Professional Documents
Culture Documents
Comparison of ISOIEC 27001 2013 and ISOIEC 27001 2022 (Rev.17Nov22)
Comparison of ISOIEC 27001 2013 and ISOIEC 27001 2022 (Rev.17Nov22)
27001:2022
(Rev 17/11/2022)
y
Red: Text that have been changed or added
New clause heading or clause - Highlighted in yellow
l
ISO/IEC 27001:2013 ISO/IEC 27001:2022
on
4 Context of the organization 4 Context of the organization
4.1 Understanding the organization and its context 4.1 Understanding the organization and its context
The organization shall determine external and internal issues that are relevant to its The organization shall determine external and internal issues that are relevant to its
purpose and that affect its ability to achieve the intended outcome(s) of its information purpose and that affect its ability to achieve the intended outcome(s) of its information
security management system. security management system.
NOTE Determining these issues refers to establishing the external and internal context NOTE Determining these issues refers to establishing the external and internal context
g
of the organization considered in Clause 5.3 of ISO 31000:2009[5]. of the organization considered in Clause 5.4.1 of ISO 31000:2018[5].
4.2 Understanding the needs and expectations of interested parties 4.2 Understanding the needs and expectations of interested parties
in
The organization shall determine: The organization shall determine:
a) interested parties that are relevant to the information security a) interested parties that are relevant to the information security management system;
b) the requirements of these interested parties relevant to information b) the relevant requirements of these interested parties;
in
c) which of these requirements will be addressed through the information security
management system.
NOTE The requirements of interested parties may include legal and regulatory NOTE The requirements of interested parties can include legal and regulatory
requirements and contractual obligations.
ra requirements and contractual obligations.
4.3 Determining the scope of the information security management 4.3 Determining the scope of the information security management system
The organization shall determine the boundaries and applicability of the information The organization shall determine the boundaries and applicability of the information
security management system to establish its scope. security management system to establish its scope.
rt
When determining this scope, the organization shall consider: When determining this scope, the organization shall consider:
a) the external and internal issues referred to in 4.1; a) the external and internal issues referred to in 4.1;
c) interfaces and dependencies between activities performed by the organization, and c) interfaces and dependencies between activities performed by the organization, and
those that are performed by other organizations. those that are performed by other organizations.
The scope shall be available as documented information. The scope shall be available as documented information.
The organization shall establish, implement, maintain and continually improve an The organization shall establish, implement, maintain and continually improve an
y
information security management system, in accordance with the requirements of this information security management system, including the processes needed and their
International Standard. interactions, in accordance with the requirements of this document.
5 Leadership 5 Leadership
l
on
5.1 Leadership and commitment 5.1 Leadership and commitment
Top management shall demonstrate leadership and commitment with respect to the Top management shall demonstrate leadership and commitment with respect to the
information security management system by: information security management system by:
a) ensuring the information security policy and the information security objectives are a) ensuring the information security policy and the information security objectives are
established and are compatible with the strategic direction of the organization; established and are compatible with the strategic direction of the organization;
b) ensuring the integration of the information security management system b) ensuring the integration of the information security management system
requirements into the organization’s processes; requirements into the organization’s processes;
g
c) ensuring that the resources needed for the information security management system c) ensuring that the resources needed for the information security management
are available; system are available;
in
d) communicating the importance of effective information security management and of d) communicating the importance of effective information security management and of
conforming to the information security management system requirements; conforming to the information security management system requirements;
e) ensuring that the information security management system achieves its intended e) ensuring that the information security management system achieves its intended
outcome(s); outcome(s);
in
f) directing and supporting persons to contribute to the effectiveness of the information f) directing and supporting persons to contribute to the effectiveness of the
security management system; information security management system;
Top management shall establish an information security policy that: Top management shall establish an information security policy that:
a) is appropriate to the purpose of the organization; a) is appropriate to the purpose of the organization;
Fo
b) includes information security objectives (see 6.2) or provides the framework for b) includes information security objectives (see 6.2) or provides the framework for
setting information security objectives; setting information security objectives;
y
d) includes a commitment to continual improvement of the information security d) includes a commitment to continual improvement of the information security
management system. management system.
