ISO 27001

In today's landscape of growing threats from cyberattacks, data breaches, and increasingly stringent regulations, information security should be a top priority for every business.

The ISO 27001 standard provides measures to keep information assets secure. In this guide, you'll find everything you need to know, from getting started with essential security measures like an ISMS, to how to transition from old versions of the standard.


Information security essentials at a glance

  • ISO 27001 is an international standard for information security.
  • It shares best practices and proven strategies on how organizations can maintain high levels of data protection.
  • At its core, ISO 27001 provides a framework for building, implementing, and maintaining an Information Security Management System (ISMS).
  • An ISMS is a framework of policies and procedures that minimize operational risks.

 

What is ISO 27001?

ISO 27001 is the internationally recognized standard for regulating information security in businesses. It offers guidance for building, implementing, maintaining, and continuously improving an Information Security Management System (ISMS), which supports organizations in protecting their information assets.

ISO 27001 has been around for a while. In 2022, the standard underwent its third major revision, resulting in the current version, ISO 27001:2022.


 

Why ISO 27001? The purpose of certification

ISO 27001 serves as the standard for information security and is recognized internationally. It provides organizations, regardless of size or industry, with recognized guidelines, procedures, and controls to mitigate the risk of information security breaches.

Risks can span several categories, such as:

  • Physical hazards (fire and resulting data loss)
  • Risks from employees (insufficient training, negligent handling of data, or intentional theft)
  • System and process risks from outdated software
  • Danger of cyberattacks or ransomware

ISO 27001:2022 specifies measures for all organizational, personal, physical, and technological risks, allowing organizations to implement targeted and structured data and information protection.

As challenges in information security increase in 2023—with hackers developing new methods, rising attack numbers, and a shortage of skilled professionals—we've pulled this resource together to help you best prepare.

What is the difference between ISO 27001:2013 and ISO 27001:2022?

In August 2022, the International Accreditation Forum (IAF) published ISO/IEC 27001:2022, replacing the previous version (ISO 27001:2013).

This revision included significant and long-overdue changes. It revised, supplemented, and reorganized 114 security controls from 14 categories into 93 controls, split into 4 categories. For a more detailed picture, learn more from our resource on ISO 27001 Annex A.

The changes in the new standard are noticeable, but there's no need to worry. If you were familiar with the 2013 version, you don't need to completely change your approach to information security.

However, it's important to note that there is a 36-month transition period, during which certified companies must adapt their security programs to the new version if they want to be ready for recertification.

The ISO 27001:2022 standard was published on October 25, 2022. The transition period has been set at three years (36 months). As a result, end-users have the following timeframes and deadlines for the transition:

  • Last date for initial and recertification audits under the previous ISO 27001:2013: Until April 30, 2024.
  • Transition of all existing certificates to the new ISO/IEC 27001:2022: Three years, based on the last day of the issuance month of ISO/IEC 27001:2022 (October 2025).

If you were previously certified, this means you must adapt and update all documentation to the new controls. Once you've made the proper adjustments, you can easily use your next audit to transition to certification under ISO 27001:2022.

 

ISO 27001: Who is the standard important for?

Information security is relevant in almost every company, making ISO 27001 crucial for nearly every organization that handles data. But what exactly is the ISO 27001 certification, and who does it concern?

 

ISO 27001 certification: What is it?

An ISO 27001 certification is confirmation from a third party that you meet the requirements of the ISO 27001 standard. Suppose you have built your Information Security Management System (ISMS) according to the ISO 27001 guidelines. In that case, an independent accredited certification body can conduct an audit and confirm your commitment to security with an official certificate.

 

Who needs an ISO 27001 certification?

