Comparison of ISO/IEC 27001:2013 and ISO/IEC

27001:2022
(Rev 17/11/2022)

Just for Customer

Guide Series

Comparison of ISO/IEC 27001:2013 and ISO/IEC 27001:2022 Page 1 of 19

 Comparison of ISO/IEC 27001:2013 and ISO/IEC 27001:2022

y
Red: Text that have been changed or added
New clause heading or clause - Highlighted in yellow

l
ISO/IEC 27001:2013 ISO/IEC 27001:2022

on
4 Context of the organization 4 Context of the organization

4.1 Understanding the organization and its context 4.1 Understanding the organization and its context

The organization shall determine external and internal issues that are relevant to its The organization shall determine external and internal issues that are relevant to its
purpose and that affect its ability to achieve the intended outcome(s) of its information purpose and that affect its ability to achieve the intended outcome(s) of its information
security management system. security management system.

NOTE Determining these issues refers to establishing the external and internal context NOTE Determining these issues refers to establishing the external and internal context

g
of the organization considered in Clause 5.3 of ISO 31000:2009[5]. of the organization considered in Clause 5.4.1 of ISO 31000:2018[5].

4.2 Understanding the needs and expectations of interested parties 4.2 Understanding the needs and expectations of interested parties

in
The organization shall determine: The organization shall determine:

a) interested parties that are relevant to the information security a) interested parties that are relevant to the information security management system;

b) the requirements of these interested parties relevant to information b) the relevant requirements of these interested parties;

in
c) which of these requirements will be addressed through the information security
management system.

NOTE The requirements of interested parties may include legal and regulatory NOTE The requirements of interested parties can include legal and regulatory
requirements and contractual obligations.
ra requirements and contractual obligations.

4.3 Determining the scope of the information security management 4.3 Determining the scope of the information security management system

The organization shall determine the boundaries and applicability of the information The organization shall determine the boundaries and applicability of the information
security management system to establish its scope. security management system to establish its scope.
rt
When determining this scope, the organization shall consider: When determining this scope, the organization shall consider:

a) the external and internal issues referred to in 4.1; a) the external and internal issues referred to in 4.1;

b) the requirements referred to in 4.2; and b) the requirements referred to in 4.2;

Fo

c) interfaces and dependencies between activities performed by the organization, and c) interfaces and dependencies between activities performed by the organization, and
those that are performed by other organizations. those that are performed by other organizations.

The scope shall be available as documented information. The scope shall be available as documented information.

Comparison of ISO/IEC 27001:2013 and ISO/IEC 27001:2022 Page 2 of 19

4.4 Information security management system 4.4 Information security management system

The organization shall establish, implement, maintain and continually improve an The organization shall establish, implement, maintain and continually improve an

y
information security management system, in accordance with the requirements of this information security management system, including the processes needed and their
International Standard. interactions, in accordance with the requirements of this document.

5 Leadership 5 Leadership

l
on
5.1 Leadership and commitment 5.1 Leadership and commitment

Top management shall demonstrate leadership and commitment with respect to the Top management shall demonstrate leadership and commitment with respect to the
information security management system by: information security management system by:

a) ensuring the information security policy and the information security objectives are a) ensuring the information security policy and the information security objectives are
established and are compatible with the strategic direction of the organization; established and are compatible with the strategic direction of the organization;

b) ensuring the integration of the information security management system b) ensuring the integration of the information security management system
requirements into the organization’s processes; requirements into the organization’s processes;

g
c) ensuring that the resources needed for the information security management system c) ensuring that the resources needed for the information security management
are available; system are available;

in
d) communicating the importance of effective information security management and of d) communicating the importance of effective information security management and of
conforming to the information security management system requirements; conforming to the information security management system requirements;

e) ensuring that the information security management system achieves its intended e) ensuring that the information security management system achieves its intended
outcome(s); outcome(s);

in
f) directing and supporting persons to contribute to the effectiveness of the information f) directing and supporting persons to contribute to the effectiveness of the
security management system; information security management system;

g) promoting continual improvement; and g) promoting continual improvement; and

ra
h) supporting other relevant management roles to demonstrate their leadership as it h) supporting other relevant management roles to demonstrate their leadership as it
applies to their areas of responsibility. applies to their areas of responsibility.