The information security policy shall: The information security policy shall:
l
e) be available as documented information; e) be available as documented information;
on
f) be communicated within the organization; and f) be communicated within the organization;
5.3 Organizational roles, responsibilities and authorities 5.3 Organizational roles, responsibilities and authorities
Top management shall ensure that the responsibilities and authorities for roles relevant Top management shall ensure that the responsibilities and authorities for roles relevant
to information security are assigned and communicated. to information security are assigned and communicated within the organization.
g
Top management shall assign the responsibility and authority for: Top management shall assign the responsibility and authority for:
in
a) ensuring that the information security management system conforms to the a) ensuring that the information security management system conforms to the
requirements of this International Standard; and requirements of this document;
b) reporting on the performance of the information security management system to top b) reporting on the performance of the information security management system to
management. top management.
in
NOTE Top management may also assign responsibilities and authorities for reporting NOTE Top management can also assign responsibilities and authorities for reporting
performance of the information security management system within the organization. performance of the information security management system within the organization.
6 Planning 6 Planning
ra
6.1 Actions to address risks and opportunities 6.1 Actions to address risks and opportunities
When planning for the information security management system, the organization shall When planning for the information security management system, the organization shall
consider the issues referred to in 4.1 and the requirements referred to in 4.2 and consider the issues referred to in 4.1 and the requirements referred to in 4.2 and
rt
determine the risks and opportunities that need to be addressed to: determine the risks and opportunities that need to be addressed to:
a) ensure the information security management system can achieve its intended a) ensure the information security management system can achieve its intended
outcome(s); outcome(s);
y
d) actions to address these risks and opportunities; and d) actions to address these risks and opportunities; and
e) how to e) how to
l
on
1) integrate and implement the actions into its information security management 1) integrate and implement the actions into its information security management
system processes; and system processes; and
2) evaluate the effectiveness of these actions. 2) evaluate the effectiveness of these actions.
6.1.2 Information security risk assessment 6.1.2 Information security risk assessment
The organization shall define and apply an information security risk assessment process The organization shall define and apply an information security risk assessment process
that: that:
g
a) establishes and maintains information security risk criteria that include: a) establishes and maintains information security risk criteria that include:
1) the risk acceptance criteria; and 1) the risk acceptance criteria; and
in
2) criteria for performing information security risk assessments; 2) criteria for performing information security risk assessments;
b) ensures that repeated information security risk assessments produce consistent, b) ensures that repeated information security risk assessments produce consistent,
valid and comparable results; valid and comparable results;
in
c) identifies the information security risks: c) identifies the information security risks:
1) apply the information security risk assessment process to identify risks associated 1) apply the information security risk assessment process to identify risks associated
with the loss of confidentiality, integrity and availability for information within the scope with the loss of confidentiality, integrity and availability for information within the scope
of the information security management system; and of the information security management system; and
ra
2) identify the risk owners; 2) identify the risk owners;
d) analyses the information security risks: d) analyses the information security risks:
1) assess the potential consequences that would result if the risks identified in 6.1.2 c) 1) assess the potential consequences that would result if the risks identified in 6.1.2 c)
rt
1) were to materialize; 1) were to materialize;
2) assess the realistic likelihood of the occurrence of the risks identified in 6.1.2 c) 1); 2) assess the realistic likelihood of the occurrence of the risks identified in 6.1.2 c) 1);
and and
e) evaluates the information security risks: e) evaluates the information security risks:
1) compare the results of risk analysis with the risk criteria established in 6.1.2 a); and 1) compare the results of risk analysis with the risk criteria established in 6.1.2 a); and
The organization shall retain documented information about the information security The organization shall retain documented information about the information security
y
risk assessment process. risk assessment process.
