ISO 27001:2013 vs. ISO 27001:2022


ISO 27001 stands as a globally recognized standard for Information Security Management Systems (ISMS), systematically safeguarding vital company data. It furnishes a thorough blueprint for establishing, executing, sustaining, and refining an ISMS, centering on the assessment and control of information security risks customized to the organization’s unique requirements. Over time, the ISO 27001 standard undergoes periodic updates to adapt to evolving information security risks, technological progressions, and shifts in regulatory landscapes.


The transition from ISO 27001:2013 to ISO 27001:2022 marks a significant advancement in the standard’s approach to addressing the intricacies of information security in today’s digital milieu. While the 2013 iteration laid the groundwork for best practices in information security management, the latest 2022 revision builds upon these foundations with updated directives that confront current and emerging threats in the field.

Difference between ISO 27001:2022 and ISO 27001:2013:

Let’s compare ISO 27001:2013 with ISO 27001:2022 to see what’s changed in the standard, based on the clauses.

| Clause (4-10) | ISO 27001:2013 | ISO 27001:2022 |
|---|---|---|
| 4.2 Understanding the Needs and Expectations of Interested Parties | Did not explicitly require an analysis of interested parties’ requirements to be addressed through the ISMS. | Introduced a new item (c) mandating an analysis to determine which requirements arising from interested parties’ needs and expectations are to be managed through the ISMS. |
| 4.4 Information Security Management System | Less specific language around the identification of necessary processes within the ISMS. | A new phrase was added that requires organizations to identify relevant processes and their interactions within the ISMS, emphasizing a more comprehensive approach. |
| 5.3 Organizational Roles, Responsibilities, and Authorities | Contained general instructions on communicating roles related to information security. | A minor phrase was updated to clarify the communication of roles relevant to information security within the organization. |
| 6.2 Information Security Objectives and Planning to Achieve Them | Provided general guidance on setting information security objectives. | Additional guidance (d and e) on the information security objectives was introduced, including the need for regular monitoring and formal documentation. |
| 6.3 Planning of Changes | | A new sub-clause was added, which sets a standard for planning changes to the ISMS, ensuring changes are controlled. |
| 7.4 Communication | Included detailed instructions for communication (items a-c), with separate points (d and e) for who should communicate and how. | Items a-c remain the same; the items related to communication (previously d and e) were simplified and combined into a new, streamlined item (d) focusing on how to communicate. |
| 8.1 Operational Planning and Control | Offered basic guidance on operational planning and control. | New guidance was added to establish criteria for operational actions identified in Clause 6 and control those actions according to the criteria. |
| 9.2 Internal Audit | Separate sections for Clause 9.2.1 and 9.2.2. | The clause was revised to consolidate the previous subclauses (9.2.1 and 9.2.2) into a single section without materially changing its content. |
| 9.3 Management Review | No explicit mention of considering changes to the needs and expectations of interested parties. | A new item (9.3.2 c) was added, requiring the management review to consider changes to interested parties’ needs and expectations. |
| 10 Improvement | Structure did not prioritize Continual Improvement. | Reorganized subclauses to prioritize Continual Improvement (10.1) before Nonconformity and Corrective Action (10.2), emphasizing the importance of ongoing improvement in the ISMS. |


Updated Controls in Annex A Structure

The transition from ISO 27001:2013 to ISO 27001:2022 brings about a modernization and simplification of the framework, adapting it to present information security risks and technologies by reorganizing the controls. The annex’s title has been changed to “Information security controls reference” from its previous name, “Reference control objectives and controls.”

| Aspect | ISO 27001:2013 | ISO 27001:2022 |
|---|---|---|
| Control Domains/Themes | 14 domains | 4 categories |
| Total Number of Controls | 114 controls (across 14 domains) | 93 controls (across 4 categories), reduced from 114 overall |
| New Controls Introduced | | Introduction of 11 new controls |
| Controls Merged | | Consolidation of 57 controls into fewer overarching controls |
| Controls Renamed | | Renaming of 23 controls for clarity or relevance |
| Controls Removed | | Elimination of 3 controls deemed no longer necessary |