NOTE Reference to “business” in this document can be interpreted broadly to mean

those activities that are core to the purposes of the organization’s existence.
rt
5.2 Policy 5.2 Policy

Top management shall establish an information security policy that: Top management shall establish an information security policy that:

a) is appropriate to the purpose of the organization; a) is appropriate to the purpose of the organization;
Fo

b) includes information security objectives (see 6.2) or provides the framework for b) includes information security objectives (see 6.2) or provides the framework for
setting information security objectives; setting information security objectives;

Comparison of ISO/IEC 27001:2013 and ISO/IEC 27001:2022 Page 3 of 19

c) includes a commitment to satisfy applicable requirements related to information c) includes a commitment to satisfy applicable requirements related to information
security; and security;

y
d) includes a commitment to continual improvement of the information security d) includes a commitment to continual improvement of the information security
management system. management system.

The information security policy shall: The information security policy shall:

l
e) be available as documented information; e) be available as documented information;

on
f) be communicated within the organization; and f) be communicated within the organization;

g) be available to interested parties, as appropriate. g) be available to interested parties, as appropriate.

5.3 Organizational roles, responsibilities and authorities 5.3 Organizational roles, responsibilities and authorities

Top management shall ensure that the responsibilities and authorities for roles relevant Top management shall ensure that the responsibilities and authorities for roles relevant
to information security are assigned and communicated. to information security are assigned and communicated within the organization.

g
Top management shall assign the responsibility and authority for: Top management shall assign the responsibility and authority for:

in
a) ensuring that the information security management system conforms to the a) ensuring that the information security management system conforms to the
requirements of this International Standard; and requirements of this document;

b) reporting on the performance of the information security management system to top b) reporting on the performance of the information security management system to
management. top management.

in
NOTE Top management may also assign responsibilities and authorities for reporting NOTE Top management can also assign responsibilities and authorities for reporting
performance of the information security management system within the organization. performance of the information security management system within the organization.

6 Planning 6 Planning
ra
6.1 Actions to address risks and opportunities 6.1 Actions to address risks and opportunities

6.1.1 General 6.1.1 General

When planning for the information security management system, the organization shall When planning for the information security management system, the organization shall
consider the issues referred to in 4.1 and the requirements referred to in 4.2 and consider the issues referred to in 4.1 and the requirements referred to in 4.2 and
rt
determine the risks and opportunities that need to be addressed to: determine the risks and opportunities that need to be addressed to:

a) ensure the information security management system can achieve its intended a) ensure the information security management system can achieve its intended
outcome(s); outcome(s);

b) prevent, or reduce, undesired effects; and b) prevent, or reduce, undesired effects;

Fo

c) achieve continual improvement. c) achieve continual improvement.

Comparison of ISO/IEC 27001:2013 and ISO/IEC 27001:2022 Page 4 of 19

The organization shall plan: The organization shall plan:

y
d) actions to address these risks and opportunities; and d) actions to address these risks and opportunities; and

e) how to e) how to

l
on
1) integrate and implement the actions into its information security management 1) integrate and implement the actions into its information security management
system processes; and system processes; and

2) evaluate the effectiveness of these actions. 2) evaluate the effectiveness of these actions.

6.1.2 Information security risk assessment 6.1.2 Information security risk assessment

The organization shall define and apply an information security risk assessment process The organization shall define and apply an information security risk assessment process
that: that:

g
a) establishes and maintains information security risk criteria that include: a) establishes and maintains information security risk criteria that include:

1) the risk acceptance criteria; and 1) the risk acceptance criteria; and

in
2) criteria for performing information security risk assessments; 2) criteria for performing information security risk assessments;

b) ensures that repeated information security risk assessments produce consistent, b) ensures that repeated information security risk assessments produce consistent,
valid and comparable results; valid and comparable results;

in
c) identifies the information security risks: c) identifies the information security risks:

1) apply the information security risk assessment process to identify risks associated
with the loss of confidentiality, integrity and availability for information within the scope
of the information security management system; and
ra
2) identify the risk owners;
1) apply the information security risk assessment process to identify risks associated
with the loss of confidentiality, integrity and availability for information within the scope
of the information security management system; and
2) identify the risk owners;

d) analyses the information security risks: d) analyses the information security risks:

1) assess the potential consequences that would result if the risks identified in 6.1.2 c) 1) assess the potential consequences that would result if the risks identified in 6.1.2 c)
rt
1) were to materialize; 1) were to materialize;

2) assess the realistic likelihood of the occurrence of the risks identified in 6.1.2 c) 1); 2) assess the realistic likelihood of the occurrence of the risks identified in 6.1.2 c) 1);
and and

3) determine the levels of risk; 3) determine the levels of risk;

Fo

e) evaluates the information security risks: e) evaluates the information security risks:

1) compare the results of risk analysis with the risk criteria established in 6.1.2 a); and 1) compare the results of risk analysis with the risk criteria established in 6.1.2 a); and

Comparison of ISO/IEC 27001:2013 and ISO/IEC 27001:2022 Page 5 of 19

2) prioritize the analysed risks for risk treatment. 2) prioritize the analysed risks for risk treatment.

