What’s New in ISO 27001:2022? Here's Everything You Need to Know

Not sure if there's anything you need to do for the ISO 27001:2022 update? Here's what you need to know.
by Richard Stevenson

January 27, 2023

At first glance, the recently published ISO 27001:2022 looks like an entirely new standard, which can feel overwhelming. Even just glancing through the table of contents, you’ll see a change in formatting when compared to ISO 27001:2013.

While the International Organization for Standardization (ISO) did shift its focus and requires you to think differently about your ISO 27001 program, the fundamental difference is the standard’s organization. Once you understand what’s new in ISO 27001:2022, you’ll realize that most of your current compliance program remains intact. 

Understanding the New Mindset

If you’re an organization that’s been following the ISO standard, a few quick notes here will help you understand the primary shift. 

First, the standardization body no longer refers to ISO 27001 as a “standard”; it consistently uses the word “document” instead. While this seems like a minor change, it’s actually part of the larger refocus. The first place you see this change is in Note 2 under Subsection 6.1.3:

Annex A contains a list of possible information security controls. Users of this document are directed to Annex A to ensure that no necessary information security controls are overlooked.

In the 2013 publication, Note 1 reads:

Annex A contains a comprehensive list of control objectives and controls. Users of this International Standard are directed to Annex A to ensure that no necessary controls are overlooked.

The two major mindset changes for ISO 27001:2022 are:

  • Recognizing that information security is dynamic. 

  • Moving away from the “control objectives” language.

ISO now positions 27001:2022 as establishing minimum baseline controls rather than a closed, comprehensive list.

Additionally, by removing the phrase “control objectives” from the entire document, ISO is moving away from the future-focused “we hope that this control works as intended.” The controls are now focused on “this is what we actually have in place, and this is why we did this.”

A High-Level View of the Table of Contents

If you’re just opening up the new publication, the table of contents might seem like it’s adding several new sections under:

  • Planning

  • Support

  • Performance Evaluation

Once you start digging into the standard and comparing the two side by side, the reality is that these changes serve to highlight pre-existing content, making it more visible and indicating that ISO believes it should be considered on its own.

What Do These Changes Mean for Your Compliance?

For the most part, ISO 27001:2022 changes very little. Only a few new controls have been added. However, it’s important to highlight one fundamental change surrounding compliance documentation. 

Everywhere that ISO 27001:2022 mentions documentation, the language now requires that “documented information shall be available.”

The original 2013 language required that organizations “shall keep documented information.”

The use of the word “available” implies that companies should be able to provide the information when someone asks for it, rather than just keeping it stored.

The Reorganization of ISO 27001:2022 Annex A

ISO 27001:2022’s changes don’t exist in a vacuum. ISO released 27001:2022, 27002:2022, and 27005:2022 all at the same time because they’re highly interconnected. The reorganization of 27001:2022’s Annex A corresponds directly to the reorganization of 27002:2022.

Instead of 14 categories of controls, the controls in 27002:2022 and 27001:2022 are now grouped into four categories, which ISO refers to as “themes”:

  • Organizational Controls

  • People Controls

  • Physical Controls

  • Technological Controls

Organizational Controls

The organizational controls are defined first within ISO 27002:2022. This section defines the higher-level, governance-focused controls of the ISO 27001 framework. These set the stage for the more actionable controls defined within the other three themes.

When you sift through and compare the two documents, you’ll notice that Organizational Controls aggregates the following under one heading:

  • Management direction for information security

  • Asset management

  • Information classification

  • Supplier relationships

  • Access control

  • Incident management

  • Business continuity management

  • Compliance with legal and contractual requirements

  • Information security reviews

So what’s new in ISO 27001:2022?

Although ISO rewrote many controls so that they would better align with its new mindset, it did add a few new controls:

  • 5.7 Threat intelligence

  • 5.23 Information security for use of cloud services

  • 5.30 ICT readiness for business continuity

Physical Controls

ISO categorizes controls as physical if they concern physical objects. 

The Physical Controls section aggregates:

  • Physical and environmental security

  • Equipment

Only one new physical control was added, “7.4 Physical security monitoring.” All the other controls are exactly the same as in the 2013 publication.

Technological Controls

According to ISO, Technological Controls are the ones that concern technology. 

The Technological Controls section aggregates:

  • System and application access control

  • Operational procedures

  • Redundancies

  • Protection from malware

  • Test data

  • Technical vulnerability management

  • Security in development and support processes

  • Backup

  • Cryptography

The changes to previous controls and all of the new controls respond to the risks arising from digital transformation, cloud-based environments, and new privacy laws.

The new Technological Controls are:

  • 8.9 Configuration management

  • 8.10 Information deletion

  • 8.11 Data masking

  • 8.12 Data leakage prevention

  • 8.16 Monitoring activities

  • 8.23 Web filtering

  • 8.28 Secure coding

A few rewrites should also be highlighted. For example:

  • 8.16 Monitoring activities: the added “anomalous behavior” language responds to cloud risks

  • 8.19 Installation of software on operational systems: the old “restrictions on software installation” control, now more aligned to remote work and mobile devices

  • 8.30 Outsourced development: the added “direct” and “review” language responds to third-party risks

Automated Compliance Monitoring for ISO 27001:2022

With Drata’s compliance solution, you can use pre-mapped controls to build on your current security and compliance posture to reduce costs and time associated with audit readiness. To streamline your audit activities, you can use workflows for things like formal documentation and employee acceptance, all within the platform for a single source of on-demand audit documentation. 

Our continuous control monitoring ensures that you have all the audit documentation available, whenever you need it. Using our automated monitoring, evidence collection, asset and personnel tracking, and access control workflows, you have everything you need to meet your ISO 27001:2022 compliance requirements for a faster, easier audit. Book a demo here.

Richard Stevenson is Manager of Compliance Advisory Services at Drata. He advises customers on building sound cybersecurity risk management programs and security policies that meet security compliance requirements. Richard is an AWS Certified Cloud Practitioner, CompTIA CySA+, and Shared Assessment Certified Third-Party Risk Assessor specializing in SOC 2, ISO 27001, NIST 800-53, NIST 800-171, SOX, HIPAA, third-party risk management, and enterprise risk management.