Updates to the ISO/IEC 27001 Standard and Controls and How to Transition


The latest revision of the International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27001 Information Security Management System (ISMS) standard was released on October 25, 2022, and represents the first time since 2013 that this standard was revised.

The proliferation and adoption of cloud computing, changes in the threat landscape, and increasing international legislative and regulatory requirements on the protection of personally identifiable information (PII) prompted the need for the ISO/IEC to update the ISO/IEC 27001 standard.

Many of the changes to the ISO/IEC 27001 standard focus on reducing redundancy among controls and simplifying the categorization and structure of Annex A. However, there are new requirements that organizations need to think through and implement to obtain conformance with the new standard.

Following is a summary of those changes, key dates, and tips for transitioning to the new standard.

  • Updates to mandatory clauses
  • Changes to Annex A
  • Transition timeline
  • Key considerations for ISO/IEC 27001:2022 transition

Updates to Mandatory Clauses

The 2022 revision of the standard made minor changes to the mandatory clauses. No requirements were removed from the 2013 version, but the language of several requirements was clarified and a subclause was added.

Updated Requirements and Criteria for Mandatory Clauses

Changes to Annex A

ISO/IEC 27001:2022 Annex A has been restructured. The total number of controls has decreased from 114 to 93. Eleven controls are new, 24 controls were merged from existing controls, and 58 controls were updated.

New Organization of Annex A

The previous 14 domains of Annex A have been restructured into four sections of controls:

  • Organizational
  • People
  • Physical
  • Technological


Number of controls in sections 5–8, and how many are new.

The biggest revision to the standard is the introduction of 11 new controls. The new Annex A controls are listed below by section.

Section 5: Organizational

  • 5.7 Threat intelligence
  • 5.23 Information security for use of cloud services
  • 5.30 Information and communication technology readiness for business continuity

Section 7: Physical

  • 7.4 Physical security monitoring

Section 8: Technological

  • 8.9 Configuration management
  • 8.10 Information deletion
  • 8.11 Data masking
  • 8.12 Data leakage prevention
  • 8.16 Monitoring activities
  • 8.23 Web filtering
  • 8.28 Secure coding
Transition Timeline

Certification deadlines for recertification and new certification applicants.

Key Considerations for ISO/IEC 27001:2022 Transition

Gap Assessment

An organization should identify gaps in its ISMS to reach conformance with the new standard. A gap assessment can help determine what the organization has in place and the new areas that need to be addressed. Gap assessments should:

  • Compare new and modified mandatory clauses and Annex A controls
  • Review ISMS documentation to understand the current structure and to assess gaps to conformance to the new standard
  • Focus on areas where an organization needs to implement new ISMS policies, processes, and controls, as well as updates to existing requirements

Implementation

Once an organization has identified its gaps, the next step is to implement any additional requirements, processes, and technical controls.

  • Identify areas to realign your organization’s ISMS documentation with the updated standard, including process enhancements and the implementation of new administrative, physical, and technical controls
  • Develop a roadmap that aligns to the transition timeline, using a prioritized approach that accounts for the time needed to implement and integrate new requirements
  • Update your risk assessment and assess your residual risk post-implementation of new and updated policies, processes, and controls
  • Schedule your internal audit and management review

We’re Here to Help

For guidance conducting a gap assessment or transitioning to the ISO/IEC 27001:2022 standard, contact your Moss Adams Certifications professional.
