ISMS | Jan Kahmen | 3 min read

Version 2022 of the ISO 27001

The International Accreditation Forum (IAF) published the new and improved ISO/IEC 27001:2022 in October 2022.


The international standard ISO 27001 has been revised and improved in important ways. In October 2022, the International Accreditation Forum (IAF) published the new and improved ISO/IEC 27001:2022, which replaces the previous version, ISO 27001:2013. This article presents the most important changes, special features and challenges associated with the 2022 version of ISO 27001.

Following the revision, ISO 27001:2022 no longer bears the name "Information technology - Security techniques - Information security management systems - Requirements"; it is now titled "Information security, cybersecurity and privacy protection - Information security management systems - Requirements". With this change, "privacy protection" is officially part of the title of the standard.

Structural Change

The structure has been consolidated into four key areas (Organizational, Human, Physical and Technological) instead of the 14 in the previous edition.

New Controls

The number of controls listed has been reduced from 114 to 93. Some controls have been merged, some have been removed, new ones have been introduced and others have been updated.

New Measures

  • A.5.7 Threat Intelligence,
  • A.5.23 Information Security for use of Cloud Services,
  • A.5.30 ICT Readiness for Business Continuity,
  • A.7.4 Physical Security Monitoring,
  • A.8.9 Configuration Management,
  • A.8.10 Information Deletion,
  • A.8.11 Data Masking,
  • A.8.12 Data Leakage Prevention,
  • A.8.16 Monitoring Activities,
  • A.8.23 Web Filtering and
  • A.8.28 Secure Coding.

Each measure in was additionally categorized into five different attributes:

  • Control Type,
  • Attribute of Information Security,
  • Cybersecurity Concepts,
  • Operational Capabilities and
  • Security Domains.

Visualization of the Changes to Version 2022

[Figure: Overview of changes from version 2017 to 2022. Source: ISO 27001 changes]

Recommendations for Action

Although the changes are significant, this does not mean that we have to completely revisit the topic of information security or make major changes to an existing information security management system (ISMS). Instead, they merely reflect long overdue adjustments to the increasing understanding of information security.

