2022 ISO 27001 changes

2022 ISO 27001 Updates: Everything You Need To Know

Wesley Van Zyl

Senior Compliance Success Manager


ISO 27001 is a globally-recognized compliance certification and while you may know what ISO 27001 is all about, things are changing with the rapidly growing cyber world. So read on to make sure you’re on top of all the latest updates.

What is ISO 27001 certification?

ISO 27001 certification is an international standard on how to manage information security. This standard helps organizations protect the confidentiality, integrity, and availability of data. ISO 27001 is the only auditable international standard that defines the requirements of an information security management system (ISMS). 

ISO 27001 compliance includes specific security controls that organizations need to follow and are listed in Annex A. To understand the details of these controls and how they could be implemented, you need to consult ISO 27002, which serves as a guidance document of the ISO 27001 security controls.

It may also be helpful to read our blog detailing ISO 27001 vs SOC 2 and peruse our glossary, specifically the ISO 27001 glossary section.

Understanding ISO 27001 compliance in 2022

The 2022 updates apply to the security controls of ISO 27002 and therefore, Annex A of ISO 27001 will be updated accordingly.

Interestingly enough, ISO 27001 was last updated almost a decade ago and therefore, close attention needs to be paid to these changes and what they mean for organizations.

You may ask why ISO 27001 has now been updated. Simply put, it is time. Information security in 2022 is rather different from information security a decade ago. The cyber landscape has evolved significantly and become a lot more complex with more innovative technologies, online businesses and cloud operations.

ISO 27002 was officially updated on February 15, 2022, and updates in ISO 27001 Annex A will take place during 2022, however the date is not announced yet.

So, what are the changes to the ISO 27001 framework?

Changes to the ISO 27001 framework

Even though only Annex A has been changed, this makes up a significant amount of ISO 27001 implementation.

Update 1 

The previous version of Annex A contained 114 controls across 14 families, while the new version contains 93 controls across 4 families (People, Organizational, Technological and Physical). The decrease in the number of controls is due to many controls being merged.

However, 11 new ISO 27001 controls have been added to Annex A:

  • Threat intelligence
  • Information security for the use of cloud services
  • ICT readiness for business continuity
  • Physical security monitoring
  • Configuration management
  • Information deletion
  • Data masking
  • Data leakage prevention
  • Monitoring activities
  • Web filtering
  • Secure coding

Update 2

The previous version only required policies, while the new version requires documented operating procedures.

Procedures lay out the operational steps you will take to pursue the policies, which are the high-level parameters of your information security management system. 

Update 3

In the new version, the security controls are organized by 5 attributes:

  • Control type
  • Cybersecurity concept
  • Information security properties
  • Operational capabilities
  • Security domains

These attributes help businesses prioritize certain controls that are relevant to their specific business operations and main concerns.

In summary, the ISO 27001 2022 updates makes the documentation and guidelines more hefty, as well as adds additional responsibilities but it also provides more clear and detailed explanations of each control.

Should organizations planning to undergo ISO 27001 certification process, wait until the new version is published?

ISO 27001 certification process

If existing customers or prospects are requesting your ISO 27001 certification, then you should start as soon as possible in accordance with ISO 27001: 2013. However,  the decision should have nothing to do with the updated version, as it depends on how quickly you need the ISO 27001 report. Waiting until the new version of ISO 27001 is published will most likely leave your organization at greater risk.

In addition, for ISO 27001 first-timers, it is strongly recommended that these organizations utilize compliance automation tools in order to benefit from automated evidence collection, and the increased efficiency that it provides.

How do the changes affect your organization?

If your organization is already ISO 27001 compliant, it is important to note that no changes in technology are needed, only changes in the documentation. So when does the documentation need to be changed? The transition period for these relevant changes is not published yet, but it will most likely be 2 years from the date of the official ISO 27001:2022 update. Therefore, your organization will have more than enough time to comply.

Your ISO 27001 audit report will remain valid and no additional training will be needed. The certification body will ensure that you have adapted the documentation within the transition period. And therefore, no new audits need to be scheduled, as this will take place during your regular surveillance audits. However, when you renew your certification during the transition period, you could work against the new control set in order to not leave it for the last minute.
You can read about Scytale’s ISO 27001 certification and what this means for us and our customers. Also, take a look at how Scytale’s compliance automation platform can change the game for your ISO 27001 compliance process.

Share this article

A CTO’s Roadmap to Security Compliance: Your Go-To Handbook for Attaining SOC 2 and ISO 27001

Security Compliance for CTOs