Strike Graph security compliance blog

How do I transition from ISO 27001: 2013 to ISO 27001: 2022?

Written by Michelle Strickler | Apr 24, 2023 7:00:00 AM

In October of 2022, ISO 27001 was updated from ISO 27001: 2013 to ISO 27001: 2022.

Why the change? Like all compliance frameworks, ISO 27001 is regularly updated to ensure that all security requirements meet the most recent industry standards, are in line with the latest technological advancements, and can stand up against constantly changing cyber threats.

In fact, all ISO standards are reviewed at least once every five years. ISO 27001 was revised in 2013, 2017, and 2019, but those changes were minor, so ISO 27001: 2022 is the biggest overhaul of the standard since the original ISO 27001: 2013 version.

So what’s the difference between ISO 27001: 2013 and ISO 27001: 2022, what’s staying the same, and when do you need to start making the transition to ISO 27001: 2022? Let’s take a look at those questions now.

First and foremost, the new version’s official title is ISO/IEC 27001:2022 Information Security, Cybersecurity, and Privacy Protection, and the main changes have to do with Annex A controls and domains and a few of the ISO 27001 clauses.

Changes to Annex A controls and domains

The biggest change can be found in the Annex A controls and domains. As a quick refresher, the number of controls has been reduced from 114 to 93, and the 14 “domains” have been replaced by four “themes” — people, organizational, technological, and physical. Additionally, some controls have been removed, 57 have been merged, one has been split, 23 have been renamed, 35 have stayed the same, and 11 have been added.

The 11 new controls are:

  • Threat intelligence
  • Information security for use of cloud services
  • ICT readiness for business continuity
  • Physical security monitoring
  • Configuration management
  • Information deletion
  • Data masking
  • Data leakage prevention
  • Monitoring activities
  • Web filtering
  • Secure coding

The new version’s controls are more specific and can be applied more flexibly according to how they relate to your organization’s scope. Furthermore, you may be required to implement new controls depending on the scope of your ISMS, so make sure you carefully review all of the 93 ISO 27001: 2022 controls.

Changes to clauses 4 to 10

ISO 27001 Clauses 4 to 10 are:

  • Clause 4: Context of the organization
  • Clause 5: Leadership
  • Clause 6: Planning
  • Clause 7: Support
  • Clause 8: Operation
  • Clause 9: Performance evaluation
  • Clause 10: Improvement

While the titles and order of clauses 4 to 10 remain the same, minor changes have been made to the terminology, clause structure, and sentence structure. Additionally, new information has been sprinkled throughout the standard, so read it attentively. For example, clause 6.3 adds a requirement that when the organization determines that the ISMS needs to change, whether for internal or external reasons, those changes must be carried out in a planned manner.

What’s staying the same?

Clauses are still the main focus of the standard, and these always-applicable clauses must be implemented regardless of organization type or the type of data you’re handling. Also, it’s important to note that no significant requirements from ISO 27001: 2013 were deleted.

Don’t worry, there’s no need to panic — if your organization was assessed against ISO 27001: 2013 before October 2022, then you have between 18 and 36 months to transition from the old version. In other words, since the certification audit is on a three-year cycle, you’ll need to plan to transition to the 2022 version before your next ISO 27001 audit.

After the transition period, the ISO 27001: 2013 certificates will be withdrawn and considered expired, regardless of the certificate’s listed expiry date, so don’t delay! We recommend that you start revising your management system to ensure it’s in compliance with ISO 27001: 2022 as soon as possible.

In order to start preparing for ISO 27001: 2022, we recommend that you first review all of the amended, updated, and new ISO 27001: 2022 controls. From there, you’ll want to determine which are applicable to your organization, then carry out the appropriate steps in order to implement the necessary changes. When implementing new controls, make sure you enforce them with procedures and policies, and test them before proceeding to your audit.

How Strike Graph can make this shift easier

Thankfully, Strike Graph can make this ISO 27001 transition — as well as other regulatory shifts — easier with our pre-loaded controls, streamlined audit capabilities, and more.

Not only can we help you better understand what’s changed in ISO 27001, we also make it simple to upgrade. Our ISO 27001:2022 pre-mapped controls are ready to implement with the click of your mouse.