While an ISO 27001 certification is not mandatory, it is common practice and, above all, a requirement for many important business relationships. Why do business partners expect this? Without transparent guidelines and measures for risk management, the information you handle on their behalf is at risk. Certain industries, particularly those frequently threatened by cyberattacks and ransomware, consider the ISO 27001 standard the norm. Based on revenue losses to cyberattacks, the most affected industries include:

  • Tech
  • Biotechnology
  • Automotive industry
  • Consumer goods and services
  • Banking
  • Healthcare
  • Retail
  • Insurance
  • Mechanical engineering
  • Communication and media

However, cybercrime is becoming more widespread, affecting nearly all companies—from SMEs to large corporations. The ISO 27001 controls provide a clear roadmap on how to minimize your chances of a damaging cyberattack.

Benefits of ISO 27001

Identifying and addressing security risks is beneficial for any business. The ISO 27001 controls play an essential role in clearly categorizing potential risks. But what are the specific benefits of mitigating risks?

 

Build trust with all stakeholders

ISO 27001 offers guidance on how to protect valuable data by applying good information security practices. ISO 27001 compliance assures customers, partners, and key stakeholders that your organization has taken the necessary security measures to treat valuable information and sensitive data appropriately.

 

Defend against and mitigate data breaches

The ISO 27001 standard defines policies and procedures for security measures that, when implemented, defend against unauthorized access to data and complete data loss.

By implementing the proposed measures, you not only reduce the risk of data breaches, but also the subsequent fines. The guidelines cover information security across all areas.

However, it is important to note that ISO 27001 does not offer an absolute guarantee against security incidents or data breaches. Instead, it creates a framework to reduce the likelihood of such incidents and strengthen your organization's ability to respond appropriately. The precise implementation and effectiveness of the measures depend on your team and environment.

If your data does become compromised in any way, the ISO 27001 standard sets out procedures for responsible and effective incident management.

 

Protect employees' personal data

Under ISO 27001, not only sensitive data from third parties but also employees' personal data is protected.

To be compliant with the standard, you need to disclose to all affected parties what security measures you have taken. This is not just so that everyone is informed, but so that employees can agree and consent.

 

Risks are avoided—and business can grow

In general, certified companies are more convincing to business partners than non-certified competitors and close new business contracts more efficiently. Of the many other advantages, these are just a few:

  • Improved competitiveness
  • Significantly reduced risk of fines and financial losses due to data breaches
  • Positive brand perception
  • Achieving compliance in all areas (business, legal, and economic)
  • Improved structure and focus
  • The number of required audits decreases
  • You receive an unbiased assessment of your security situation

To this end, we encourage every organization to establish an Information Security Management System (ISMS): an efficient, technology-independent, risk-based means of securing information.


What is an ISMS?

An Information Security Management System (ISMS) protects your company's data. It consists of measures that can help you:

  • Know who your stakeholders are and what expectations they have regarding the organization's information security
  • Know what risks your assets are exposed to
  • Manage risks, develop measures (security controls), and establish effective strategies for damage control
  • Define clear goals, and decide on which security measures apply to your circumstances
  • Implement all necessary measures and other strategies for risk mitigation
  • Regularly check to what extent your security measures are working as planned
  • Make continuous improvements to the ISMS's overall performance

 

In general, a certified ISMS delivers the following benefits:

  • Compliance with legal requirements
  • Advantages over competitors
  • Cost reduction
  • Improved organizational structure

Having an ISO 27001-certified ISMS is essential in some industries when it comes to closing large contracts. The certification strengthens trust among business partners and contributes to the expansion of business opportunities.

This is why ISO 27001 has now become the "gold standard" for management systems for information security. Many organizations refer to it as an integral part of their IT governance, risk, and compliance management procedures.

Now that we have explored the term "ISMS," let's look at how the ISO 27001 framework is used and how the two are connected.

How does ISO 27001 work?

ISO 27001 is an approach to information security that focuses on risks and data protection. Its primary concern is to address weaknesses through different kinds of measures.

This is why the ISO 27001 standard is divided into so-called clauses and controls (measures).

 

ISO 27001 clauses: What are they?