6.1.3 Information security risk treatment 6.1.3 Information security risk treatment
l
The organization shall define and apply an information security risk treatment process The organization shall define and apply an information security risk treatment process
on
to: to:
a) select appropriate information security risk treatment options, taking account of the a) select appropriate information security risk treatment options, taking account of the
risk assessment results; risk assessment results;
b) determine all controls that are necessary to implement the information security risk b) determine all controls that are necessary to implement the information security risk
treatment option(s) chosen; treatment option(s) chosen;
NOTE 1 Organizations can design controls as required, or identify them from any
NOTE Organizations can design controls as required, or identify them from any source.
source.
g
c) compare the controls determined in 6.1.3 b) above with those in Annex A and verify c) compare the controls determined in 6.1.3 b) above with those in Annex A and verify
that no necessary controls have been omitted; that no necessary controls have been omitted;
in
NOTE 1 Annex A contains a comprehensive list of control objectives and controls. Users NOTE 2 Annex A contains a list of possible information security controls. Users of this
of this International Standard are directed to Annex A to ensure that no necessary document are directed to Annex A to ensure that no necessary information security
controls are overlooked. controls are overlooked.
NOTE 2 Control objectives are implicitly included in the controls chosen. The control
in
NOTE 3 The information security controls listed in Annex A are not exhaustive and
objectives and controls listed in Annex A are not exhaustive and additional control
additional information security controls can be included if needed.
objectives and controls may be needed.
d) produce a Statement of Applicability that contains: d) produce a Statement of Applicability that contains:
ra
— the necessary controls (see 6.1.3 b) and c)); — the necessary controls (see 6.1.3 b) and c));
— whether the necessary controls are implemented or not; and — whether the necessary controls are implemented or not; and
rt
— the justification for excluding any of the Annex A controls. — the justification for excluding any of the Annex A controls.
e) formulate an information security risk treatment plan; and e) formulate an information security risk treatment plan; and
f) obtain risk owners’ approval of the information security risk treatment plan and f) obtain risk owners’ approval of the information security risk treatment plan and
Fo
acceptance of the residual information security risks. acceptance of the residual information security risks.
The organization shall retain documented information about the information security The organization shall retain documented information about the information security
risk treatment process. risk treatment process.
y
6.2 Information security objectives and planning to achieve them 6.2 Information security objectives and planning to achieve them
The organization shall establish information security objectives at relevant functions and The organization shall establish information security objectives at relevant functions and
l
levels. levels.
on
The information security objectives shall: The information security objectives shall:
a) be consistent with the information security policy; a) be consistent with the information security policy;
c) take into account applicable information security requirements, and results from risk c) take into account applicable information security requirements, and results from risk
assessment and risk treatment; assessment and risk treatment;
g
d) be monitored;
in
e) be updated as appropriate. f) be updated as appropriate;
in
The organization shall retain documented information on the information security The organization shall retain documented information on the information security
objectives. objectives.
When planning how to achieve its information security objectives, the organization shall When planning how to achieve its information security objectives, the organization shall
determine: determine:
ra
f) what will be done; h) what will be done;
j) how the results will be evaluated. l) how the results will be evaluated.
When the organization determines the need for changes to the information security
management system, the changes shall be carried out in a planned manner.
y
The organization shall determine and provide the resources needed for the The organization shall determine and provide the resources needed for the
establishment, implementation, maintenance and continual improvement of the establishment, implementation, maintenance and continual improvement of the
information security management system. information security management system.
l
7.2 Competence 7.2 Competence
on
The organization shall: The organization shall:
a) determine the necessary competence of person(s) doing work under its control that a) determine the necessary competence of person(s) doing work under its control that
affects its information security performance; affects its information security performance;
b) ensure that these persons are competent on the basis of appropriate education, b) ensure that these persons are competent on the basis of appropriate education,
training, or experience; training, or experience;
g
c) where applicable, take actions to acquire the necessary competence, and evaluate c) where applicable, take actions to acquire the necessary competence, and evaluate
the effectiveness of the actions taken; and the effectiveness of the actions taken; and
d) retain appropriate documented information as evidence of competence. d) retain appropriate documented information as evidence of competence.
in
NOTE Applicable actions may include, for example: the provision of training to, the NOTE Applicable actions can include, for example: the provision of training to, the
mentoring of, or the re-assignment of current employees; or the hiring or contracting of mentoring of, or the re-assignment of current employees; or the hiring or contracting of
competent persons. competent persons.
in
7.3 Awareness 7.3 Awareness
Persons doing work under the organization’s control shall be aware of: Persons doing work under the organization’s control shall be aware of:
c) the implications of not conforming with the information security management system c) the implications of not conforming with the information security management system
rt
requirements. requirements.
