Value-added business processes are driven by information and data. Without information exchange, nothing works in our digital economy. Our basic services are based on critical infrastructures whose functionality is highly dependent on the exchange of information and data. Information security extends far into the reality of our work and lives. Protecting information-driven daily operations, critical data and intellectual property from cyber threats is therefore imperative for businesses of all sizes. In this age of industrialized cyberattacks, adapting to ever-changing information security risks requires a timely and flexible approach to building enterprise resilience.

And this is exactly where the new ISO/IEC 27001:2022 comes in with its focus on process orientation in information security management. For more than two decades, the ISO 27001 standard has been an established, but aging, basis for information security management systems. And despite its age, according to the ISO Survey, the standard was able to grow with an increase of 32% in certificates in the past year 2021. Against the backdrop of growing demand for a contemporary information security assessment framework, the new ISO/IEC 27001:2022 was published on October 25, 2022. What's in store?


Overview of the new features of ISO 27001:2022

ISO 27001 describes the framework for an information security management system (ISMS for short) - and that for companies regardless of organizational structure, size or orientation. The linchpin here is risk management. Changing cyber threats are constantly exploiting new potential vulnerabilities in companies with the aim of attacking and compromising information flows and thus business processes. The risks arising from this mechanism on the three essential protection goals of information security - confidentiality, integrity and availability - must be identified and managed.

The update to ISO/IEC 27001:2022 addresses best practices for managing these information security risks. The list of possible information security controls in the normative Annex A of the new ISO/IEC 27001:2022 is identically derived from the revised ISO/IEC 27002:2022 guidance. The implementation guidance was already adopted in February of this year with a simpler taxonomy and contemporary security controls. With the new ISO/IEC 27001:2022 now published, the successful ISO standard tandem 27001/27002 with its valuable recommended measures is once again state of the art.

ISO/IEC 27001:2022-10 - Information security, cybersecurity and privacy protection - Information security management systems - Requirements
The standard is available in English on the ISO homepage.

Another significant change in the new ISO/IEC 27001:2022 is that, with adaptation to the so-called Harmonized Structure, the long overdue requirement for process orientation is placed in the focus of an effective ISMS. The basis of effective management systems are clear processes and their interactions as well as target-oriented criteria for these processes for their control.

In the following, we will take a closer look at the three change areas of the new version of ISO 27001.

High Level Structure becomes Harmonized Structure

As of May 2021, the previous High Level Structure (HLS) is being succeeded by the Harmonized Structure (HS). The HS is the basic structure and template for the development of new and future revisions of existing ISO management system standards. ISO/IEC 27001:2022 is one of the first management system standards to be adapted to the HS. Various clarifications, additions, but also deletions in the HS compared to the HLS are rather interesting for users who are familiar with the standard.

For ISO/IEC 27001:2022, however, a significant derivation from the HS is directly visible. In future, Clause 6.3 will require changes to the ISMS to be implemented in a planned manner. This requirement is familiar from other management systems and expresses the expectation that an ISMS-related change process has been mastered. For example, the transition from the previous ISO/IEC 27001:2013 to the new ISO/IEC 27001:2022 can be understood as a change to the ISMS that should be implemented in a planned manner with all its effects and interactions.

ISO 27001 - Information Security Management System

Holistic management system according to ISO standard ★ Effective implementation of a risk management process ★ Continuous improvement of the security level

More information about ISO 27001

Normative changes in ISO/IEC 27001:2022

A very significant change adds to the context of the organization in Clause 4.4 with the requirement to identify necessary processes and their interactions within the ISMS that are required for its implementation and maintenance. This explicit requirement brings ISO/IEC 27001:2022 in line with the best practice approach of other management systems according to HS (HLS). The information security management system must be based on established, traceable processes and their interactions. The Annex A information security controls are then designed and adapted around these processes.

The next relevant change in Clause 8.1 also emphasizes the importance of process orientation, which is common to all HS-based management systems. Organizations must realize processes as part of their operational planning and control to implement the measures to manage information security risks. What is new is that process criteria must now be defined. Process control must be implemented in accordance with these criteria.

Further, rather minor clarifications and specifications have been made in the following clauses:

  • Clause 5.3 is supplemented by the explicit requirement that the responsibilities and authorities for roles related to information security are made known within the organization.
  • Clause 7.4 regulates the need for internal and external communication regarding the ISMS. In addition to the still applicable provisions on what about, when, and with whom, the how of communication is a workable simplification from previous requirements.
  • Clause 9.2 Internal Audit and 9.3 Management Review have been adapted to the Harmonized Structure. Clause 9.2 is now subdivided into 9.2.1 and 9.2.2, Clause 9.3 is divided into three subdivisions 9.3.1, 9.3.2 and 9.3.3.
  • The order in which Clause 10.1 and Clause 10.2 are structured has been adapted to the Harmonized Structure. The aspect of prospective continuous improvement now precedes the retrospective handling of nonconformities and corrective actions in Clause10.2 in Clause 10.1 without any further changes in content. This adjustment emphasizes the importance of the continuous improvement process (CIP).

