Differences Between ISO 27001:2022 and ISO 27001:2013

In October 2022, the new and improved version of ISO/IEC 27001 was published together with the controls of Annex A, which serve as an implementation guide. The ISO 27001 Information Security Management System (ISMS) standard is published by ISO (the International Organization for Standardization); the standard can be purchased from iso.org. The ISO 27002 standard only provides guidance on how the Annex A controls should be implemented. It cannot be purchased separately from the ISO 27001 ISMS standard.

The paths to follow regarding the standard updates, depending on the organization's situation, are as follows:

For Organizations with ISO 27001 Certification:

The transition period to the new standard has been set to 2 years from the publication date of the ISO 27001 certification. Considering the changes made to the 27001 and 27002 standards, updates to risk processes, information security procedures, and the Statement of Applicability should be made.

For Organizations without ISO 27001 Certification:

In order to obtain the ISO 27001 certificate, it is appropriate to complete the necessary documentation and updates according to the revised standard. If the organization does not urgently need the ISO 27001 certification, creating the documents based on the revised standard and implementation guide from the start may be the most suitable approach.

The changes in the ISO 27001 Information Security standard are as follows:

  • The main sections of the standard (Sections 4 – 10) remain the same.
  • Annex A controls have been updated.
  • The number of controls has been reduced from 114 to 93.
  • Controls are now grouped under 4 main headings instead of the previous 14 (sections A.5 to A.18).
  • 11 new controls have been added.
  • No controls have been removed, and most of the controls have been consolidated under the same headings.

The fundamental changes in the updated ISO 27002:2022 standard are as follows. The 14 headings of the previous version have been rearranged into 4 main headings:

  • Organizational Controls
  • Human Controls
  • Physical Controls
  • Technological Controls


In addition to these 4 main headings, two annexes have been added.

Annex A – Usage Characteristics: Contains definitions of the attributes and usage recommendations of the controls. The definitions made in this section facilitate the management of controls and make it easy to map ISO 27001 to other widely accepted standards, frameworks, and good practices. The attributes defined for each control are:

  • Control Types: Preventive, Detective, Corrective
  • Information Security Characteristics: Confidentiality, Integrity, Availability
  • Cybersecurity Topics: Identification, Protection, Detection, Response, Recovery
  • Operational Capabilities: Communication, Asset Management, Information Protection, Human Resource Security, Physical Security, System and Network Security, Application Security, Secure Configuration, Identity and Access Management, Threat and Vulnerability Management, Continuity, Supply Chain Security, Legal and Compliance, Information Security Incident Management, Information Security Assurance
  • Security Domains: Communication and Ecosystem, Protection, Defense, Resilience

Annex B – Comparison with ISO 27002:2013: Provides the mapping between the controls of the old and new versions.

The 114 controls of the previous version have been reorganized into 93:

  • 37 Organizational, 34 Technological, 14 Physical, and 8 Human Controls have been defined.
  • No control has been removed.
  • Many of the controls carried out under the same processes have been grouped under the same headings.
  • 11 new control clauses have been added:
    1. Threat Intelligence/Cyber Intelligence
    2. Information Security for Cloud Services Usage
    3. Information and Communication Technology for Business Continuity
    4. Physical Security Monitoring
    5. Configuration Management
    6. Data Deletion
    7. Data Masking
    8. Data Loss Prevention
    9. Monitoring Activities
    10. Internet Filtering
    11. Secure Coding

Sources
https://www.iso.org/standard/82875.html
https://instant27001.com/products/iso-27001-27002-2021-/