The organization shall determine the need for internal and external communications The organization shall determine the need for internal and external communications
relevant to the information security management system including: relevant to the information security management system including:
Fo
y
e) the processes by which communication shall be effected.
l
7.5 Documented information 7.5 Documented information
on
7.5.1 General 7.5.1 General
The organization’s information security management system shall include: The organization’s information security management system shall include:
a) documented information required by this International Standard; and a) documented information required by this document; and
b) documented information determined by the organization as being necessary for the b) documented information determined by the organization as being necessary for the
effectiveness of the information security management system. effectiveness of the information security management system.
g
NOTE The extent of documented information for an information security management NOTE The extent of documented information for an information security management
system can differ from one organization to another due to: system can differ from one organization to another due to:
in
1) the size of organization and its type of activities, processes, products and services; 1) the size of organization and its type of activities, processes, products and services;
2) the complexity of processes and their interactions; and 2) the complexity of processes and their interactions; and
in
7.5.2 Creating and updating 7.5.2 Creating and updating
When creating and updating documented information the organization shall ensure When creating and updating documented information the organization shall ensure
appropriate:
ra appropriate:
a) identification and description (e.g. a title, date, author, or reference number); a) identification and description (e.g. a title, date, author, or reference number);
b) format (e.g. language, software version, graphics) and media (e.g. paper, b) format (e.g. language, software version, graphics) and media (e.g. paper,
electronic); and electronic); and
rt
c) review and approval for suitability and adequacy. c) review and approval for suitability and adequacy.
Documented information required by the information security management system and Documented information required by the information security management system and
Fo
by this International Standard shall be controlled to ensure: by this document shall be controlled to ensure:
a) it is available and suitable for use, where and when it is needed; and a) it is available and suitable for use, where and when it is needed; and
y
For the control of documented information, the organization shall address the following For the control of documented information, the organization shall address the following
activities, as applicable: activities, as applicable:
c) distribution, access, retrieval and use; c) distribution, access, retrieval and use;
l
on
d) storage and preservation, including the preservation of legibility; d) storage and preservation, including the preservation of legibility;
e) control of changes (e.g. version control); and e) control of changes (e.g. version control); and
Documented information of external origin, determined by the organization to be Documented information of external origin, determined by the organization to be
necessary for the planning and operation of the information security management necessary for the planning and operation of the information security management
system, shall be identified as appropriate, and controlled. system, shall be identified as appropriate, and controlled.
g
NOTE Access implies a decision regarding the permission to view the documented NOTE Access can imply a decision regarding the permission to view the documented
information only, or the permission and authority to view and change the documented information only, or the permission and authority to view and change the documented
in
information, etc. information, etc.
8 Operation 8 Operation
8.1 Operational planning and control 8.1 Operational planning and control
in
The organization shall plan, implement and control the processes needed to meet
information security requirements, and to implement the actions determined in 6.1. The The organization shall plan, implement and control the processes needed to meet
organization shall also implement plans to achieve information security objectives requirements, and to implement the actions determined in Clause 6, by:
determined in 6.2.
ra
— establishing criteria for the processes;
The organization shall control planned changes and review the consequences of The organization shall control planned changes and review the consequences of
unintended changes, taking action to mitigate any adverse effects, as necessary. unintended changes, taking action to mitigate any adverse effects, as necessary.
Fo
The organization shall ensure that externally provided processes, products or services
The organization shall ensure that outsourced processes are determined and controlled.
that are relevant to the information security management system are controlled.
The organization shall perform information security risk assessments at planned The organization shall perform information security risk assessments at planned
y
intervals or when significant changes are proposed or occur, taking account of the intervals or when significant changes are proposed or occur, taking account of the
criteria established in 6.1.2 a). criteria established in 6.1.2 a).
l
The organization shall retain documented information of the results of the information The organization shall retain documented information of the results of the information
security risk assessments. security risk assessments.
on
8.3 Information security risk treatment 8.3 Information security risk treatment
The organization shall implement the information security risk treatment plan. The organization shall implement the information security risk treatment plan.