Clauses explain the standard and provide a detailed overview of the different requirements.

 

General Clauses

Clauses 0 to 3 provide general guidance and introduce the standard and its terminology.

  • Clause 0: Introduction
  • Clause 1: Scope
  • Clause 2: Normative references
  • Clause 3: Terms and definitions

Clauses 4 to 10 describe the standard's certification requirements.

 

Clause 4: Context of the organization

This clause emphasizes the importance of considering the context in which an organization operates. Not every single control in the ISO 27001 standard will be applicable to your business. Considering details like your industry, scale, and other circumstances you operate in will help you find a more accurate scope for your ISMS.

In addition, an important point from Clause 4 is that you must establish, implement, maintain, and continually improve your Information Security Management System, including the required processes and how they interact. In other words, being ISO 27001 certified is not a "one-and-done" process.

 

Clause 5: Leadership

The most critical component for the success of an ISMS is the unreserved commitment of top management. This clause requires you to establish an information security policy in which the goals, roles, responsibilities, and authorities in the field of information security are clearly defined and aligned with the organization's strategic direction. Resources must also be available to different stakeholders, and the ISMS requirements must integrate with your organization's business processes.

Explore our comprehensive ISO 27001 Documentation Toolkit to streamline your Information Security Policy and enhance your ISMS implementation strategy.

 

Clause 6: Planning

When planning an ISMS environment, consider the following: your information security goals should be based on a risk assessment and be consistent with your general organizational goals. Likewise, all affected stakeholders should align their activities and workflows with these security goals.

 

Clause 7: Support

The support clause of ISO 27001 focuses on the people and processes that are essential to the success of an ISMS. It requires organizations to:

  • Create awareness of information security: Employees must understand the importance of information security and their role in maintaining it.
  • Provide training and education: Employees must have the skills and knowledge they need to implement and maintain the ISMS.
  • Communicate effectively: Organizations must communicate information security policies and procedures to all employees.
  • Obtain commitment: Employees must be committed to following information security policies and procedures.
  • Provide resources: Organizations must provide the resources necessary to support the ISMS, such as training, equipment, and funding.
  • Document information: Organizations must document all relevant information about the ISMS, such as policies, procedures, and records.

 

Clause 8: Operation

ISO 27001's operation clause focuses on the day-to-day activities behind the ISMS. It requires organizations to:

  • Plan and control processes
  • Conduct regular security assessments
  • Implement security controls

 

Clause 9: Evaluation

ISO 27001's evaluation clause focuses on the ongoing monitoring and improvement of an ISMS. It requires organizations to:

  • Conduct internal audits to assess the effectiveness of the ISMS
  • Review the ISMS at planned intervals to ensure that it is still meeting the organization's needs

 

Clause 10: Improvement

This clause focuses on identifying and implementing improvements to an ISMS. It requires organizations to:

  • Identify and address non-conformities that are identified during internal audits or other evaluations
  • Review the effectiveness of security controls to identify opportunities for improvement

“ISO 27001 certification and GDPR compliance are crucial to ensure our company's long-term success.”

Calin Coman-Enescu

Behaviour Lab


ISO 27001:2022 Controls: What measures are included in Annex A?

The controls outlined in ISO 27001 Annex A are the measures you can implement to significantly reduce risks. Which ones you select depends on the weaknesses you've identified through a risk assessment.

As of 2022, there are a total of 93 controls divided into 4 categories. 11 of these controls were newly added to ISO 27001 in 2022. Each category describes the focus area of the controls' application.

 

ISO 27001:2022: Eleven new controls

Since 2022, ISO 27001 has incorporated eleven new controls, each assigned to distinct categories:

A.5.7 Threat intelligence

The "Threat intelligence" measure relates to collecting data on potential threats to information security and analyzing them in depth.

A.5.23 Information security for the use of cloud services

To implement the "Information security for the use of cloud services" measure, you need to establish and manage information security for the utilization of cloud services.

