
ISO/IEC 27001:2022

Transition Guide
Overview
This document provides an overview of the key changes between the 2013/2017 and 2022 versions of ISO/IEC 27001. There are several minor changes throughout the Annex SL clauses (clauses 4 to 10) of 27001. In addition, there are large changes within Annex A of the standard. To prepare, you will need to adapt and change your Information Security Management System (ISMS) to meet the new requirements.

Structure of the new Annex SL - ISO/IEC 27001:2022


1 - Scope
2 - Normative References
3 - Terms & definitions
4 - Context of the Organisation
5 - Leadership
6 - Planning
7 - Support
8 - Operation
9 - Performance evaluation
10 - Improvement

Structure of the new Annex A - ISO/IEC 27001:2022

There are now 93 controls within Annex A. The controls are grouped into the following four themes:

Clause   Theme                      Controls
5        Organisational controls    37
6        People controls             8
7        Physical controls          14
8        Technological controls     34


Clause-by-clause summary

ISO 27001:2013/2017                ISO/IEC 27001:2022                                   Guidance
0 - Introduction                   0 - Introduction                                     No changes
1 - Scope                          1 - Scope                                            No changes
2 - Normative references           2 - Normative references                             No changes
3 - Terms and definitions          3 - Terms and definitions                            Minor changes
4 - Context of the organisation    4 - Context of the organisation                      Minor changes
5 - Leadership                     5 - Leadership                                       Minor changes
6 - Planning                       6 - Planning                                         Minor changes to the Annex SL text;
                                     6.1 - Actions to address risks and opportunities   major changes to Annex A, which
                                     6.2 - Information security objectives and          corresponds with clause 6.1.3 d)
                                           planning to achieve them
                                     6.3 - Planning of changes
7 - Support                        7 - Support                                          Minor changes (see 7.4 below)
8 - Operation                      8 - Operation                                        Minor changes
9 - Performance evaluation         9 - Performance evaluation                           Minor changes
10 - Improvement                   10 - Improvement                                     Minor changes
4.2 Understanding the needs and expectations of interested parties
2013/2017: 4.2 (a & b) - Interested parties
2022: 4.2 (a, b & c)
Guidance: A new requirement, point c), has been added to this clause: you must determine which of the requirements of your interested parties will be addressed through the ISMS.

4.4 Information security management system
2013/2017: 4.4 ISMS
2022: 4.4 ISMS
Guidance: There is a very minor change to the language here, which now refers to the requirements of 'this document' rather than of 'this International Standard'. There is no change to the fundamentals of this requirement.

5.1 Leadership and commitment
2013/2017: N/A
2022: NOTE
Guidance: The following note has been added at the end of this subclause: 'Reference to "business" in this document can be interpreted broadly to mean those activities that are core to the purposes of the organization's existence.'
5.3 Organisational roles, responsibilities and authorities
2013/2017: 5.3 Roles and responsibilities
2022: 5.3 Roles and responsibilities
Guidance: Further emphasis has been placed on communicating ISMS-related roles and responsibilities within the organisation.

6.1 Actions to address risks and opportunities
2013/2017: 6.1.3 c)
2022: 6.1.3 c)
Guidance: The notes to clause 6.1.3 c) have been revised editorially, including deleting the control objectives and using 'information security control' in place of 'control'.

2013/2017: 6.1.3 d)
2022: 6.1.3 d) (sub-points 1, 2, 3 and 4)
Guidance: Firstly, NOTE 2 has been reworded and the word 'comprehensive' has been replaced with 'possible', because the controls within Annex A are intended to be more flexible for businesses to apply. NOTE 3 has also been added; it puts further emphasis on the fact that the SOA can now be tailored to the specific operations of a business. The wording of clause 6.1.3 d) has been re-organised to remove potential ambiguity.
2013/2017: 6.1.3 d)
2022: 6.1.3 d) (sub-points 1, 2, 3 and 4)
Guidance: To suit the new controls within Annex A, clause 6.1.3 d) has been itemised so that the requirements for an SOA are entirely clear: the necessary controls, the justification for their inclusion, whether each is implemented or not, and the justification for excluding any of the Annex A controls.

6.2 Information security objectives and planning to achieve them
2013/2017: 6.2 (d)
2022: 6.2 (d, e & g)
Guidance: Further points have been added to this clause to ensure that ISMS objectives and targets are monitored and clearly communicated. Further emphasis has also been placed on the requirement to retain documented evidence of the objectives and targets, through the addition of bullet point g).

6.3 Planning of changes
2013/2017: N/A
2022: 6.3
Guidance: This is a new clause in the 2022 version of the standard. It requires that a clear and concise process is in place to manage and oversee planned changes to the management system.
7.4 Communication
2013/2017: 7.4 (e)
2022: 7.4 (d)
Guidance: Sub-clause e) has been removed from the 2022 version of the standard and incorporated into sub-clause d). This makes the requirement for clear communication simpler and easier to understand.

8.1 Operational planning and control
2013/2017: 8.1
2022: 8.1
Guidance: The requirements within this clause, whilst mostly the same, have been simplified to align more closely with the requirements of clause 6 and the new Annex A controls. Further emphasis has been placed on clause 6.3 (planning of changes).

2013/2017: 8.1
2022: 8.1
Guidance: 'Externally provided processes, products or services' replaces 'outsourced processes' in clause 8.1, and the term 'outsource' has been deleted.
9.1 Monitoring, measurement, analysis and evaluation
2013/2017: 9.1
2022: 9.1
Guidance: The 2022 version is simplified and has removed the opening statement of the clause. The requirements of the standard are clearer and easier to understand.

2013/2017: 9.1 (b) (NOTE)
2022: 9.1 (b)
Guidance: This sub-clause has been expanded to incorporate the note from the 2013 version; it is designed to ensure that performance evaluation methods are reproducible and valid.

2013/2017: 9.1
2022: 9.1
Guidance: The last paragraph of this clause has been simplified. Further emphasis has been placed on the overall evaluation of the effectiveness of the ISMS, a point on which the 2013 version placed less focus.

9.2 Internal audit
2013/2017: 9.2 (a & b)
2022: 9.2.1
Guidance: Clause 9.2 has been expanded. Clause 9.2.1 (new in the 2022 version) is designed to place focus on the general requirements of internal audit.
2013/2017: 9.2 (c, d, e, f & g)
2022: 9.2.2
Guidance: Clause 9.2.2 is designed to ensure that additional focus is placed on designing and implementing a robust internal audit programme.

9.3 Management review
2013/2017: 9.3
2022: 9.3.1
Guidance: Similar to the changes made to clause 9.2, clause 9.3 has been split to place further focus on the overall general requirements of management review (9.3.1) and on the design, implementation and operation of a robust management review programme.

2013/2017: 9.3 (a-f)
2022: 9.3.2
Guidance: Clearly outlines the input requirements to ensure the output of the management review programme is fit for purpose. Furthermore, an additional input has been added as 9.3.2 c), which requires that changes in the needs and expectations of interested parties relevant to the ISMS are reviewed.

2013/2017: 9.3
2022: 9.3.3
Guidance: This new clause covers the requirements for the results of the management review programme.
10 Improvement
2013/2017: 10.1
2022: 10.2
Guidance: Continual improvement is now clause 10.2. The requirements of this clause have not changed, but its position within the standard has.

2013/2017: 10.2
2022: 10.1
Guidance: Nonconformity and corrective action is now clause 10.1. Again, the requirements of this clause have not changed, only its position within the standard.
Transition Guide: Annex A

The below demonstrates the amendments made to Annex A of the standard, which will subsequently be reflected in a client's SOA.

The first change is to the title of Annex A, which is now 'Information security controls reference'; the former 'code of practice' wording has been removed. Secondly, the control objectives have been removed and the Annex A controls are no longer presented as a mandatory set.

The other major change is the introduction of 'attributes'. Attributes are designed to describe accurately the purpose and function of a particular control. Applying a control that is entirely fit for purpose to an identified risk area ensures that the control is used to its maximum potential. Attributes also make the controls multi-functional and tailorable to a business, which in turn makes the Statement of Applicability more flexible.

The five attributes are:
Control type
Information security properties
Cybersecurity concepts
Operational capabilities
Security domains
Attribute                          Values (description of purpose)
Control type                       Preventive, Detective, Corrective
Information security properties    Confidentiality, Integrity, Availability (the familiar CIA triad)
Cybersecurity concepts             Identify, Protect, Detect, Respond, Recover (ideal for cross-referencing the NIST Cybersecurity Framework)
Operational capabilities           Governance, Asset management, Information protection, Human resource security, Physical security, System and network security, Application security, Secure configuration, Identity and access management, Threat and vulnerability management, Continuity, Supplier relationships security, Legal and compliance, Information security event management, Information security assurance
Security domains                   Governance and ecosystem, Protection, Defence, Resilience

Whilst the use of attributes is not mandatory, it could be interpreted as best practice given their overall purpose. As referenced above, attributes are a simple means of categorising controls. They allow clients to quickly align a control selection with common industry language and standards. They provide a set of recommended associations which in turn will help to strengthen an SOA and provide robust justification for the selection of a particular control based on different inputs, such as a risk assessment.
A separate link provides a map of the 2013 controls to the 2022 controls.

Below is a generic example of what a new SOA could look like should a business choose to adopt the notation of the selected attributes for each control.
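As an added, worked example that is not part of the guide (and not the assessment body's own SOA template), the Python below represents SOA rows tagged with the five attributes, validates each row against the attribute vocabularies tabulated above (and against the 6.1.3 d) requirement that both inclusions and exclusions carry a justification), and then answers the cross-referencing questions the attributes are meant to make easy: which applicable controls give Detect coverage, and which NIST CSF function has no applicable control at all. The control numbers and names in the sample rows follow Annex A of ISO/IEC 27001:2022; the tags, risk identifiers (R-01 and so on) and justifications are constructed for illustration and are not taken from ISO/IEC 27002 or from any real SOA.

```python
"""Attribute-tagged Statement of Applicability (SOA) checks.

Added example, not the transition guide's own SOA template. The five attribute
vocabularies are the ones tabulated in the guide. The sample rows are
constructed: control numbers and names follow Annex A of ISO/IEC 27001:2022,
but the tags, risk references and justifications are illustrative only.
"""
from dataclasses import dataclass

ATTRIBUTE_VOCABULARY = {
    "control_type": {"Preventive", "Detective", "Corrective"},
    "information_security_properties": {"Confidentiality", "Integrity", "Availability"},
    "cybersecurity_concepts": {"Identify", "Protect", "Detect", "Respond", "Recover"},
    "operational_capabilities": {
        "Governance", "Asset_management", "Information_protection",
        "Human_resource_security", "Physical_security", "System_and_network_security",
        "Application_security", "Secure_configuration", "Identity_and_access_management",
        "Threat_and_vulnerability_management", "Continuity",
        "Supplier_relationships_security", "Legal_and_compliance",
        "Information_security_event_management", "Information_security_assurance"},
    "security_domains": {"Governance_and_Ecosystem", "Protection", "Defence", "Resilience"},
}
CIA = frozenset({"Confidentiality", "Integrity", "Availability"})


@dataclass
class SoaEntry:
    control_id: str
    name: str
    applicable: bool
    justification: str  # 6.1.3 d) requires one for inclusion and for exclusion
    attributes: dict     # attribute set name -> set of tag values


def validate_entry(entry):
    """Return the problems with one SOA row; an empty list means it is consistent."""
    problems = []
    for attr_set, allowed in ATTRIBUTE_VOCABULARY.items():
        values = entry.attributes.get(attr_set, set())
        if not values:
            problems.append(f"{entry.control_id}: no {attr_set} tag")
        for bad in sorted(values - allowed):
            problems.append(f"{entry.control_id}: unknown {attr_set} tag {bad!r}")
    if not entry.justification.strip():
        kind = "inclusion" if entry.applicable else "exclusion"
        problems.append(f"{entry.control_id}: missing {kind} justification")
    return problems


def controls_covering(soa, **required):
    """IDs of applicable controls carrying every requested attribute value,
    e.g. controls_covering(soa, cybersecurity_concepts="Detect")."""
    return [e.control_id for e in soa if e.applicable and all(
        value in e.attributes.get(attr_set, ()) for attr_set, value in required.items())]


def coverage_gaps(soa, attr_set="cybersecurity_concepts"):
    """Values of one attribute set that no applicable control carries."""
    covered = set()
    for e in soa:
        if e.applicable:
            covered |= set(e.attributes.get(attr_set, ()))
    return sorted(ATTRIBUTE_VOCABULARY[attr_set] - covered)


def tags(ctype, props, concepts, capability, domains):
    """Build the attribute dict for a row; keeps the sample data readable."""
    return {"control_type": {ctype}, "information_security_properties": set(props),
            "cybersecurity_concepts": set(concepts), "operational_capabilities": {capability},
            "security_domains": set(domains)}


# Constructed sample SOA (see module docstring); risk IDs are placeholders.
SAMPLE_SOA = [
    SoaEntry("5.15", "Access control", True, "Risk R-01: unauthorised access to customer data",
             tags("Preventive", CIA, ["Protect"], "Identity_and_access_management", ["Protection"])),
    SoaEntry("8.8", "Management of technical vulnerabilities", True,
             "Risk R-12: exploitable internet-facing services",
             tags("Preventive", CIA, ["Identify", "Protect"], "Threat_and_vulnerability_management",
                  ["Governance_and_Ecosystem", "Protection", "Defence"])),
    SoaEntry("8.16", "Monitoring activities", True, "Risk R-03: intrusion goes unnoticed",
             tags("Detective", CIA, ["Detect"], "Information_security_event_management", ["Defence"])),
    SoaEntry("8.13", "Information backup", True, "Risk R-07: ransomware or accidental data loss",
             tags("Corrective", ["Integrity", "Availability"], ["Recover"], "Continuity", ["Protection"])),
]

# A deliberately broken row: misspelt tag, three attribute sets missing, no justification.
BAD_ENTRY = SoaEntry("8.16", "Monitoring activities", True, "",
                     {"control_type": {"Detecting"}, "cybersecurity_concepts": {"Detect"}})

if __name__ == "__main__":
    for entry in SAMPLE_SOA + [BAD_ENTRY]:
        for problem in validate_entry(entry):
            print("PROBLEM:", problem)
    print("Detect + Availability:", controls_covering(
        SAMPLE_SOA, cybersecurity_concepts="Detect", information_security_properties="Availability"))
    print("CSF functions with no applicable control:", coverage_gaps(SAMPLE_SOA))
```

The vocabulary check catches the kind of drift that creeps into a hand-maintained spreadsheet (a typo such as "Detecting", or a row that was tagged for only two of the five attributes), and the gap query is the practical payoff of tagging: on this constructed SOA no applicable control carries the Respond concept, which is exactly the question an auditor or a NIST CSF cross-reference would raise.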
Head Office: 30 Tower View, Kings Hill, West Malling, Kent ME19 4UY
Contact us: info@british.assessment.co.uk, 0800 404 7007
Website: british-assessment.co.uk

BAB_MRKG56_030223_V2