Navigate the changes between ISO 27001:2013 and ISO 27001:2022


Down memory lane with ISO 27001

This article helps you understand the changes between ISO 27001:2013 and ISO 27001:2022. For an organization, implementing and managing information security and being ISO 27001 certified is a “must” these days. It doesn’t matter if you are an SMB (small-to-medium-sized business) or a large-scale organization, a financial service, or an organization that handles sensitive personal data; the important point is to keep your data safe and secure. An information security standard like ISO 27001 helps you prevent data breaches and stay in compliance with industry-specific regulations. ISO 27001 describes best practices for an ISMS (information security management system).

Achieving ISO 27001 certification demonstrates that your organization is adhering to international information security best practices and provides assurance that information security is managed according to international standards to achieve business objectives.

It is also important to keep yourself updated or adhere to the latest standards. If we talk about the ISO standards, ISO 27001 is a code of practice for information security management, supported so far by ISO/IEC 27002:2013. But the International Organization for Standardization (‘ISO’) announced on October 25, 2022, that it had updated its standard ISO/IEC 27001:2022 for information security, cybersecurity, and privacy protection information security management system requirements (‘ISO/IEC 27001:2022’).

So the latest version of ISO 27001 is ISO 27001:2022, which allows organizations to implement information security procedures while minimizing the risks associated with data storage and the management of information sources in a better way than ISO 27001:2013.

Here is an “ISO 27001 Overview and Guides” by TrustCloud.

What has changed since 27001:2013?

Before we dive in, please note that ISO 27001:2013 will be valid for another three years, so you need not worry if you are already certified against ISO 27001:2013. Certification against ISO 27001:2013 is still allowed until April 30, 2024. But organizations should begin to update controls and processes to comply with the requirements in ISO 27001:2022 as soon as possible.

The changes in the ISO 27001:2022 updates are small and easy to implement. These changes can be categorized into two parts:

  1. Changes to the Management System Clauses: The main 11 clauses remain, though small changes to the clauses were made.
  2. Changes to the Annex A Controls: The number of Annex A controls dropped from 114 to 93, and the controls are organized into four sections instead of the 14 sections in 2013.

| Item | 2013 Version | 2022 Version | Changes |
| --- | --- | --- | --- |
| Clause # | 11 | 11 | None, though new requirements were added |
| Security Controls | 114 | 93 | Consolidated, new security controls |
| Annex A Control Categories | 14 | 4 | Consolidated |


A deep dive into the Management System clause changes

Here are the clause changes:

  1. Clause 4.2 – Understanding the needs and expectations of interested parties.
    Item (c) was added, requiring an analysis of which of the interested parties' requirements must be addressed through the ISMS.
  2. Clause 4.4 – Information Security Management System.
    This clause adds to the context of the organization by identifying required processes and their interactions within your ISMS.
  3. Clause 8.1 adds a requirement to define process criteria.

A deep dive into the Annex A Changes

Annex A control updates are moderate. The ISO 27001:2022 Annex A controls have been restructured to address current security challenges. The majority of the controls remain the same (about 35) or are renamed (about 23). Another group of controls is merged (about 57), reducing the total number of controls.

There are also 11 new controls that address current trends in cybersecurity.

The updated four control classifications in ISO 27001:2022 Annex A with respect to ISO 27001:2013 are:

  1. Organizational Controls
    • Number of controls: 37
    • Control numbers: ISO 27001 Annex A 5.1 to 5.37
  2. People Controls
    • Number of controls: 8
    • Control numbers: ISO 27001 Annex A 6.1 to 6.8
  3. Physical Controls
    • Number of controls: 14
    • Control numbers: ISO 27001 Annex A 7.1 to 7.13
  4. Technological Controls
    • Number of controls: 34
    • Control numbers: ISO 27001 Annex A 8.1 to 8.34

Each control is assigned an attribute. So, each control has a table with a set of suggested attributes.

The 11 new controls are as follows:

  • 5.7 – Threat intelligence
  • 5.23 – Information security for the use of cloud services
  • 5.30 – Information and communications technology for business continuity
  • 7.4 – Physical security monitoring
  • 8.9 – Configuration management
  • 8.10 – Information deletion
  • 8.11 – Data masking
  • 8.12 – Data leakage prevention
  • 8.16 – Monitoring activities
  • 8.23 – Web filtering
  • 8.28 – Secure coding

NOTE: You need to make sure your existing Annex A is revised and aligned with ISO 27002:2022.

Check the newly added controls and the mapping of controls from ISO 27001:2013 to ISO 27001:2022.

Remember: This new update does not impact your existing certification. Certification against ISO 27001:2013 is still allowed until April 30, 2024. But organizations should begin to update controls and processes to comply with the requirements in ISO 27001:2022 as soon as possible.

Check ISO 27001:2013 vs ISO 27001:2022 Clauses and Annexes.

How can TrustCloud help you?

At TrustCloud, we fulfill all your compliance needs to implement an ISO 27001-compliant ISMS and achieve certification to the standard.

Whether you are looking to achieve ISO 27001:2013 accreditation or need help transitioning to the soon-to-be-published ISO 27001:2022, TrustCloud is here to help. We are an ISO 27001-certified company, and our audit partners are certified as ISO 27001 auditors.

Learn more to get started on your ISO 27001 journey.

If you are an existing customer of TrustCloud and are ready to conduct your readiness assessment, please contact your account manager today.

New to compliance? Get our fast and affordable way to achieve compliance for free.