Another clarification relates to the selection of information security risk handling measures Clause 6.1.3 c). These are to be defined taking into account the results of the risk assessment and compared with the controls Appendix A. The approach remains unchanged. However, the explanatory note in the previous ISO 27001 referred to Annex A with the rather obsessive requirement that it contain a comprehensive list of control objectives and controls.

In the new ISO/IEC 27001:2022, this reference to Annex A can be understood as a list of possible information security controls that is more open and thus more flexibly applicable.

In a nutshell, Annex A of ISO/IEC 27001:2022 is still to be considered as a whole as part of the mandatory requirement in Clause 6.1.3 c), but the set of individual information security measures contained therein can be more flexibly selected, designed and extended by the user. The new version of ISO/IEC 27001 emphasizes here the opening of the management system framework for organization-specific sets of controls.

The new Annex A of ISO/IEC 27001:2022

The list of possible information security (IS) controls in the normative Annex A of ISO/IEC 27001:2022 is derived identically from ISO/IEC 27002:2022. The catalog of general security controls was published in February 2022. Therefore, the changes to Annex A of ISO/IEC 27001:2022 have been foreseeable for some time. Previously, Annex A included a total of 114 controls that could be used to address information security risks under 35 control objectives organized into 14 clauses.

Apart from the fact that the new ISO/IEC 27001:2022 eliminates the control objectives, the information security controls in Annex A have been revised, brought up to date, and supplemented and reorganized with some new controls.

The former 14 clauses of Annex A are now focused on the 4 following topics:

A.5 Organizational controls (with 37 controls).

A.6 Personal controls (with 8 controls)

A.7 Physical controls (with 14 controls )

A.8 Technical controls (with 34 controls)

Annex A of the new ISO/IEC 27001:2022 version now includes a total of 93 controls, of which the following 11 controls are new:

A.5.7 Threat Intelligence

A.5.23 Information security for the use of cloud services

A.5.30 ICT readiness for business continuity

A.7.4 Physical security monitoring

A.8.9 Configuration management

A.8.10 Deletion of information

A.8.11 Data masking

A.8.12 Data leak prevention

A.8.16 Activity monitoring

A.8.23 Web filtering

A.8.28 Secure coding

While Annex A of ISO/IEC 27001:2022 is limited to naming the controls, the ISO/IEC 27002:2022 implementation guide provides further options for categorizing them. There, each control is assigned five attributes that allow different views and perspectives on them. The attributes or their attribute values can be used to filter, sort, or display for different organizational views.

The five attributes are:

Control Type is an attribute for the view of the controls from the perspective of when and how a measure changes the risk related to the occurrence of an information security incident.

Information security properties is an attribute for viewing controls from the perspective of what protection goal the measure is intended to support.

Cybersecurity Concepts looks at controls from the perspective of how they map to the cybersecurity framework described in ISO/IEC TS 27110.

Operational Capability considers controls from the perspective of their operational information security capabilities and supports a practical user view of the measures.

Security domains is an attribute that allows controls to be viewed from the perspective of four information security domains.

What does the update mean for your certification?

ISO/IEC 27001:2022 was published on October 25, 2022. This results in the following deadlines and timeframes for users to transition:

Certification readiness according to ISO/IEC 27001:202

  • From November 2023 at the latest (depending on the German Accreditation Body DAkkS)   

Last date for initial/re-certification audits according to the "old" ISO 27001:2013 

  • After April 30, 2024, DQS will conduct initial and recertification audits only according to the new standard ISO/IEC 27001:2022

Transition of all existing certificates according to the "old" ISO/IEC 27001:2013 to the new ISO/IEC 27001:2022 

  • There is a 3-year transition period starting from October 31, 2022 
  • Certificates issued according to ISO/IEC 27001:2013 or DIN EN ISO/IEC 27001:2017 are valid until October 31, 2025 at the latest, or have to be withdrawn on this date.

ISO 27001 - Information Security Management System

Holistic management system according to ISO standard ★ Effective implementation of a risk management process ★ Continuous improvement of the security level

More information about ISO 27001

The new ISO/IEC 27001:2022 - Conclusion

The new ISO/IEC 27001:2022 is available. This marks the beginning of the 3-year transition period.

In summary, the main innovations are the following:

  • Conformity of the management system with the Harmonized Structure.
  • Emphasis on process orientation, its interactions and criteria.
  • Simplified and streamlined categorization of controls into thematic blocks.
  • Contemporary measures aligned with current organizational methods and associated threats.
  • Attributes for aligning controls with various risk management methodologies, including global cybersecurity frameworks.
gerber-hermsdorf-werner-korall-audit dqs

Do you have any questions?

Contact us!

No obligation and free of charge.

Trust and expertise

Our texts and brochures are written exclusively by our standards experts or long-standing auditors. If you have any questions about the text content or our services to our author, please feel free to send us an e-mail.

Markus Jegelka

The graduate engineer works for DQS as an expert and auditor for information security in the product management and accreditation department. He looks back on more than three decades of experience, first as an expert for radiation protection of nuclear facilities and then as an auditor and deputy certification body manager for ISMS. In this function, he demonstrated his information security expertise (ISO/IEC 27001, IT security catalog according to para 11.1a of the German Energy Industry Act (EnWG) both to the German accreditation body DAkkS and in many customer audits.