The new ISO/IEC 27001:2022 standard

The new ISO/IEC 27001:2022 standard

Red Overlay
ISO/IEC 27001 - A modern approach to information security
ISO/IEC 27001 - A modern approach to information security
Red Overlay

The global digital landscape is changing. New business practices, such as remote working, “bring your own device” and Industry 4.0 to name a few, have become widespread, and core business practices are increasingly cloud-based and digitally reliant.

In response, the ISO/IEC 27001 Information Security Management and ISO/IEC 27002 Controls for Information Security standards are being updated to reflect this evolution.

These updates provide more robust controls, enabling your organization to address increasingly sophisticated security risks, ensure business continuity, and gain a competitive advantage. Understanding these changes and their impact on your organization as soon as possible will ensure your information remains protected, and that you continue to maximize your competitive edge.

Download the transition journey guide >

Watch the ISO/IEC 27001:2022 video to understand the changes

Changes to the ISO 27001 standard

There are editorial changes, including:

  • “International standard” replaced with “document” throughout
  • Re-arranging of some English phrases to allow for easier translation

There are also changes to align with the ISO harmonized approach:

  • Numbering re-structure
  • Requirement to define processes needed for implementing the ISMS and their interactions
  • Explicit requirement to communicate organizational roles relevant to information security within in the organization
  • New clause 6.3 – Planning of Changes
  • New requirement to ensure the organization determines how to communicate as part of clause 7.4
  • New requirements to establish criteria for operational processes and implementing control of the processes

Key changes in this revision come in Annex A, reflecting the changes made in ISO/IEC 27002:2022. These changes are:

  • The structure has been consolidated into four key areas
    Organizational, People, Physical and Technological instead of 14 in the previous edition
  • Controls listed have decreased from 114 to 93
    Some controls have been merged, some have been removed, new ones have been introduced, and others updated
  • The concept of attributes has been introduced
    Aligned with common terminology used within digital security, these five attributes are: Control type, Information security properties, Cybersecurity concepts, Operational capabilities, and Security domains

Strengthen your information security posture

By completing the transition and adopting the ISO/IEC 27001:2022 standard, you strengthen your organization’s information security posture, support your digitization strategy, reduce the risks of information breaches, build trust in your brand, and build your organization's information resilience.

Making a smooth ISO 27001 transition

BSI are ready to support you from the very first moment the next edition of the standard is published, through your understanding of the changes, checking the impact on your organization, implementing, and finally transitioning your certification.

During your transition audit, your BSI auditor's experience and knowledge of your processes, activities, and organization will help you identify any gaps and opportunities for improvement. In addition, we’ll help you leverage what you are doing well to strengthen your information security processes.