The organization shall retain documented information about the information security The organization shall retain documented information about the information security

y
risk assessment process. risk assessment process.

6.1.3 Information security risk treatment 6.1.3 Information security risk treatment

l
The organization shall define and apply an information security risk treatment process The organization shall define and apply an information security risk treatment process

on
to: to:

a) select appropriate information security risk treatment options, taking account of the a) select appropriate information security risk treatment options, taking account of the
risk assessment results; risk assessment results;

b) determine all controls that are necessary to implement the information security risk b) determine all controls that are necessary to implement the information security risk
treatment option(s) chosen; treatment option(s) chosen;

NOTE 1 Organizations can design controls as required, or identify them from any
NOTE Organizations can design controls as required, or identify them from any source.
source.

g
c) compare the controls determined in 6.1.3 b) above with those in Annex A and verify c) compare the controls determined in 6.1.3 b) above with those in Annex A and verify
that no necessary controls have been omitted; that no necessary controls have been omitted;

in
NOTE 1 Annex A contains a comprehensive list of control objectives and controls. Users NOTE 2 Annex A contains a list of possible information security controls. Users of this
of this International Standard are directed to Annex A to ensure that no necessary document are directed to Annex A to ensure that no necessary information security
controls are overlooked. controls are overlooked.

NOTE 2 Control objectives are implicitly included in the controls chosen. The control

in
NOTE 3 The information security controls listed in Annex A are not exhaustive and
objectives and controls listed in Annex A are not exhaustive and additional control
additional information security controls can be included if needed.
objectives and controls may be needed.

d) produce a Statement of Applicability that contains: d) produce a Statement of Applicability that contains:
ra
— the necessary controls (see 6.1.3 b) and c)); — the necessary controls (see 6.1.3 b) and c));

— justification for their inclusion; — justification for their inclusion;

— whether the necessary controls are implemented or not; and — whether the necessary controls are implemented or not; and
rt
— the justification for excluding any of the Annex A controls. — the justification for excluding any of the Annex A controls.

e) formulate an information security risk treatment plan; and e) formulate an information security risk treatment plan; and

f) obtain risk owners’ approval of the information security risk treatment plan and f) obtain risk owners’ approval of the information security risk treatment plan and
Fo

acceptance of the residual information security risks. acceptance of the residual information security risks.

The organization shall retain documented information about the information security The organization shall retain documented information about the information security
risk treatment process. risk treatment process.

Comparison of ISO/IEC 27001:2013 and ISO/IEC 27001:2022 Page 6 of 19

NOTE The information security risk assessment and treatment process in this
NOTE 4 The information security risk assessment and treatment process in this
International Standard aligns with the principles and generic guidelines provided in ISO
document aligns with the principles and generic guidelines provided in ISO 31000[5].
31000[5].

y
6.2 Information security objectives and planning to achieve them 6.2 Information security objectives and planning to achieve them

The organization shall establish information security objectives at relevant functions and The organization shall establish information security objectives at relevant functions and

l
levels. levels.

on
The information security objectives shall: The information security objectives shall:

a) be consistent with the information security policy; a) be consistent with the information security policy;

b) be measurable (if practicable); b) be measurable (if practicable);

c) take into account applicable information security requirements, and results from risk c) take into account applicable information security requirements, and results from risk
assessment and risk treatment; assessment and risk treatment;

g
d) be monitored;

d) be communicated; and e) be communicated;

in
e) be updated as appropriate. f) be updated as appropriate;

g) be available as documented information.

in
The organization shall retain documented information on the information security The organization shall retain documented information on the information security
objectives. objectives.

