information remains accessible for those who need it, when they need it.
Put together, these three pillars are the crux of what ISO 27001 sets out to achieve—a practical, risk-based approach to keeping your organization’s data safe, uncorrupted, and always at the ready.
Remember: You can build all the firewalls you want, but if you aren’t looking after confidentiality, integrity, and availability, you’re still leaving the (virtual) front door wide open.
Refresher: What Is the Process for Developing and Implementing an ISMS According to ISO 27001?
Establishing an information security management system (ISMS) aligned with ISO 27001 may sound daunting, but the journey is surprisingly logical—and brings lasting benefit far beyond passing an audit. Let’s break down what that process looks like for organizations of all sizes.
1. Understand Your Organization’s Context
Before leaping into policies, start by mapping out what you need to protect and why. This means defining the scope of your ISMS—consider your business objectives, legal obligations, and who your stakeholders are (think: customers, partners, regulators). Clarify which parts of your company are covered (is it just IT, or the whole operation?). This early clarity is essential for targeting your efforts.
2. Secure Commitment and Assign Roles
Engaging leadership is crucial; ISO 27001 is not an IT-only affair. Executive buy-in ensures information security becomes part of your company’s DNA, not a project, but an ongoing way of working. Assign clear responsibilities (many organizations, for instance, appoint an Information Security Officer) to steer the ISMS and champion awareness.
3. Conduct a Thorough Risk Assessment
Think of this as crossing the street with your eyes open: identify what assets you have (data, systems, knowledge), what could go wrong (threats), and how vulnerable you are to each risk. Evaluate both the likelihood and potential impact. Tools like risk registers and third-party platforms (like StandardFusion or Vanta, to name a few) are handy at this stage.
4. Define and Implement Controls
Based on your risk assessment, decide which controls (safeguards) are appropriate—these could be technical (like firewalls), procedural (like onboarding checklists), or physical (like locked server rooms). Annex A of ISO 27001 lists suggestions, but you’re free to tailor them to your business.
5. Document Everything—But Keep It Practical
While documentation may sound bureaucratic, ISO 27001 rewards a pragmatic approach. Record your policies, processes, and responsibilities clearly enough that anyone can follow along. Avoid jargon and shelf-ware—your people need documents they’ll actually use.
6. Train and Raise Awareness
Security is everyone’s business. Deliver regular training to staff (from HR to developers), outlining not just policies, but also the “why” behind them. This transforms security from a box-ticking exercise into daily practice.
7. Monitor, Audit, and Improve
Once your ISMS is live, don’t set it and forget it. Monitor for incidents, conduct internal audits, and review performance against your goals. Gather feedback, learn from mistakes, and adjust your controls and processes as threats evolve (and as your business grows). Think of it as continuous improvement, not a one-time sprint.
8. Prepare for External Assessment
If you seek certification, select an accredited auditor to review your ISMS. They will check for conformity with the standard—and more importantly, whether your system works for your real-world risks.
Developing and implementing an ISMS takes commitment and continuous focus, but it pays off with improved resilience, a stronger reputation, and smoother regulatory compliance.
ISO 27001:2022 Challenges
The ISO 27001:2022 update has much more significant challenges when trying to maintain its current requirements.
Organizing a set of comprehensive controls to cover all potential security, cybersecurity, and privacy obligations is hard. However, writing it in a way that is simple enough to fit approximately 30 pages is even more complicated. Generally, the reviewers do a good job when simplifying the standard.
Simplification is critical if the intention is to have more companies adopt 27001 as a baseline for their security controls. With more adherents, ISO 27001 leads the InfoSec compliance world and becomes a must-have for anyone trying to sell technology.
In the B2B space, customers won't take less than an ISO 27001-certified product.
There is no question about the value of ISO certification. Nevertheless, for anyone looking forward to implementing this standard or transitioning from the previous version, there are key changes that require some planning.
The New Changes of ISO 27001:2022
Now, let’s talk amendments—because, yes, even international standards need a little touch-up now and then.
What Are Amendments?
An amendment is an official update made to an existing standard. Think of it as a “patch” for the rulebook, clearing up confusing sections, correcting minor mistakes, or adding important new information that’s come to light after the original publication.
Why do these happen? The world doesn’t stand still, especially in cybersecurity. Maybe a new technology rolls out that everyone suddenly uses, or perhaps a hidden loophole finally comes to light. When that happens, rather than rewriting the entire standard, an amendment steps in to address these specifics—keeping the whole system current and credible.
Amendments can:
Introduce brand-new requirements or guidance.
Clarify existing wording for better understanding.
Fix technical errors that slipped through editing.
So, whenever you see an amendment referenced, it just means the standard is evolving and adapting to the changing threat landscape so that organizations like yours aren't left working with outdated guidance.
