Value-added business processes are driven by information and data. Without information exchange, nothing works in our digital economy. Our basic services are based on critical infrastructures whose functionality is highly dependent on the exchange of information and data. Information security extends far into the reality of our work and lives. Protecting information-driven daily operations, critical data and intellectual property from cyber threats is therefore imperative for businesses of all sizes. In this age of industrialized cyberattacks, adapting to ever-changing information security risks requires a timely and flexible approach to building enterprise resilience.

And this is exactly where the new ISO/IEC 27001:2022 comes in with its focus on process orientation in information security management. For more than two decades, the ISO 27001 standard has been an established, but aging, basis for information security management systems. And despite its age, according to the ISO Survey, the standard was able to grow with an increase of 32% in certificates in the past year 2021. Against the backdrop of growing demand for a contemporary information security assessment framework, the new ISO/IEC 27001:2022 was published on October 25, 2022.  We will continue to add information about the changes as it comes available.


Overview of the new features of ISO 27001:2022

ISO 27001 describes the framework for an information security management system (ISMS for short) - and that for companies regardless of organizational structure, size or orientation. The linchpin here is risk management. Changing cyber threats are constantly exploiting new potential vulnerabilities in companies with the aim of attacking and compromising information flows and thus business processes. The risks arising from this mechanism on the three essential protection goals of information security - confidentiality, integrity and availability - must be identified and managed.

The update to ISO/IEC 27001:2022 addresses best practices for managing these information security risks. The list of possible information security controls in the normative Annex A of the new ISO/IEC 27001:2022 is identically derived from the revised ISO/IEC 27002:2022 guidance. The implementation guidance was already adopted in February of this year with a simpler taxonomy and contemporary security controls. With the new ISO/IEC 27001:2022 now published, the successful ISO standard tandem 27001/27002 with its valuable recommended measures is once again state of the art.

ISO/IEC 27001:2022-10 - Information security, cybersecurity and privacy protection - Information security management systems - Requirements
The standard is available in English on the ISO homepage.

Another significant change in the new ISO/IEC 27001:2022 is that, with adaptation to the so-called Harmonized Structure, the long overdue requirement for process orientation is placed in the focus of an effective ISMS. The basis of effective management systems are clear processes and their interactions as well as target-oriented criteria for these processes for their control.

In the following, we will take a closer look at the three change areas of the new version of ISO 27001.

High Level Structure becomes Harmonized Structure

As of May 2021, the previous High Level Structure (HLS) is being succeeded by the Harmonized Structure (HS). The HS is the basic structure and template for the development of new and future revisions of existing ISO management system standards. ISO/IEC 27001:2022 is one of the first management system standards to be adapted to the HS. Various clarifications, additions, but also deletions in the HS compared to the HLS are rather interesting for users who are familiar with the standard.

For ISO/IEC 27001:2022, however, a significant derivation from the HS is directly visible. In future, Clause 6.3 will require changes to the ISMS to be implemented in a planned manner. This requirement is familiar from other management systems and expresses the expectation that an ISMS-related change process has been mastered. For example, the transition from the previous ISO/IEC 27001:2013 to the new ISO/IEC 27001:2022 can be understood as a change to the ISMS that should be implemented in a planned manner with all its effects and interactions.

ISO 27001 - Information Security Management System

Holistic management system according to ISO standard ★ Effective implementation of a risk management process ★ Continuous improvement of the security level

More information about ISO 27001

Normative changes in ISO/IEC 27001:2022

A very significant change adds to the context of the organization in Clause 4.4 with the requirement to identify necessary processes and their interactions within the ISMS that are required for its implementation and maintenance. This explicit requirement brings ISO/IEC 27001:2022 in line with the best practice approach of other management systems according to HS (HLS). The information security management system must be based on established, traceable processes and their interactions. The Annex A information security controls are then designed and adapted around these processes.

The next relevant change in Clause 8.1 also emphasizes the importance of process orientation, which is common to all HS-based management systems. Organizations must realize processes as part of their operational planning and control to implement the measures to manage information security risks. What is new is that process criteria must now be defined. Process control must be implemented in accordance with these criteria.

Further, rather minor clarifications and specifications have been made in the following clauses:

  • Clause 5.3 is supplemented by the explicit requirement that the responsibilities and authorities for roles related to information security are made known within the organization.
  • Clause 7.4 regulates the need for internal and external communication regarding the ISMS. In addition to the still applicable provisions on what about, when, and with whom, the how of communication is a workable simplification from previous requirements.
  • Clause 9.2 Internal Audit and 9.3 Management Review have been adapted to the Harmonized Structure. Clause 9.2 is now subdivided into 9.2.1 and 9.2.2, Clause 9.3 is divided into three subdivisions 9.3.1, 9.3.2 and 9.3.3.
  • The order in which Clause 10.1 and Clause 10.2 are structured has been adapted to the Harmonized Structure. The aspect of prospective continuous improvement now precedes the retrospective handling of nonconformities and corrective actions in Clause10.2 in Clause 10.1 without any further changes in content. This adjustment emphasizes the importance of the continuous improvement process (CIP).