When planning how to achieve its information security objectives, the organization shall When planning how to achieve its information security objectives, the organization shall
determine: determine:
ra
f) what will be done; h) what will be done;

g) what resources will be required; i) what resources will be required;

h) who will be responsible; j) who will be responsible;

rt
i) when it will be completed; and k) when it will be completed; and

j) how the results will be evaluated. l) how the results will be evaluated.

6.3 Planning of changes

Fo

When the organization determines the need for changes to the information security
management system, the changes shall be carried out in a planned manner.

Comparison of ISO/IEC 27001:2013 and ISO/IEC 27001:2022 Page 7 of 19

7 Support 7 Support

7.1 Resources 7.1 Resources

y
The organization shall determine and provide the resources needed for the The organization shall determine and provide the resources needed for the
establishment, implementation, maintenance and continual improvement of the establishment, implementation, maintenance and continual improvement of the
information security management system. information security management system.

l
7.2 Competence 7.2 Competence

on
The organization shall: The organization shall:

a) determine the necessary competence of person(s) doing work under its control that a) determine the necessary competence of person(s) doing work under its control that
affects its information security performance; affects its information security performance;

b) ensure that these persons are competent on the basis of appropriate education, b) ensure that these persons are competent on the basis of appropriate education,
training, or experience; training, or experience;

g
c) where applicable, take actions to acquire the necessary competence, and evaluate c) where applicable, take actions to acquire the necessary competence, and evaluate
the effectiveness of the actions taken; and the effectiveness of the actions taken; and

d) retain appropriate documented information as evidence of competence. d) retain appropriate documented information as evidence of competence.

in
NOTE Applicable actions may include, for example: the provision of training to, the NOTE Applicable actions can include, for example: the provision of training to, the
mentoring of, or the re-assignment of current employees; or the hiring or contracting of mentoring of, or the re-assignment of current employees; or the hiring or contracting of
competent persons. competent persons.

in
7.3 Awareness 7.3 Awareness

Persons doing work under the organization’s control shall be aware of: Persons doing work under the organization’s control shall be aware of:

a) the information security policy; a) the information security policy;

ra
b) their contribution to the effectiveness of the information security management b) their contribution to the effectiveness of the information security management
system, including the benefits of improved information security performance; and system, including the benefits of improved information security performance; and

c) the implications of not conforming with the information security management system c) the implications of not conforming with the information security management system
rt
requirements. requirements.

7.4 Communication 7.4 Communication

The organization shall determine the need for internal and external communications The organization shall determine the need for internal and external communications
relevant to the information security management system including: relevant to the information security management system including:
Fo

a) on what to communicate; a) on what to communicate;

b) when to communicate; b) when to communicate;

Comparison of ISO/IEC 27001:2013 and ISO/IEC 27001:2022 Page 8 of 19

c) with whom to communicate; c) with whom to communicate;

d) who shall communicate; and d) how to communicate.

y
e) the processes by which communication shall be effected.

l
7.5 Documented information 7.5 Documented information

on
7.5.1 General 7.5.1 General

The organization’s information security management system shall include: The organization’s information security management system shall include:

a) documented information required by this International Standard; and a) documented information required by this document; and

b) documented information determined by the organization as being necessary for the b) documented information determined by the organization as being necessary for the
effectiveness of the information security management system. effectiveness of the information security management system.

g
NOTE The extent of documented information for an information security management NOTE The extent of documented information for an information security management
system can differ from one organization to another due to: system can differ from one organization to another due to:

in
1) the size of organization and its type of activities, processes, products and services; 1) the size of organization and its type of activities, processes, products and services;

2) the complexity of processes and their interactions; and 2) the complexity of processes and their interactions; and

3) the competence of persons. 3) the competence of persons.

in
7.5.2 Creating and updating 7.5.2 Creating and updating

When creating and updating documented information the organization shall ensure When creating and updating documented information the organization shall ensure
appropriate:
ra appropriate:

a) identification and description (e.g. a title, date, author, or reference number); a) identification and description (e.g. a title, date, author, or reference number);

b) format (e.g. language, software version, graphics) and media (e.g. paper, b) format (e.g. language, software version, graphics) and media (e.g. paper,
electronic); and electronic); and
rt
c) review and approval for suitability and adequacy. c) review and approval for suitability and adequacy.