The organization shall retain documented information of the results of the information The organization shall retain documented information of the results of the information
security risk treatment. security risk treatment.
g
9.1 Monitoring, measurement, analysis and evaluation 9.1 Monitoring, measurement, analysis and evaluation
The organization shall evaluate the information security performance and the
in
effectiveness of the information security management system.
a) what needs to be monitored and measured, including information security processes a) what needs to be monitored and measured, including information security processes
in
and controls; and controls;
c) when the monitoring and measuring shall be performed; c) when the monitoring and measuring shall be performed;
d) who shall monitor and measure; d) who shall monitor and measure;
rt
e) when the results from monitoring and measurement shall be analysed and evaluated; e) when the results from monitoring and measurement shall be analysed and
and evaluated;
f) who shall analyse and evaluate these results. f) who shall analyse and evaluate these results.
Fo
The organization shall evaluate the information security performance and the The organization shall evaluate the information security performance and the
effectiveness of the information security management system. effectiveness of the information security management system.
9.2.1 General
y
The organization shall conduct internal audits at planned intervals to provide The organization shall conduct internal audits at planned intervals to provide
information on whether the information security management system: information on whether the information security management system:
l
a) conforms to a) conforms to
on
1) the organization’s own requirements for its information security management 1) the organization’s own requirements for its information security management
system; and system;
g
c) plan, establish, implement and maintain an audit programme(s), including the
frequency, methods, responsibilities, planning requirements and reporting. The audit The organization shall plan, establish, implement and maintain an audit programme(s),
programme(s) shall take into consideration the importance of the processes concerned including the frequency, methods, responsibilities, planning requirements and reporting.
in
and the results of previous audits;
When establishing the internal audit programme(s), the organization shall consider the
importance of the processes concerned and the results of previous audits.
in
The organization shall: The organization shall:
d) define the audit criteria and scope for each audit; a) define the audit criteria and scope for each audit;
e) select auditors and conduct audits that ensure objectivity and the impartiality of the b) select auditors and conduct audits that ensure objectivity and the impartiality of the
audit process;
ra audit process;
f) ensure that the results of the audits are reported to relevant management; c) ensure that the results of the audits are reported to relevant management;
g) retain documented information as evidence of the audit programme(s) and the audit Documented information shall be available as evidence of the implementation of the
results. audit programme(s) and the audit results.
rt
9.3 Management review 9.3 Management review
9.3.1 General
Fo
Top management shall review the organization's information security management Top management shall review the organization's information security management
system at planned intervals to ensure its continuing suitability, adequacy and system at planned intervals to ensure its continuing suitability, adequacy and
effectiveness. effectiveness.
The management review shall include consideration of: The management review shall include consideration of:
y
a) the status of actions from previous management reviews; a) the status of actions from previous management reviews;
l
b) changes in external and internal issues that are relevant to the information security b) changes in external and internal issues that are relevant to the information security
management system; management system;
on
c) changes in needs and expectations of interested parties that are relevant to the
information security management system;
c) feedback on the information security performance, including trends in: d) feedback on the information security performance, including trends in:
g
3) audit results; and 3) audit results;
in
d) feedback from interested parties; e) feedback from interested parties;
e) results of risk assessment and status of risk treatment plan; and f) results of risk assessment and status of risk treatment plan;
in
f) opportunities for continual improvement. g) opportunities for continual improvement.
The outputs of the management review shall include decisions related to continual The results of the management review shall include decisions related to continual
ra
improvement opportunities and any needs for changes to the information security improvement opportunities and any needs for changes to the information security
management system. management system.
The organization shall retain documented information as evidence of the results of Documented information shall be available as evidence of the results of management
management reviews. reviews.
rt
The following Clause has been changed as follows: The numbering remains the same, however: They have changed so that 10.1 has text that was in 10.2 previously 10.2 has a
minimal change in the text.
