The 2022 version of ISO/IEC 27001, the standard that defines the requirements for an
information security management system (ISMS), was published on 25 October 2022.
Certification bodies will have 12 months from the last day of the publication month of ISO/IEC 27001:2022 (i.e., until 31 October 2023) to transition to ISO/IEC 27001:2022. Organizations will have 36 months from the last day of the publication month (i.e., until 31 October 2025) to transition to the new version of the standard.

Several clauses were reworded or reordered in ISO/IEC 27001:2022. There are minimal new requirements in clauses 4-10. However, the change in clause 4.4 will significantly impact how an organization manages its ISMS. New requirements include:

- Clause 3 – added links for the ISO and IEC terminology databases
- Clause 4.2(c) – added a new bullet
- Clause 4.4 – added a requirement to establish, implement, maintain, and continually improve processes and their interactions
- Clause 5.1 – added a Note to clarify the term “business”
- Clause 6.3 – added a new section for “Planning of Changes”

ISO/IEC 27001:2022 now has 93 controls compared to 114 controls in ISO/IEC 27001:2013. There are 11 new controls in the 2022 version of the standard. 56 controls in ISO/IEC 27001:2013 have been merged into 24 controls in ISO/IEC 27001:2022. Many of the controls in the 2022 version have undergone some form of text change.

The 93 controls are divided into 4 themes:

- Organizational: 3 new, 28 merged
- People: no new controls, 2 merged
- Physical: 1 new, 5 merged
- Technical: 7 new, 21 merged

Below is a matrix that outlines the differences between ISO/IEC 27001:2013 and ISO/IEC 27001:2022.

CONTROLS