7.5.3 Control of documented information 7.5.3 Control of documented information

Documented information required by the information security management system and Documented information required by the information security management system and
Fo

by this International Standard shall be controlled to ensure: by this document shall be controlled to ensure:

a) it is available and suitable for use, where and when it is needed; and a) it is available and suitable for use, where and when it is needed; and

Comparison of ISO/IEC 27001:2013 and ISO/IEC 27001:2022 Page 9 of 19

b) it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of b) it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of
integrity). integrity).

y
For the control of documented information, the organization shall address the following For the control of documented information, the organization shall address the following
activities, as applicable: activities, as applicable:

c) distribution, access, retrieval and use; c) distribution, access, retrieval and use;

l
on
d) storage and preservation, including the preservation of legibility; d) storage and preservation, including the preservation of legibility;

e) control of changes (e.g. version control); and e) control of changes (e.g. version control); and

f) retention and disposition. f) retention and disposition.

Documented information of external origin, determined by the organization to be Documented information of external origin, determined by the organization to be
necessary for the planning and operation of the information security management necessary for the planning and operation of the information security management
system, shall be identified as appropriate, and controlled. system, shall be identified as appropriate, and controlled.

g
NOTE Access implies a decision regarding the permission to view the documented NOTE Access can imply a decision regarding the permission to view the documented
information only, or the permission and authority to view and change the documented information only, or the permission and authority to view and change the documented

in
information, etc. information, etc.

8 Operation 8 Operation

8.1 Operational planning and control 8.1 Operational planning and control

in
The organization shall plan, implement and control the processes needed to meet
information security requirements, and to implement the actions determined in 6.1. The The organization shall plan, implement and control the processes needed to meet
organization shall also implement plans to achieve information security objectives requirements, and to implement the actions determined in Clause 6, by:
determined in 6.2.
ra
— establishing criteria for the processes;

— implementing control of the processes in accordance with the criteria.

rt
The organization shall keep documented information to the extent necessary to have Documented information shall be available to the extent necessary to have confidence
confidence that the processes have been carried out as planned. that the processes have been carried out as planned.

The organization shall control planned changes and review the consequences of The organization shall control planned changes and review the consequences of
unintended changes, taking action to mitigate any adverse effects, as necessary. unintended changes, taking action to mitigate any adverse effects, as necessary.
Fo

The organization shall ensure that externally provided processes, products or services
The organization shall ensure that outsourced processes are determined and controlled.
that are relevant to the information security management system are controlled.

Comparison of ISO/IEC 27001:2013 and ISO/IEC 27001:2022 Page 10 of 19

8.2 Information security risk assessment 8.2 Information security risk assessment

The organization shall perform information security risk assessments at planned The organization shall perform information security risk assessments at planned

y
intervals or when significant changes are proposed or occur, taking account of the intervals or when significant changes are proposed or occur, taking account of the
criteria established in 6.1.2 a). criteria established in 6.1.2 a).

l
The organization shall retain documented information of the results of the information The organization shall retain documented information of the results of the information
security risk assessments. security risk assessments.

on
8.3 Information security risk treatment 8.3 Information security risk treatment

The organization shall implement the information security risk treatment plan. The organization shall implement the information security risk treatment plan.

The organization shall retain documented information of the results of the information The organization shall retain documented information of the results of the information
security risk treatment. security risk treatment.

9 Performance evaluation 9 Performance evaluation

g
9.1 Monitoring, measurement, analysis and evaluation 9.1 Monitoring, measurement, analysis and evaluation

The organization shall evaluate the information security performance and the

in
effectiveness of the information security management system.

The organization shall determine: The organization shall determine:

a) what needs to be monitored and measured, including information security processes a) what needs to be monitored and measured, including information security processes

in
and controls; and controls;

b) the methods for monitoring, measurement, analysis and evaluation, as applicable, to

ensure valid results; b) the methods for monitoring, measurement, analysis and evaluation, as applicable, to
ensure valid results. The methods selected should produce comparable and reproducible
NOTE The methods selected should produce comparable and reproducible results to be results to be considered valid;
ra
considered valid.

c) when the monitoring and measuring shall be performed; c) when the monitoring and measuring shall be performed;

d) who shall monitor and measure; d) who shall monitor and measure;
rt
e) when the results from monitoring and measurement shall be analysed and evaluated; e) when the results from monitoring and measurement shall be analysed and
and evaluated;

f) who shall analyse and evaluate these results. f) who shall analyse and evaluate these results.
Fo

The organization shall retain appropriate documented information as evidence of the

Documented information shall be available as evidence of the results.
monitoring and measurement results.