10 Improvement 10 Improvement
The organization shall continually improve the suitability, adequacy and effectiveness of
When a nonconformity occurs, the organization shall:
the information security management system
1) take action to control and correct it; When a nonconformity occurs, the organization shall:
y
2) deal with the consequences; a) react to the nonconformity, and as applicable:
l
b) evaluate the need for action to eliminate the causes of nonconformity, in order that
1) take action to control and correct it;
it does not recur or occur elsewhere, by:
on
1) reviewing the nonconformity; 2) deal with the consequences;
b) evaluate the need for action to eliminate the causes of nonconformity, in order that
2) determining the causes of the nonconformity; and
it does not recur or occur elsewhere, by:
3) determining if similar nonconformities exist, or could potentially occur; 1) reviewing the nonconformity;
c) implement any action needed; 2) determining the causes of the nonconformity; and
g
d) review the effectiveness of any corrective action taken; and 3) determining if similar nonconformities exist, or could potentially occur;
e) make changes to the information security management system, if necessary. c) implement any action needed;
in
Corrective actions shall be appropriate to the effects of the nonconformities
d) review the effectiveness of any corrective action taken; and
encountered.
The organization shall retain documented information as evidence of: e) make changes to the information security management system, if necessary.
in
Corrective actions shall be appropriate to the effects of the nonconformities
f) the nature of the nonconformities and any subsequent actions taken,
encountered.
g) the results of any corrective action. Documented information shall be available as evidence of:
ra
10.2 Continual improvement f) the nature of the nonconformities and any subsequent actions taken,
The organization shall continually improve the suitability, adequacy and effectiveness of
g) the results of any corrective action.
the information security management system
rt
Clauses 10.1 and 10.2 have been swapped around, but requirements remain the same
except for the highlighted change regarding documented information.
Fo
y
Correspondence between controls in ISO/IEC 27001:2022 (Annex A) and controls in ISO/IEC 27001:2013 (Annex A)
ISO/IEC 27001:2022 (Annex A) ISO/IEC 27001:2013 (Annex A) Control name according to ISO/IEC 27001:2022 (Annex A)
l
on
5.1 A.5.1.1, A.5.1.2 Policies for information security
g
5.6 A.6.1.4 Contact with special interest groups
in
5.7 New Threat intelligence
in
5.10 A.8.1.3, A.8.2.3 Acceptable use of information and other associated assets
5.12
ra
A.8.2.1 Classification of information
y
5.21 A.15.1.3 Managing information security in the ICT supply chain
l
5.22 A.15.2.1, A.15.2.2 Monitoring, review and change management of supplier services
on
5.23 New Information security for use of cloud services
g
5.28 A.16.1.7 Collection of evidence
in
5.29 A.17.1.1, A.17.1.2, A.17.1.3 Information security during disruption
in
5.32 A.18.1.2 Intellectual property rights
5.34
ra
A.18.1.4 Privacy and protection of PII
5.36 A.18.2.2, A.18.2.3 Compliance with policies, rules and standards for information security
rt
5.37 A.12.1.1 Documented operating procedures
y
6.6 A.13.2.4 Confidentiality or non-disclosure agreements
l
6.7 A.6.2.2 Remote working
on
6.8 A.16.1.2, A.16.1.3 Information security event reporting
g
7.5 A.11.1.4 Protecting against physical and environmental threats
in
7.6 A.11.1.5 Working in secure areas
in
7.9 A.11.2.6 Security of assets off-premises
7.11
ra
A.11.2.2 Supporting utilities
y
8.6 A.12.1.3 Capacity management
l
8.7 A.12.2.1 Protection against malware
on
8.8 A.12.6.1, A.18.2.3 Management of technical vulnerabilities
g
8.13 A.12.3.1 Information backup
in
8.14 A.17.2.1 Redundancy of information processing facilities
in
8.17 A.12.4.4 Clock synchronization
8.19
ra
A.12.5.1, A.12.6.2 Installation of software on operational systems
y
8.28 New Secure coding
l
8.29 A.14.2.8, A.14.2.9 Security testing in development and acceptance
on
8.30 A.14.2.7 Outsourced development
g
in
in
ra
rt
Fo