A.5.30 ICT readiness for business continuity

With this measure, companies create an ICT continuity plan to maintain operational resilience.

A.7.4 Physical security monitoring

Companies need to employ suitable monitoring tools for the "Physical security monitoring" measure to detect and prevent external and internal intrusions.

A.8.9 Configuration management

As part of "Configuration management," you establish guidelines for the documentation, implementation, monitoring, and review of configurations across your entire network.

A.8.10 Information deletion

The "Information deletion" control contains instructions for managing data deletion to comply with laws and regulations.

A.8.11 Data masking

"Data masking" provides techniques for masking personally identifiable information (PII) to comply with laws and regulations.

A.8.12 Data leakage prevention

To implement the "Data leakage prevention" measure, you must take steps to detect and prevent the disclosure and/or extraction of information.

A.8.16 Monitoring activities

The "Monitoring activities" measure provides guidelines to enhance network monitoring activities that detect anomalous behaviour and respond to security events and incidents.

A.8.23 Web filtering

You must enforce access controls and measures for "Web filtering" to restrict and control access to external websites.

A.8.28 Secure coding

This control mandates best practices of secure coding to prevent vulnerabilities caused by inadequate coding methods.

 

Controls according to ISO 27001: The categories

The ISO 27001:2022 standard contains 93 controls, which are assigned to 4 categories: organizational, people, physical, and technological. The grouping of controls into different areas makes it easier to decide who is responsible for implementing the measures and which measures are relevant in the first place.

 

Organizational controls (37 measures)

These controls are applicable when the risks do not fall under the topics of people, technology, or physical security. They include, for example, identity management, responsibilities, and evidence collection.

New organizational controls include:

  • 5.7: Threat intelligence
  • 5.23: Information security for the use of cloud services
  • 5.30: ICT readiness for business continuity

Threat intelligence is a significant innovation in this area. This measure goes beyond the detection of malicious domain names. Threat analysis helps organizations better understand how they can be attacked and take appropriate precautions.

 

People controls (8 measures)

Remote work is a hot topic in the people area. However, the restructuring of the working world also comes with risks. This is where the people measures of ISO 27001 come in.

The area related to personnel only includes eight controls. These focus on how employees handle sensitive information during their daily work, which includes topics such as remote work, non-disclosure agreements, and screenings. This category also covers onboarding and offboarding processes, as well as responsibilities for reporting incidents.

 

Physical controls (14 measures)

Physical controls include security monitoring, maintenance, facility security, and storage media. This category is about how you protect yourself against physical and environmental threats such as natural disasters, theft, and intentional destruction.

New physical controls include:

  • 7.4: Physical security monitoring

 

Technological controls (34 measures)

Technology must also be properly secured to protect information. Technological controls, therefore, deal with authentication, encryption, and data leakage prevention. This can be achieved through various approaches, such as access rights, network security, and data masking.

New technological controls include:

  • 8.11: Data masking
  • 8.9: Configuration management
  • 8.10: Information deletion
  • 8.12: Data leakage prevention
  • 8.16: Monitoring activities
  • 8.23: Web filtering
  • 8.28: Secure coding

One innovation in this area is particularly important: data leakage prevention. Web filtering is also helpful: this control describes how organizations should filter online traffic to prevent users from visiting potentially harmful websites.

Controls with the greatest potential for error

Information security is no longer a niche topic—it is the foundation for resilience, success, and growth for any business. Many organizations require their business partners and suppliers to be certified to an information security standard such as ISO/IEC 27001, which specifies the requirements for an information security management system (ISMS).

However, implementing ISO 27001 without a structured plan can be a major challenge. Based on our work with customers in a variety of industries, we have pulled together the four most common mistakes that happen when implementing controls according to ISO 27001, as well as tips on how you can avoid them.


