ISO 27001 2013 vs 2022 Revision

Data is considered one of the most important assets today. Technology has rapidly changed the way people work over the past decades. People and organizations depend heavily on information services and systems, which increases their exposure to security threats. Data security matters in almost all businesses, particularly those that handle sensitive and confidential data. ISO 27001 not only secures businesses against hackers but also protects reputations.

ISO 27001: Information and Data Security

The very first version of ISO 27001, under the name BS 7799-2, was published in 1999. Since then, it has undergone several changes.

ISO 27001 sets out the requirements for information security management systems. It falls under the ISO 27000 umbrella, which covers standards on information and cyber security, and recommends a set of controls based on the best practices available for data security. As with other management standards, it is appropriate for organizations of different kinds and sizes.

Benefits of having ISO 27001

Organizations holding different kinds of data can be a target of misuse, fraud, and theft, which might negatively affect their reputations. If an organization's systems are found lacking in data security, this can lead to prosecution. ISO 27001 can help businesses by giving clients the confidence to trust them with securing their personal and other data. It can also show compliance with regulations and requirements on privacy, IT governance, and data security, and most importantly show corporate due diligence.

As with the other management standards, ISO 27001 is not a one-time practice. Regular audits ensure that businesses continue to comply with their obligations on data security. ISO 27001 helps businesses deal seriously with data security by setting up procedures and systems for protection against threats of data misuse and security breaches. It can work effectively with different businesses and the different types of data they store.

Other specific benefits of ISO 27001 certification include implementation of a structured framework for risk management, avoidance of penalties in the event of an attack caused by a lack of security, and a change in the corporate mindset about the significance of cybersecurity.

Importance of ISO 27001 certification

An independent audit is an important step of ISO certification. It adds credibility and objectivity to the procedure. Self-regulation is also important for ISO's ongoing success. However, it is the independent audit that attests that the ISO standard is appropriately embedded in all systems of the organization.

Process of gaining ISO 27001 certification

Most organizations start the process of ISO certification with ISO 9001. It establishes quality procedures and management systems, which can be further improved to include data security and other standards.

Difference between ISO 27001 standard of 2022 and 2013

As the world faces evolving security challenges, ISO 27001 has been updated to become more relevant. Even though the last update to ISO 27001 was done almost 10 years ago, further changes are expected as cybersecurity threats keep growing rapidly.

The new version of ISO 27001 was published on 25 October 2022. The major updates in this new version include a change in the standard's title, key changes to Annex A, and minor changes to the clauses.

Generally, in comparison to the 2013 revision, the updates in the 2022 revision are minimal to moderate. The main section of the standard still has 10 clauses, and the revisions in this section are minimal. There are also only a few changes to the procedures and documentation.

Unlike ISO 27001:2013, the complete title of the 2022 version is ISO/IEC 27001:2022 Information Security, Cybersecurity and Privacy Protection. The most significant changes were made in Annex A. As for the other sections, there are only several minor updates to clauses 4 to 10. Specifically, new content was added in clauses 4.2, 6.2, 6.3, and 8.1. Other changes include minor rewording of sentences, restructuring of clauses, and changes in terminology. However, the clause titles and order remain the same:

  • Clause 4 Context of the organization
  • Clause 5 Leadership
  • Clause 6 Planning
  • Clause 7 Support
  • Clause 8 Operation
  • Clause 9 Performance evaluation
  • Clause 10 Improvement

Annex A Changes

Annex A of ISO/IEC 27001:2022 contains changes to the number of controls and their group listings. Its title also changed from “Reference Control Objectives and Controls” to “Information Security Controls Reference”. Thus, the reference objectives of every control group present in the 2013 version were removed.

The number of controls in Annex A was reduced from 114 to 93. The reduction is the result of many controls being merged. Fifty-seven controls were merged into 24 controls, while 35 remained the same, 23 were renamed, and one was divided into two. The new 93 controls are restructured into four control sections, namely:

  1. A.5 Organizational controls – 37 controls
  2. A.6 People controls – 8 controls
  3. A.7 Physical controls – 14 controls
  4. A.8 Technological controls – 34 controls

Moreover, the following 11 new controls were added to Annex A of ISO/IEC 27001:2022:

  • 5.23 Information security for use of cloud services 
  • 5.30 ICT readiness for business continuity 
  • 5.7 Threat Intelligence 
  • 7.4 Physical security monitoring 
  • 8.1 Data masking 
  • 8.9 Configuration management 
  • 8.10 Information deletion 
  • 8.12 Data leakage prevention 
  • 8.16 Monitoring activities 
  • 8.23 Web filtering 
  • 8.28 Secure coding 

Transitioning from ISO 27001 2013 to 2022

It is better to fully transition to the new requirements before the next internal audit, whether the organization has already been certified for years or is still in the certification process.

Based on the document “Transition requirements for ISO 27001:2022” from the International Accreditation Forum, organizations already certified to ISO 27001:2013 only have until 31 October 2025 to complete the transition to 2022 certification compliance.

Organizations already certified to ISO 27001:2013 need moderate effort to transition to the 2022 edition. This includes updating internal policies according to the new subclauses and updated requirements, as well as updating the risk evaluation and plan according to Annex A of the 2022 edition.

How can ECCI help with ISO 27001 certification?

ECCI can help in the smooth transition to ISO 27001:2022. Generally, ECCI helps different organizations apply international management standards to guarantee that their clients consistently receive good quality products and services. The experts at ECCI work with the procedures and systems in an organization to guarantee that the implementation of ISO 27001 really suits the organization's data utilization. ECCI has 20 years of experience in the Philippines and in Southeast Asia with Management System Frameworks aligned with international standards. It offers IT security services including risk and gap evaluations and implementation of management systems. Moreover, it has developed an implementation toolkit containing artifacts and templates on information security.

ECCI’s toolkits include information and step-by-step procedures on how to comply with the newly released ISO 27001:2022 standard. They are customizable for any kind of organization, such as government agencies, IT industries, Telecommunications, Transportation, Manufacturing, and Finance and Insurance. Moreover, they can also be aligned to other international standards such as ISO 31000 Enterprise Risk Management, ISO 20000 Service Management System, ITIL4, PCI DSS, COBIT and others related to information security.