Amendments to Mandatory Clauses
There aren't many significant changes there, but a few that deserve comments:
4.4 Information security management system - This new clause requires that processes and "their interactions" are identified, which reminds us a lot of ISO 9001. Therefore, you can design interactions as part of diagrams and flow chats.
Several clauses and notes make it clear that the Annex A controls are not exhaustive. You should use them as a baseline. However, all organizations should look at their environments to correctly identify any other necessary control, risks, etc.
6.2 Information Security objectives. Objectives must be documented and available for all stakeholders.
6.3 Planning of changes. From now on, all changes require documented planning.
8.1 Operational planning and control. Organizations must define a criteria for operational processes. However, a criteria can be a broad term, from a security requirement to a business need or customer request.
9 Performance evaluation. Methods to evaluate and monitor your controls should produce comparable results so the organization can assess trends.
9.2 Internal audits. Internal assessments must cover all organizations' requirements, not only ISO 27001. This may be a broader attempt to be more comprehensive as a Management System.
Annex A Amendments
Annex A has seen the greatest change. The updated version of ISO 27001 Annex A has been completely restructured and revised. As a result, the number of controls has decreased from 114 to 93 in the new version of ISO 27001. Also, these security controls are now divided into four sections instead of the previous 14.
Furthermore, this change represents a tangible attempt to make the standard more concise and simpler to implement. The overlaps and repetitions have been eliminated to create five major security attributes that make them easier to group.
The new Sections and Controls of ISO 27002:2022 are:
Section 5: Organizational (37 controls)
Section 6: People (8 controls)
Section 7: Physical (14 controls)
Section 8: Technology (34 controls)
In summary, 35 controls remained unchanged, 23 controls were renamed, 57 controls were merged to form 24 controls, and 11 new controls were added:
5.23 Information security for use of cloud services
5.30 ICT readiness for business continuity
5.7 Threat Intelligence
7.4 Physical security monitoring
8.1 Data masking
8.9 Configuration management
8.10 Information deletion
8.12 Data leakage prevention
8.16 Monitoring activities
8.23 Web filtering
8.28 Secure coding
How Will The Update Affect Your Organization if You Are Implementing ISO 27001?
First of all, don't panic. Certification entities will likely offer certification to ISO 27001:2022 just six months after its publication. Also, ISO 27001:2013 will be retained for another three years, so all your work to implement 27001:2013 will still be worth it.
However, you might want to use the new Annex A controls from ISO 27001:2022 as an alternative control set, depending on the progress of your ISO 27001:2013 implementation project. If you want to do this, you will still need to compare the new controls with the 2013 Annex A controls in your Statement of Applicability.
How Will The Update Affect Your Organization if You Are Already Certified to ISO 27001:2013?
Remember, you will have time ("Transition Period") to fully migrate to the new requirements. However, the best moment to do that is before your next internal audit, no matter if you have been certified for years or even if you are in the process of certification.
The internal ISO 27001 audit involves a detailed assessment of your organization's ISMS to ensure it complies with the standard's criteria. That would allow you to evaluate if you deployed the changes correctly without putting the certification at risk.
Another critical decision would be allocating the internal audit activities, at least, three months before the external assessment. This timeline would allow you to identify any potential nonconformities and fix those before the external assessor comes in.
Not sure how to start?
Connect with StandardFusion's team to help you overcome your ISO and GRC challenges. Also, you can check out this guide, complying with the changes to ISO 27001:2022, if you need more help transitioning to the updated standard.
What can GRC do for you?
A powerful GRC platform can be your best friend when mapping controls across your organization, identifying potential risks, and allocating ownership. Moreover, the software allows a centralized approach to information security as a "management system," exactly how the new standard suggests.
Also, you can integrate records, allowing you to visualize and understand the interaction between processes, the creation of workflows and rapidly visualizing these interconnections will also streamline your transition.
Key takeaways
Although the last ISO 27001 update was almost 10 years ago, we expect further changes to happen much faster as cybersecurity threats keep growing exponentially.
Following, are some of the most significant ISO 27001:2022 updates:
Mandatory Clauses
4.4 Information security management system
Several clauses and notes make it clear that the Annex A controls are not exhaustive
6.2 Information Security objectives
6.3 Planning of changes
8.1 Operational planning and control
9 Performance evaluation
9.2 Internal audits
Annex A
The main changes include: 35 controls remained unchanged, 23 controls were renamed, 57 controls were merged to form 24 controls, and 11 new controls were added.
Remember, you will have time ("Transition Period") to fully migrate to the new requirements. The best moment to do that is before your next internal audit. It doesn't matter if you have been certified for years or are in the process of certification.
Smooth Transition
Lastly, GRC software can help you transition smoothly to ISO 27001:2022 by mapping controls across your organization, identifying potential risks, and allocating ownership. Moreover, GRC tools like StandardFusion allow you to build a centralized approach to information security as a "management system," precisely as the new standard suggests.