The key and unambiguous requirements in ISO/IEC 27001 that reference the set of controls in Annex A are, according to Clause 6.1.3 c), the comparison process between the organization-specific information security controls with those in Annex A and, according to Clause 6.1.3 d), the preparation of a Statement of Applicability (SoA). These core requirements remain unchanged!

The explanations in the informative (non-normative) notes to Clause 6.1.3 c) with the reference to Annex A as a list of possible information security controls indicate the possibility of selecting additional measures from further sources supplementary to Annex A.

The new Annex A of ISO/IEC 27001:2022

The list of possible information security (IS) controls in the normative Annex A of ISO/IEC 27001:2022 is derived identically from ISO/IEC 27002:2022. The catalog of general security controls was published in February 2022. Therefore, the changes to Annex A of ISO/IEC 27001:2022 have been foreseeable for some time. Previously, Annex A included a total of 114 controls that could be used to address information security risks under 35 control objectives organized into 14 clauses.

Apart from the fact that the new ISO/IEC 27001:2022 eliminates the control objectives, the information security controls in Annex A have been revised, brought up to date, and supplemented and reorganized with some new controls.

The former 14 clauses of Annex A are now focused on the 4 following topics:

A.5 Organizational controls (with 37 controls).

A.6 Personal controls (with 8 controls)

A.7 Physical controls (with 14 controls )

A.8 Technical controls (with 34 controls)

Annex A of the new ISO/IEC 27001:2022 version now includes a total of 93 controls, of which the following 11 controls are new:

A.5.7 Threat Intelligence

A.5.23 Information security for the use of cloud services

A.5.30 ICT readiness for business continuity

A.7.4 Physical security monitoring

A.8.9 Configuration management

A.8.10 Deletion of information

A.8.11 Data masking

A.8.12 Data leak prevention

A.8.16 Activity monitoring

A.8.23 Web filtering

A.8.28 Secure coding

While Annex A of ISO/IEC 27001:2022 is limited to naming the controls, the ISO/IEC 27002:2022 implementation guide provides further options for categorizing them. There, each control is assigned five attributes that allow different views and perspectives on them. The attributes or their attribute values can be used to filter, sort, or display for different organizational views.

The five attributes are:

Control Type is an attribute for the view of the controls from the perspective of when and how a measure changes the risk related to the occurrence of an information security incident.

Information security properties is an attribute for viewing controls from the perspective of what protection goal the measure is intended to support.

Cybersecurity Concepts looks at controls from the perspective of how they map to the cybersecurity framework described in ISO/IEC TS 27110.

Operational Capability considers controls from the perspective of their operational information security capabilities and supports a practical user view of the measures.

Security domains is an attribute that allows controls to be viewed from the perspective of four information security domains.

What does the update mean for your certification?

The new and improved version of ISO/IEC 27001 was published on October 25, 2022. This results in the following transition timeframes and deadlines for standard users:

  • Certification readiness according to ISO/IEC 27001:2022
    -> probably from February - April 2023
    (depending on the German Accreditation Body DAkkS)
  • Last date for initial/re-certification audits according to former ISO 27001:2013
    -> 18 months after publication of new ISO/IEC 27001:2022
  • Transition of all existing certificates to the new ISO/IEC 27001:2022
    -> 3 years, related to last day of issue month of
    ISO/IEC 27001:2022 (October 2025)

The deadlines for the transition are ISO standard.

ISO 27001 - Information Security Management System

Holistic management system according to ISO standard ★ Effective implementation of a risk management process ★ Continuous improvement of the security level

More information about ISO 27001

The new ISO/IEC 27001:2022 - Conclusion

The new ISO/IEC 27001:2022 is available. This marks the beginning of the 3-year transition period.

In summary, the main innovations are the following:

  • Conformity of the management system with the Harmonized Structure.
  • Emphasis on process orientation, its interactions and criteria.
  • Simplified and streamlined categorization of controls into thematic blocks.
  • Contemporary measures aligned with current organizational methods and associated threats.
  • Attributes for aligning controls with various risk management methodologies, including global cybersecurity frameworks.
gerber-hermsdorf-werner-korall-audit dqs

Do you have any questions?

Contact us!

No obligation and free of charge.

Trust and expertise

Our texts and brochures are written exclusively by our standards experts or long-standing auditors. If you have any questions about the text content or our services to our author, please feel free to send us an e-mail.

Markus Jegelka

The graduate engineer works for DQS as an expert and auditor for information security in the product management and accreditation department. He looks back on more than three decades of experience, first as an expert for radiation protection of nuclear facilities and then as an auditor and deputy certification body manager for ISMS. In this function, he demonstrated his information security expertise (ISO/IEC 27001, IT security catalog according to para 11.1a of the German Energy Industry Act (EnWG) both to the German accreditation body DAkkS and in many customer audits.