Human Risk Management Institute

Key Differences Between ISO 27001:2013 and ISO 27001:2022

Written by Hastin Lia | 12 Mar 2026

ISO 27001 is an international standard that provides guidance for establishing, implementing, maintaining, and improving an information security management system (ISMS). As technology and cyber security threats evolve, ISO has revised this standard. Understanding the main differences between ISO 27001:2013 and ISO 27001:2022 helps organisations update their information security processes in line with evolving demands.

This article will discuss the main differences between ISO 27001:2013 and ISO 27001:2022, focusing on structural changes, security approaches, and additional security controls relevant to new threats.

1. Changes in Structure and Terminology

ISO 27001:2022 introduces several changes in terms of structure and terminology that are more aligned with other management standards, such as ISO 9001 and ISO 14001, to facilitate management system integration. This includes the use of a high-level structure (HLS) that allows organisations to more easily integrate different management systems.

ISO 27001:2013

In the 2013 version, the standard was divided into several main chapters, namely:

  • Organisational Context
  • Leadership
  • Planning
  • Support
  • Operations
  • Performance Evaluation
  • Improvement

ISO 27001:2022

In the latest version, ISO 27001:2022 retains the same structure, but with slight modifications to the sub-elements and refinements to the terminology used to make it more relevant to current developments in information security and risk management. For example, the concept of “information security risk oversight” has been expanded with an approach that focuses more on the analysis of current cyber threats.


2. Additions and Revisions to Security Controls in Annex A

One of the most significant changes in ISO 27001:2022 is the revision to Annex A, which includes a list of security controls referenced by the ISO 27002:2022 standard. Annex A is an integral part of ISO 27001 that contains specific security control guidelines that need to be implemented by organisations.

ISO 27001:2013

Annex A in ISO 27001:2013 contains 14 clauses covering 114 security controls. These include controls related to security policies, information security organisation, human resources security, access controls, cryptography, and asset management.

ISO 27001:2022

ISO 27001:2022 updates Annex A based on ISO 27002:2022, grouping controls into four main categories, namely:

  • Organisational Controls
  • Technological Controls
  • Physical Controls
  • People Controls

The number of controls has been reduced to 93, but some old controls have been combined, removed, or updated to be more relevant. Examples of new controls introduced in ISO 27001:2022 include Threat Intelligence, Information Security for Use of Cloud Services, and Monitoring Activities (ISO 27001:2013) (ISO 27001:2022).

3. Emphasis on Cyber Security and Privacy

One of the main focuses of ISO 27001:2022 is a greater emphasis on cyber security and privacy protection, reflecting a growing global trend in line with increasing cyber threats.

ISO 27001:2013

This version placed greater emphasis on broad information security management, including the protection of information integrity, confidentiality, and availability, without explicit emphasis on cyber security threats.

ISO 27001:2022

In the 2022 version, there is a stronger emphasis on a risk-based approach to cyber security and data privacy. For example, the concept of Threat Intelligence is introduced as a new control that enables organisations to collect and analyse information related to cyber security threats, which helps in more effective attack prevention.

In addition, this standard also emphasises the importance of data privacy and data protection, especially amid increasing privacy regulations such as the GDPR in Europe or the PDP Law in Indonesia (ISO 27001:2022).

4. Integration with Cloud Technology and Outsourcing

Another important change relates to security management for cloud services and outsourcing. With the increasing use of cloud technology, ISO 27001:2022 accommodates more specific controls for managing risks associated with third-party service providers.

ISO 27001:2013

This version covers basic controls related to third-party risk management, but does not specifically address today's widespread use of cloud services.

ISO 27001:2022

In the 2022 version, specific controls for cloud services have been introduced. Organisations using cloud services are now required to establish processes for the acquisition, use, management, and termination of cloud services in accordance with relevant information security requirements. This includes controls to manage risks arising from the information and communications technology (ICT) supply chain (ISO 27001:2022).

5. A More Flexible Approach to Security Risks

ISO 27001:2022 introduces greater flexibility in the approach to risk assessment and the implementation of security controls.

ISO 27001:2013

Risk assessment in the 2013 version focused more on identifying risks based on the loss of confidentiality, integrity, or availability of information. This approach was less dynamic in responding to rapidly changing cyber threats.

ISO 27001:2022

ISO 27001:2022 adopts a more flexible risk approach, allowing organisations to tailor their risk assessment processes to their specific needs and circumstances. This provides organisations with more flexibility to adapt and prioritise security controls based on the evolving threat landscape (ISO 27001:2013) (ISO 27001:2022).


Conclusion

ISO 27001:2022 brings significant updates that reflect changes in the information security threat landscape and technological developments. By aligning the standard with other management structures and adding new, more relevant controls, this latest version helps organisations improve their risk management approach and strengthen their protection against increasingly complex cyber threats.

The key differences between ISO 27001:2013 and ISO 27001:2022 demonstrate the evolution of this standard in addressing modern information security needs. Organisations that have already adopted ISO 27001:2013 need to immediately consider updating their information security management systems in accordance with the 2022 version in order to remain relevant and secure.