The organization shall evaluate the information security performance and the The organization shall evaluate the information security performance and the
effectiveness of the information security management system. effectiveness of the information security management system.

Comparison of ISO/IEC 27001:2013 and ISO/IEC 27001:2022 Page 11 of 19

9.2 Internal audit 9.2 Internal audit

9.2.1 General

y
The organization shall conduct internal audits at planned intervals to provide The organization shall conduct internal audits at planned intervals to provide
information on whether the information security management system: information on whether the information security management system:

l
a) conforms to a) conforms to

on
1) the organization’s own requirements for its information security management 1) the organization’s own requirements for its information security management
system; and system;

2) the requirements of this International Standard; 2) the requirements of this document;

b) is effectively implemented and maintained. b) is effectively implemented and maintained.

9.2.2 Internal audit programme

g
c) plan, establish, implement and maintain an audit programme(s), including the
frequency, methods, responsibilities, planning requirements and reporting. The audit The organization shall plan, establish, implement and maintain an audit programme(s),
programme(s) shall take into consideration the importance of the processes concerned including the frequency, methods, responsibilities, planning requirements and reporting.

in
and the results of previous audits;

When establishing the internal audit programme(s), the organization shall consider the
importance of the processes concerned and the results of previous audits.

in
The organization shall: The organization shall:

d) define the audit criteria and scope for each audit; a) define the audit criteria and scope for each audit;

e) select auditors and conduct audits that ensure objectivity and the impartiality of the b) select auditors and conduct audits that ensure objectivity and the impartiality of the
audit process;
ra audit process;

f) ensure that the results of the audits are reported to relevant management; c) ensure that the results of the audits are reported to relevant management;

g) retain documented information as evidence of the audit programme(s) and the audit Documented information shall be available as evidence of the implementation of the
results. audit programme(s) and the audit results.
rt
9.3 Management review 9.3 Management review

9.3.1 General
Fo

Top management shall review the organization's information security management Top management shall review the organization's information security management
system at planned intervals to ensure its continuing suitability, adequacy and system at planned intervals to ensure its continuing suitability, adequacy and
effectiveness. effectiveness.

Comparison of ISO/IEC 27001:2013 and ISO/IEC 27001:2022 Page 12 of 19

 9.3.2 Management review inputs

The management review shall include consideration of: The management review shall include consideration of:

y
a) the status of actions from previous management reviews; a) the status of actions from previous management reviews;

l
b) changes in external and internal issues that are relevant to the information security b) changes in external and internal issues that are relevant to the information security
management system; management system;

on
c) changes in needs and expectations of interested parties that are relevant to the
information security management system;

c) feedback on the information security performance, including trends in: d) feedback on the information security performance, including trends in:

1) nonconformities and corrective actions; 1) nonconformities and corrective actions;

2) monitoring and measurement results; 2) monitoring and measurement results;

g
3) audit results; and 3) audit results;

4) fulfilment of information security objectives; 4) fulfilment of information security objectives;

in
d) feedback from interested parties; e) feedback from interested parties;

e) results of risk assessment and status of risk treatment plan; and f) results of risk assessment and status of risk treatment plan;

in
f) opportunities for continual improvement. g) opportunities for continual improvement.

9.3.3 Management review results

The outputs of the management review shall include decisions related to continual The results of the management review shall include decisions related to continual
ra
improvement opportunities and any needs for changes to the information security improvement opportunities and any needs for changes to the information security
management system. management system.

The organization shall retain documented information as evidence of the results of Documented information shall be available as evidence of the results of management
management reviews. reviews.
rt
The following Clause has been changed as follows: The numbering remains the same, however: They have changed so that 10.1 has text that was in 10.2 previously 10.2 has a
minimal change in the text.

10 Improvement 10 Improvement

10.1 Nonconformity and corrective action 10.1 Continual improvement

Fo

The organization shall continually improve the suitability, adequacy and effectiveness of
When a nonconformity occurs, the organization shall:
the information security management system

Comparison of ISO/IEC 27001:2013 and ISO/IEC 27001:2022 Page 13 of 19

a) react to the nonconformity, and as applicable: 10.2 Nonconformity and corrective action

1) take action to control and correct it; When a nonconformity occurs, the organization shall:

y
2) deal with the consequences; a) react to the nonconformity, and as applicable:

l
b) evaluate the need for action to eliminate the causes of nonconformity, in order that
1) take action to control and correct it;
it does not recur or occur elsewhere, by:

on
1) reviewing the nonconformity; 2) deal with the consequences;

b) evaluate the need for action to eliminate the causes of nonconformity, in order that
2) determining the causes of the nonconformity; and
it does not recur or occur elsewhere, by:

