
On 25 October 2022, the long-awaited update to ISO/IEC 27001, the international standard for information security management systems, was published. ISO standards are reviewed periodically so that they keep pace with a rapidly changing reality and the needs of the organisations operating within it. The update to ISO 27001 was particularly important because the standard is so closely tied to the fast-moving digital technology sector: digital technologies are now the principal means of processing and protecting information, and their rapid evolution constantly raises new security challenges. What has changed in ISO/IEC 27001:2022 compared with the 2013 edition? How should you update your information security management system?

The ISO 27001 standard enables the creation of an effective information security management system (ISMS) to protect assets such as know-how, customer data, the content of contracts with contractors, new project plans and so on. ISO 27001 addresses physical security, but above all security from an ICT perspective. A well-run ISMS also streamlines the organisation of work and increases the company's efficiency. ISO 27001:2022 certification, meanwhile, helps keep the ISMS in good working order through regular external audit, and serves as an important credential in business relations: it enhances the company's credibility and its competitive position in the market.
ISO/IEC 27001:2022 contains the requirements that must be met to establish an ISMS compliant with the international standard, and to operate, monitor and improve it. The requirements of ISO 27001 are deliberately general, so that they can be applied to any organisation. The standard is complemented by ISO/IEC 27002:2022, which covers the same set of controls that are listed in Annex A of ISO/IEC 27001:2022. Annex A gives only the control titles and statements; ISO 27002 adds the purpose of each control and practical implementation guidance. This guidance enables the controls to be adapted to the specific context of a given organisation.
In February 2022, the International Organization for Standardization published the revised ISO/IEC 27002, which made an update of ISO 27001 necessary to keep these closely related standards consistent. The changes in ISO/IEC 27001:2022 compared with the 2013 version therefore mainly concern Annex A.
The core content of ISO 27001:2022 has changed only slightly compared with its predecessor. The title of the standard has been reworded: the phrase 'Information technology – Security techniques' has been replaced by 'Information security, cybersecurity and privacy protection', signalling a broader focus on these topics. Clauses 4 to 10 have undergone minor modifications, with new content added in several places (for example, an explicit requirement to plan changes to the ISMS and to monitor progress against information security objectives). Some terminology has also been simplified and aligned with other ISO management system standards. These differences between the 2013 edition and ISO 27001:2022 do not have a significant impact on the day-to-day operation of the ISMS.
The significant changes are in Annex A of ISO/IEC 27001:2022. The list of controls has been restructured and expanded. Instead of 114 controls there are now 93, but this does not mean that controls have been removed: no 2013 control has been dropped. Instead, 11 new controls have been added, reflecting cloud services, data protection and threat detection, namely:
- Threat intelligence
- Information security for use of cloud services
- ICT readiness for business continuity
- Physical security monitoring
- Configuration management
- Information deletion
- Data masking
- Data leakage prevention
- Monitoring activities
- Web filtering
- Secure coding
The total number of controls has decreased because a number of 2013 controls have been merged into single controls; others have been reworded. In place of the 14 domains of the 2013 edition, all controls are now divided into four groups:
- Organisational controls (37)
- People controls (8)
- Physical controls (14)
- Technological controls (34)
The new structure of Annex A of ISO 27001:2022 is intended to make it easier for organisations to implement and use information security controls effectively. The update also reflects current legal requirements (for example, the GDPR) and the changes in information technology that have taken place in recent years.
Although the changes in ISO/IEC 27001:2022 mainly concern the terminology and structure of the document, in practice they may affect operational procedures relating to information security and crisis management. Every organisation that currently holds an ISO 27001:2013 certificate must therefore review its ISMS against the new edition.
As with any revision of an ISO management system standard, organisations have a three-year transition period (until 31 October 2025) to adapt their management systems to the new edition. Note that certificates issued against the 2013 edition cease to be valid at the end of that period regardless of the expiry date printed on them, so the transition must be completed at a surveillance or recertification audit before then. Since ISO 27001 certification must be renewed every three years in any case, there is usually no need to obtain an ISO 27001:2022 certificate ahead of schedule. It is nevertheless worth updating the ISMS now, so that the organisation draws consistently on current good practice in information security and is thoroughly prepared for its ISO 27001:2022 audit.
Those responsible for maintaining the ISMS should familiarise themselves with the new structure and the expanded list of controls in the revised ISO 27001, and then identify any gaps in the existing system. This gap analysis will show to what extent the new elements of the standard can assist in managing information security within the organisation. The changes to the Annex A controls must be reflected in the ISMS documentation: in particular, the Statement of Applicability must be re-issued against the new Annex A control set and numbering, and the risk treatment plan mapped to it. In most cases, this involves adding descriptions of new procedures alongside the existing ones rather than rewriting them.
Organisations that have not previously followed the standard can now develop their ISMS directly against ISO/IEC 27001:2022, with a view to a certification audit by an accredited certification body, and apply for ISO 27001:2022 certification.