Reorganization of Controls

ISO 27001:2013:

1. Information security policies
2. Organization of information security
3. Human resource security
4. Asset management
5. Access control
6. Cryptography
7. Physical and environmental security
8. Operations security
9. Communications security
10. System acquisition, development, and maintenance
11. Supplier relationships
12. Information security incident management
13. Information security aspects of business continuity management
14. Compliance

ISO 27001:2022:

1. A.5 Organizational controls (37 controls)
2. A.6 People controls (8 controls)
3. A.7 Physical controls (14 controls)
4. A.8 Technological controls (34 controls)


Updated Controls in ISO 27001:2022 Annex A

The ISO 27001:2022 version introduces 11 new controls within Annex A.

  1. 5.7 Threat Intelligence: This control requires organizations to collect and analyze threat-related information to manage and reduce risks proactively.
  2. 5.23 Information Security for Use of Cloud Services: This control highlights the importance of securing cloud-based environments, mandating organizations to define security standards for cloud services, including specific processes and procedures tailored for cloud usage.
  3. 5.30 ICT Readiness for Business Continuity: This control requires organizations to guarantee the resilience and recoverability of information and communication technologies when disruptions occur.
  4. 7.4 Physical Security Monitoring: This control mandates the surveillance of critical physical locations like data centers and production sites to ensure access is restricted to authorized personnel, enhancing breach awareness.
  5. 8.9 Configuration Management: This control obliges organizations to oversee the configuration of their technological assets to safeguard against unauthorized modifications and maintain security.
  6. 8.10 Information Deletion: This control involves systematically deleting obsolete data to prevent unauthorized disclosure and comply with data privacy regulations.
  7. 8.11 Data Masking: This control directs organizations to obscure sensitive data, aligning with access control policies to shield confidential information from unauthorized viewers.
  8. 8.12 Data Leakage Prevention: This control requires implementing security measures to avert unauthorized exposure and leakage of sensitive data across systems, networks, and devices.
  9. 8.16 Monitoring Activities: This control requires the continuous surveillance of systems for anomalous behavior, coupled with the execution of effective incident response strategies.
  10. 8.23 Web Filtering: This control mandates the regulation of internet access within an organization to protect against digital threats and ensure the security of IT infrastructures.
  11. 8.28 Secure Coding: This control mandates the incorporation of secure coding practices throughout the software development lifecycle to reduce vulnerabilities and improve the security of applications.


ISO 27001:2022 Transition Guidelines

  • Organizations currently holding an ISO 27001:2013 certification are required to undergo transition within a 36-month period. Throughout this transition period, their existing ISO 27001:2013 certificates will remain valid. Subsequently, ISO 27001:2022 certificates will be issued in accordance with the standard 3-year re-certification cycle.
  • Transition audits to ISO 27001:2022 can be conducted through various means, including surveillance audits, recertification audits, or special audits. Notably, initial certification does not necessitate a transition audit.
  • Transition audits must comprehensively address several factors, such as conducting a gap analysis against ISO 27001:2013, implementing any required changes to the auditee’s Information Security Management System (ISMS), updating the Statement of Applicability (SoA), and revising the risk treatment plan as needed. For a detailed breakdown of the transition requirements, please refer to the provided

How Ana-Data Can Assist You

Whether you’re currently certified to ISO/IEC 27001 or new to the standard, Ana-Data offers a comprehensive range of services to guide you towards successful certification.

Our services encompass:

Conducting ISO 27001 gap assessments and providing remediation support to prepare you for the certification audit. We cover all facets of remediation activities needed, from designing processes and architecture to implementing solutions, developing documentation, and offering project and program management. Additionally, we provide subject matter expert support in specific areas.

Performing ISO 27001 internal audits as mandated by clause 9.2 of the standard.

Equipping your team with the necessary knowledge and providing support throughout the certification process.

Let Ana-Data be your partner in achieving ISO 27001 certification excellence.