3) determining if similar nonconformities exist, or could potentially occur; 1) reviewing the nonconformity;

c) implement any action needed; 2) determining the causes of the nonconformity; and

g
d) review the effectiveness of any corrective action taken; and 3) determining if similar nonconformities exist, or could potentially occur;

e) make changes to the information security management system, if necessary. c) implement any action needed;

in
Corrective actions shall be appropriate to the effects of the nonconformities
d) review the effectiveness of any corrective action taken; and
encountered.

The organization shall retain documented information as evidence of: e) make changes to the information security management system, if necessary.

in
Corrective actions shall be appropriate to the effects of the nonconformities
f) the nature of the nonconformities and any subsequent actions taken,
encountered.

g) the results of any corrective action. Documented information shall be available as evidence of:
ra
10.2 Continual improvement f) the nature of the nonconformities and any subsequent actions taken,

The organization shall continually improve the suitability, adequacy and effectiveness of
g) the results of any corrective action.
the information security management system
rt
Clauses 10.1 and 10.2 have been swapped around, but requirements remain the same
except for the highlighted change regarding documented information.
Fo

Comparison of ISO/IEC 27001:2013 and ISO/IEC 27001:2022 Page 14 of 19

 Correspondence of ISO/IEC 27001:2022 (Annex A) with ISO/IEC 27001:2013 (Annex A)

y
Correspondence between controls in ISO/IEC 27001:2022 (Annex A) and controls in ISO/IEC 27001:2013 (Annex A)

ISO/IEC 27001:2022 (Annex A) ISO/IEC 27001:2013 (Annex A) Control name according to ISO/IEC 27001:2022 (Annex A)

l
on
5.1 A.5.1.1, A.5.1.2 Policies for information security

5.2 A.6.1.1 Information security roles and responsibilities

5.3 A.6.1.2 Segregation of duties

5.4 A.7.2.1 Management responsibilities

5.5 A.6.1.3 Contact with authorities

g
5.6 A.6.1.4 Contact with special interest groups

in
5.7 New Threat intelligence

5.8 A.6.1.5, A.14.1.1 Information security in project management

5.9 A.8.1.1, A.8.1.2 Inventory of information and other associated assets

in
5.10 A.8.1.3, A.8.2.3 Acceptable use of information and other associated assets

5.11 A.8.1.4 Return of assets

5.12
ra
A.8.2.1 Classification of information

5.13 A.8.2.2 Labelling of information

5.14 A.13.2.1, A.13.2.2, A.13.2.3 Information transfer

rt
5.15 A.9.1.1, A.9.1.2 Access control

5.16 A.9.2.1 Identity management

5.17 A.9.2.4, A.9.3.1, A.9.4.3 Authentication information

Fo

5.18 A.9.2.2, A.9.2.5, A.9.2.6 Access rights

5.19 A.15.1.1 Information security in supplier relationships

Comparison of ISO/IEC 27001:2013 and ISO/IEC 27001:2022 Page 15 of 19

 ISO/IEC 27001:2022 (Annex A) ISO/IEC 27001:2013 (Annex A) Control name according to ISO/IEC 27001:2022 (Annex A)

5.20 A.15.1.2 Addressing information security within supplier agreements

y
5.21 A.15.1.3 Managing information security in the ICT supply chain

l
5.22 A.15.2.1, A.15.2.2 Monitoring, review and change management of supplier services

on
5.23 New Information security for use of cloud services

5.24 A.16.1.1 Information security incident management planning and preparation

5.25 A.16.1.4 Assessment and decision on information security events

5.26 A.16.1.5 Response to information security incidents

5.27 A.16.1.6 Learning from information security incidents

g
5.28 A.16.1.7 Collection of evidence

in
5.29 A.17.1.1, A.17.1.2, A.17.1.3 Information security during disruption

5.30 New ICT readiness for business continuity

5.31 A.18.1.1, A.18.1.5 Legal, statutory, regulatory and contractual requirements

in
5.32 A.18.1.2 Intellectual property rights

5.33 A.18.1.3 Protection of records

5.34
ra
A.18.1.4 Privacy and protection of PII

5.35 A.18.2.1 Independent review of information security

5.36 A.18.2.2, A.18.2.3 Compliance with policies, rules and standards for information security
rt
5.37 A.12.1.1 Documented operating procedures

