List of changes between the ISO 27001 2013 and 2022 versions

Hello again!
We know that, like us, you always want to stay at the forefront of knowledge. Below you can find the changes introduced in the new version of the standard:

  • Clauses 4 to 10 of the standard remain unchanged. These clauses represent the main part, and are as follows: Scope, Stakeholders, Context, Information Security Policy, Risk Management, Resources, Training and Awareness, Communications, Documentary Control, Monitoring and Measurement, Internal Audit, Senior Management Review and Corrective Actions.
  • Only the security controls listed in ISO 27001 Annex A and ISO 27002 will be updated. These changes seek to simplify the controls (there are now 93, previously 114). There are 11 new controls:
    • Information security for the use of cloud services.
    • Controls around threat intelligence.
    • ICT (Information and communication technology) assurance for business continuity.
    • Physical security monitoring.
    • Configuration management.
    • Information disposal.
    • Data masking.
    • Information leakage prevention.
    • Monitoring activities.
    • Web filtering.
    • Security encryption.
    The 31 controls that make up the difference have been integrated into other controls. The only control eliminated completely is "Removal of assets".
  • ISO 27002 includes adoption guidelines for the security controls; these, however, are not mandatory for the adoption of the standard.
  • The following terms have been removed or replaced: "Code of practice", "Control objectives". Other relevant terms are:
  • "Password control" has been replaced by "Identity and Authentication management"; this change is intended to recognize other methods of authentication.
  • "Mobile devices" has been replaced with the term "User endpoint devices"; this change is made to reflect the different devices that access the network.
  • Asset management: The 2013 standard required maintaining an inventory of assets related to information security. In the 2022 update the information itself is an asset. It is therefore necessary to create an inventory of information in order to consider security controls according to the different types of information.
  • Hashtags are included in the nomenclature of controls.
  • The controls will have attributes related to cybersecurity (Type of control, Classification, Concept of cybersecurity, security domains and operational skills).
  • If you already have the standard in its 2013 version, we suggest the following for adopting the update:
    • Update the risk treatment procedure with new controls.
    • Update the Statement of Applicability.
    • Adapt some sections of the policies and procedures.
Remember that you still have time. No need to rush. If you are about to recertify you can take the certification for the ISO standard in its 2013 version, and then calmly make the relevant changes to the update; a transition time of approximately 2 years is expected. If you have the time to wait, then you can afford to take it easy.
We hope this information helps satiate your desire to know!
But we are not selfish: if you require more information, you can check out the following links: