ISO/IEC 27001:2013 vs. ISO/IEC 27001:2022
The ISO/IEC 27001 standard specifies the requirements for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS) within an organization. The standard applies to all types of organizations regardless of their size or nature. An ISMS helps preserve the Confidentiality, Integrity, and Availability (CIA) of information (i.e. information assets) in the organization by applying a risk management process, thus giving interested parties confidence that their risks are being adequately managed. Implementing an ISMS is a strategic decision for any organization and is influenced by the organization’s needs, objectives, security requirements, organizational processes, size, and structure. All these influencing factors vary over time. The standard also serves as a guide for assessing an organization’s own information security requirements, including the assessment and treatment of information security risks within the context of the organization. Related standards include ISO/IEC 27003 (guidance on ISMS), ISO/IEC 27004 (monitoring, measurement, analysis, and evaluation of information security management), and ISO/IEC 27005 (guidance for managing information security risks). Further, an organization claiming conformity must conform to all the requirements specified in Clauses 4 to 10. The terminology databases can be found on iso.org and electropedia.org.
The changes in the 2022 edition can be found in clauses 4, 6, 7, 8, and 9. These changes have been marked *in italics* in the respective explanation (given below) for each clause (wherever distinctly applicable). There are also major changes to the list of controls (found in Annex A of the ISO/IEC 27001:2022 standard), which have been organized and attached towards the end of this article. The summary of the ISO/IEC 27001:2022 standard, including the new additions, has been outlined in a comprehensive mind map. Feel free to download a copy of it for your ready reference. The link to view/download the mind map is available towards the end of the blog.
Context of the Organization (Clause 4)
Before planning to assess/implement the ISMS in an organization, it is essential to establish its internal and external context: the issues relevant to the purpose of the organization, and the issues that affect its ability to achieve the intended outcome of its ISMS. Next, it is important to determine the interested parties (or stakeholders) relevant to the ISMS and gather their requirements, which will be addressed through the ISMS. These requirements should also include any legal, regulatory or contractual requirements/obligations. Based on the above requirements, the organization context, and the interfaces and dependencies between activities performed by the organization and those performed by other organizations, the ISMS scope is established. The organization MUST DOCUMENT the SCOPE of the ISMS. The organization should then prepare to establish, implement, maintain and continually improve the ISMS, along with the processes needed for these activities and their interactions, if any.
Leadership (Clause 5)
Planning for an ISMS requires commitment from the leadership. Top management must ensure that the information security (IS) objectives defined and the requirements identified are incorporated into the IS policy and the organization’s processes. The leadership should allocate the resources required for the ISMS, define the relevant management roles, and ensure that the ISMS achieves its intended outcome. The IS policy MUST be DOCUMENTED, COMMUNICATED, and made AVAILABLE to the interested parties.
Planning (Clause 6)
The organization needs to determine the various risks and opportunities that need to be addressed. The organization then needs to plan the set of actions to address the risks/opportunities identified and assess how they can be integrated into the ISMS. A formal IS risk assessment process needs to be followed that defines risk acceptance criteria, is repeatable (produces consistent, valid and comparable results), identifies risks associated with the loss of CIA, identifies risk owners, assesses the potential consequences of a threat exploiting a vulnerability, estimates the realistic likelihood of the risk occurring, and determines the level of risk. The risk assessment process MUST be DOCUMENTED; its results further help to prioritize risks for treatment.
The organization has to prepare a risk treatment plan as the next step. Here, the organization needs to produce a Statement of Applicability (SoA) that includes the list of the necessary controls selected to treat the risks identified (and prioritized), the justification for including each control, its implementation status, and the justification for excluding any Annex A controls. The organization is free to design the controls as required but must compare them against the set of controls provided in Annex A to ensure no necessary controls have been overlooked. The risk owner must approve the documented risk treatment plan and accept the residual risks, if any. The risk treatment process MUST be DOCUMENTED. Guidelines for both the risk assessment and risk treatment processes can be found in ISO 31000. The organization should also establish IS objectives at relevant functions and levels within the organization; these should be consistent with the IS policy, be monitored, communicated and updated, and MUST be DOCUMENTED. *Finally, if the organization determines that changes to the ISMS are needed, they must be carried out in a planned manner*.
Support (Clause 7)
The organization must provide the necessary support for the ISMS. It needs to determine and provide the resources required for the establishment and improvement of the ISMS. The organization must follow a thorough process of recruiting competent persons to handle the requirements of the ISMS. These employees need to be trained to acquire the necessary competence as changes take place, and evidence of their competence MUST be DOCUMENTED. The organization should promote awareness of the IS policy, of each person’s contribution to the effectiveness of the ISMS, of the benefits of improved IS performance, and of the implications of non-conformance. Further, the organization should determine what, when, with whom, and *how* any internal/external matters relevant to the ISMS must be communicated. The organization MUST maintain all the information required by ISO/IEC 27001 in DOCUMENTED form, along with any other documents deemed necessary by the organization. When creating or updating documented information, the organization should identify the document with the appropriate version/reference number, format, and medium, and review and approve it for suitability. Any such documented information must be available for suitable use, protected from loss of confidentiality and integrity, distributed properly in accordance with the access control mechanism, and retained and disposed of according to the retention policy.
Operation (Clause 8)
The organization needs to plan, implement and control the processes for meeting the ISMS requirements and *establish criteria for those processes*. Any planned changes should be controlled and reviewed for unintended consequences. *The organization should also ensure that externally provided processes, products or services relevant to the ISMS are controlled*. Based on the risk assessment and risk treatment plan drafted in the earlier phase, the organization MUST now implement these plans and DOCUMENT the results obtained.
Performance Evaluation (Clause 9)
The organization should determine which IS processes, controls and other related functions are to be monitored for their performance and effectiveness. This should follow an appropriate methodology that produces reproducible, comparable, and valid results, and the organization MUST DOCUMENT the results, the time of monitoring/measurement, and the person responsible for it. The organization should conduct internal audits at planned intervals by defining the audit criteria and scope, selecting competent auditors, and ensuring that the audit reports are communicated to the relevant management. The audit reports/results MUST be DOCUMENTED. Top management should review the ISMS at planned intervals to note the status of actions taken based on previous management reviews, review feedback on non-conformities and corrective actions, monitor the results, consider inputs from interested parties, and discuss opportunities for continual improvement. The results of these reviews MUST be DOCUMENTED.
Improvement (Clause 10)
The last clause emphasizes the measures taken to continually improve the suitability, adequacy, and effectiveness of the ISMS. When a nonconformity occurs, the organization should react to it by taking action to control and correct it, and by dealing with the consequences. The organization should then find ways to eliminate the cause of the nonconformity by reviewing it, determining its cause, and checking whether similar nonconformities exist or could occur. Any corrective action taken must be reviewed for its effectiveness, and the corresponding changes to the ISMS made. The nature of the nonconformities, the subsequent actions taken, and the results of corrective actions MUST be DOCUMENTED.
The following table summarizes the major highlights of ISO/IEC 27001:2013 vs. ISO/IEC 27001:2022:

| Criteria | ISO/IEC 27001:2013 | ISO/IEC 27001:2022 |
|---|---|---|
| Clauses | 11 (0 – 10) | 11 (0 – 10) |
| Control categories | 14 (A.5 to A.18) | 4 (A.5 to A.8) |
| Controls | 114 | 93 (11 new controls added; 54 controls from 2013 merged into 22 controls) |
| Control types | — | Preventive, Detective, Corrective |
| Mapping to NIST CSF | — | Present |
In ISO/IEC 27001:2022, the controls have been regrouped from the earlier 14 control categories into 4 major categories, namely A.5 Organizational (OC), A.6 People (PC), A.7 Physical (PhyC), and A.8 Technological (TC) controls. Organizations that are ISO/IEC 27001:2013 compliant (and certified) can refer to the following table to understand and assess the additional requirements under ISO/IEC 27001:2022. Using the ISO/IEC 27001:2013 annex of controls as a reference, the ISO/IEC 27001:2022 controls have been carefully marked (and grouped) against the 2013 controls to provide better clarity. The link to view/download the table presenting these changes in the controls is available below.
References
- ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements, third edition
- ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls, third edition
- Prozorov, A. (2022, Oct. 25). ISO 27001:2022: What has changed? Patreon