6.1 A.7.1.1 Screening

6.2 A.7.1.2 Terms and conditions of employment

Fo

6.3 A.7.2.2 Information security awareness, education and training

6.4 A.7.2.3 Disciplinary process

Comparison of ISO/IEC 27001:2013 and ISO/IEC 27001:2022 Page 16 of 19

 ISO/IEC 27001:2022 (Annex A) ISO/IEC 27001:2013 (Annex A) Control name according to ISO/IEC 27001:2022 (Annex A)

6.5 A.7.3.1 Responsibilities after termination or change of employment

y
6.6 A.13.2.4 Confidentiality or non-disclosure agreements

l
6.7 A.6.2.2 Remote working

on
6.8 A.16.1.2, A.16.1.3 Information security event reporting

7.1 A.11.1.1 Physical security perimeters

7.2 A.11.1.2, A.11.1.6 Physical entry

7.3 A.11.1.3 Securing offices, rooms and facilities

7.4 New Physical security monitoring

g
7.5 A.11.1.4 Protecting against physical and environmental threats

in
7.6 A.11.1.5 Working in secure areas

7.7 A.11.2.9 Clear desk and clear screen

7.8 A.11.2.1 Equipment siting and protection

in
7.9 A.11.2.6 Security of assets off-premises

7.10 A.8.3.1, A.8.3.2, A.8.3.3, A.11.2.5 Storage media

7.11
ra
A.11.2.2 Supporting utilities

7.12 A.11.2.3 Cabling security

7.13 A.11.2.4 Equipment maintenance

rt
7.14 A.11.2.7 Secure disposal or re-use of equipment

8.1 A.6.2.1, A.11.2.8 User endpoint devices

8.2 A.9.2.3 Privileged access rights

Fo

8.3 A.9.4.1 Information access restriction

8.4 A.9.4.5 Access to source code

Comparison of ISO/IEC 27001:2013 and ISO/IEC 27001:2022 Page 17 of 19

 ISO/IEC 27001:2022 (Annex A) ISO/IEC 27001:2013 (Annex A) Control name according to ISO/IEC 27001:2022 (Annex A)

8.5 A.9.4.2 Secure authentication

y
8.6 A.12.1.3 Capacity management

l
8.7 A.12.2.1 Protection against malware

on
8.8 A.12.6.1, A.18.2.3 Management of technical vulnerabilities

8.9 New Configuration management

8.10 New Information deletion

8.11 New Data masking

8.12 New Data leakage prevention

g
8.13 A.12.3.1 Information backup

in
8.14 A.17.2.1 Redundancy of information processing facilities

8.15 A.12.4.1, A.12.4.2, A.12.4.3 Logging

8.16 New Monitoring activities

in
8.17 A.12.4.4 Clock synchronization

8.18 A.9.4.4 Use of privileged utility programs

8.19
ra
A.12.5.1, A.12.6.2 Installation of software on operational systems

8.20 A.13.1.1 Networks security

8.21 A.13.1.2 Security of network services

rt
8.22 A.13.1.3 Segregation of networks

8.23 New Web filtering

8.24 A.10.1.1, A.10.1.2 Use of cryptography

Fo

8.25 A.14.2.1 Secure development life cycle

8.26 A.14.1.2, A.14.1.3 Application security requirements

Comparison of ISO/IEC 27001:2013 and ISO/IEC 27001:2022 Page 18 of 19

 ISO/IEC 27001:2022 (Annex A) ISO/IEC 27001:2013 (Annex A) Control name according to ISO/IEC 27001:2022 (Annex A)

8.27 A.14.2.5 Secure system architecture and engineering principles

y
8.28 New Secure coding

l
8.29 A.14.2.8, A.14.2.9 Security testing in development and acceptance

on
8.30 A.14.2.7 Outsourced development

8.31 A.12.1.4, A.14.2.6 Separation of development, test and production environments

8.32 A.12.1.2, A.14.2.2, A.14.2.3, A.14.2.4 Change management

8.33 A.14.3.1 Test information

8.34 A.12.7.1 Protection of information systems during audit testing

g
in
in
ra
rt
Fo

Comparison of ISO/IEC 27001:2013 and ISO/IEC 27001:2022 Page 19 of 19