On 25 October 2022, the updated ISO 27001 standard was introduced in the Netherlands. The ISO 27001:2022 replaces the old ISO 27001:2013 standard. In this article, we explain what has changed from the old 2013 standard.
In brief:
- The name of the standard has been changed
- The number of chapters has been shortened
- The number of management measures has been reduced (much has been merged)
- 11 new management measures have been added
- Changes have also been made in the management system.
ISO 27001:2023
Note: ISO 27001:2023 has recently been published. This is the European version of ISO 27001. This version is completely identical to the global version; only a European preface has been added.
Key insight: this does not affect your existing certifications achieved according to ISO 27001:2022.
Why has ISO 27001 been changed?
Standards are revised periodically to ensure they remain in line with practice. This prevents the standard from being overtaken by technological developments and new insights. Thanks to this revision from ISO 27001:2013 to ISO 27001:2022, the standard keeps pace with current threats and technology in the context of information security, cybersecurity and privacy.
The ISO 27001:2022 standard is leading
ISO introduced the standard in the Netherlands at the end of 2022. ISO 27001:2022 is therefore leading, which means that ISO 27001:2013, ISO 27001:2013/Cor 1:2014, ISO 27001:2013/Cor 2:2015 and NEN-EN-ISO/IEC 27002:2017 are withdrawn. Naturally, there is a transition period during which both the old and the new standard are valid. This gives organisations room to incorporate the new requirements into their information security management systems (ISMS).
This transition period covers 3 years, meaning that all existing certificates must be switched to the new version by 1 November 2025.
A new name for the standard: ISO 27001:2022 / ISO 27001:2023
There have been considerable developments in cybersecurity and privacy protection in recent years. These are important pillars that fall under information security. Hence, these terms are included in the description of the ISO 27001 standard. This ensures that the descriptive name of this ISO standard is all-encompassing when it comes to information security.
- Old name: Information technology - Security techniques - Information security management systems - Requirements
- New name: Information security, cybersecurity and privacy protection - Information security management system - Requirements
Besides a new name, some changes have also been made to the HLS (High Level Structure). The HLS is the uniform structure established for building management system standards. ISO 27001:2022 has been adapted to the new HS (Harmonised Structure), which is the new basic structure of ISO management system standards. These changes provide better alignment with Annex SL. Several points in chapters 4 to 10 have been tightened up, added, rewritten or split. These are the changes:
- 4.1 Context tightened up
- 4.2 Stakeholders tightened up
- 4.4 ISMS tightened up
- 6.1.3 Risk treatment tightened up
- 6.2 Objectives tightened up
- 6.3 Change management added
- 8.1 Operational planning rewritten
- 9.1 Monitoring tightened up
- 9.2 split into General and Internal audit programme
- 9.3 split into General, Input and Output
- 10.1 Improvement and Deviations & Corrective Measures updated
ISO 27001: from 14 to 4 chapters
Annex A of the ISO 27001 standard has been changed. Basically, the various chapters and control measures have been rearranged and merged. This provides a better overview, as the chapters have been merged and reduced from 14 to 4.
- A5 - Organisational control measures: This section collects all control measures that do not fall under the people, physical or technological categories. It includes 37 measures.
- A6 - People-oriented management measures: This section includes all management measures that deal with people. Think of: awareness and working conditions. It includes 8 measures.
- A7 - Physical management measures: This section focuses on all measures that deal with the physical security of sites and, for example, equipment maintenance. In it, you will find 14 measures.
- A8 - Technological management measures: This section focuses on all technological measures. Think of the security of your network and information processing systems, or how your technical staff work securely. Here you will find 34 measures.
Management measures of ISO 27001
The old standard ISO 27001:2013 included 114 control measures. A hefty list, which has been shortened in ISO 27001:2022: there are now 93 control measures. ISO decided to merge many measures, making the standard fit for the times. However, ISO did add 11 new control measures:
- 5.7 - Threat intelligence: Information related to information security threats should be collected and analysed to produce threat intelligence.
- 5.23 - Information security for the use of cloud services: Processes for acquiring, using, managing and terminating cloud services should be established in accordance with the organisation's information security requirements.
- 5.30 - ICT readiness for business continuity: ICT readiness should be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements.
- 7.4 - Physical security monitoring: The building and grounds should be continuously monitored for unauthorised physical access.
- 8.9 - Configuration management: Configurations, including security configurations, of hardware, software, services and networks should be identified, documented, implemented, monitored and reviewed.
- 8.10 - Information deletion: Information stored in information systems, devices or other storage media should be deleted when no longer required.
- 8.11 - Data masking: Data should be masked in accordance with the organisation's topic-specific policy on access control and other related topic-specific policies, and business requirements, taking applicable legislation into account.
- 8.12 - Data leakage prevention: Measures to prevent data leaks should be applied to systems, networks and other devices on or through which sensitive information is processed, stored or transported.
- 8.16 - Monitoring activities: Networks, systems and applications should be monitored for anomalous behaviour, and appropriate measures should be taken to evaluate potential information security incidents.
- 8.23 - Web filtering: Access to external websites should be managed to limit exposure to malicious content.
- 8.28 - Secure coding: Secure coding principles should be applied to software development.
What does this mean for NEN 7510 or BIO?
To what extent do these ISO 27001 changes affect NEN 7510 or BIO? If the underlying control measures change, NEN 7510 and BIO will also have to be adapted, because NEN 7510 and BIO consist of additional control measures layered on top of ISO 27001 Annex A. NEN 7510 is expected to be updated in 2024 based on the 2023 version. Our advice? Wait to transition until these standards have been updated.
View the ISO 27001:2022 transition deadlines
A transition period applies, meaning that your ISMS may be assessed against the old version of the standard for a certain period of time. The table below shows from when you will be assessed against the new ISO 27001:2022 standard and until when you may still be assessed against the old version of the standard.
Until 31 October 2023, companies can still get certified for ISO 27001:2013. However, they have until 31 October 2025 to switch to ISO 27001:2022.
Legend of the table: Blue = DigiTrust can and may still assess your ISMS against the old version of the standard. Green = DigiTrust must assess your ISMS against the new ISO 27001:2022 standard.
Schedule your transition audit for ISO 27001:2022 in good time
As an organisation, you need to make the transition from ISO 27001:2013 to ISO 27001:2022. The updated rules can be found in IAF MD26:2022. This document lists all the mandatory changes that need to be implemented to comply with the new standard. Once your organisation complies with the new requirements, we recommend scheduling a transition audit. This often takes place 2 weeks before the regular audit. The transition audit covers the following points:
- GAP Analysis
- Action plan
- Adjusting the risk analysis and risk treatment plan
- Adapting the Annex A control measures
- Adjusting the Statement of Applicability (VVT)
- Internal audit
- Management review
It is important that you have prepared these topics and can provide evidence. In the case of recertification, the DigiTrust auditor will conduct a 4-hour remote audit with you and your CISO advisor. If your organisation meets the standard, DigiTrust will prepare your new ISO 27001:2022 certificate.
Tip: plan your transition audit in good time with our back office. Your auditor's agenda is already very full in 2024. Avoid waiting too long and make sure everything can take place within the desired timing.