How to achieve ISO 27001 compliance: Our checklist

Even if you are not pursuing formal certification, you can still follow the requirements of the ISO 27001 standard simply to strengthen your security. At minimum, you can apply the following best practices:

  • Identify the expectations of your stakeholders regarding information security
  • Define the scope of your ISMS and applicable information security measures
  • Define a clear security policy
  • Conduct a risk assessment to identify any existing and potential risks to your information security
  • Implement measures and risk management methods that set clear objectives
  • Continuously evaluate the effectiveness of your information security practices and conduct regular risk assessments

 

Checklist: ISO 27001 Compliance

Breaking down the path to ISO 27001 compliance into individual steps, the journey looks like this:

  1. Prepare thoroughly: While reading the standard, you gain valuable insights into ISO 27001 and its requirements. Additionally, you gain numerous opportunities to further educate yourself on broader security best practices. You can download a detailed implementation roadmap from us for free, discussing the standard extensively.
  2. Define your context, scope, and objectives: Establish your project and ISMS objectives, along with an available budget and a realistic timeframe. At this point, you should decide whether you have the necessary expertise and resources for implementation or if you should engage a consultant.
  3. Involve management properly and early: An organization's management framework defines all the procedures to achieve its ISO 27001 implementation goals. Think about accountability, specifying who in management is responsible for the ISMS, when all activities should happen, and how you can do regular ISMS reviews for continuous improvement.
  4. Conduct a risk assessment: While ISO 27001 requires a formal risk assessment, it does not prescribe a methodology. "Formal" implies that the risk assessment approach is planned in advance, and the associated data and results are documented.
  5. Implement risk treatment measures: Determine how to proceed with the risks you've identified. Should they be avoided, addressed, or accepted? All decisions regarding risk treatment must be documented. During an ISO 27001 registration or certification audit, an auditor will want to see this documentation. If you choose to mitigate risks, it is crucial to implement the most applicable measures from the ISO 27002 controls.
  6. Review and update the related documentation: Documentation is one of the requirements you shouldn't skip with ISO 27001. You must document all processes, rules, and procedures related to your ISMS to ensure their appropriate implementation. To pass an audit, you would have to document the following:
    • A description of the organization and its context
    • A list of affected stakeholders
    • ISMS scope
    • Communicated management commitment
    • Roles and responsibilities within the ISMS
    • Risk and opportunity management
    • Change management planning
    • Resource planning
    • Decision logs related to risk management
    • Training
    • Communication matrix
    • Documentation management planning/policy
    • Framework with information security policies and information security guidelines
    • Procedure for information security risk management
    • Statement of Applicability (SoA)
    • Information security objectives
    • Evidence of competence
    • Information necessary for the organization's ISMS effectiveness
    • Control and planning of activities
    • Evidence of monitoring and measurement results and evaluation
    • Procedure for internal audits
    • Procedure for management review
    • Evidence of the audit program and its results
    • Evidence of the results of management reviews
    • Evidence of the type of identified non-conformities and all subsequent actions
    • Evidence of the results of all corrective and improvement actions taken
  7. Evaluate yourself (measure, track, and assess): Continuous improvement is one of the cornerstones of ISO 27001. To achieve this, you must understand how effective your ISMS measures are and whether your operations comply with your policies. Ongoing monitoring reveals which processes and measures require additional attention.
  8. Conduct an internal audit: An internal auditor needs practical ISO 27001 knowledge and must know how to approach the task as a Lead Auditor, ensuring objectivity and impartiality. At this point, external ISO 27001 certification is also a viable option if your organization has already achieved full compliance. If your internal audit reveals few to no issues, this can be a strong signal that a third party can also verify that you have adhered to best practices.


How much does an ISO 27001 certification cost?

The cost of ISO 27001 certification can't be stated universally. As a rule, the more complex the requirements, the more elaborate the preparation. Costs vary based on needs and the desired level of implementation. Project duration, the use of internal resources, the scope of existing infrastructure, and the size of your company all play a part.

Factors influencing cost estimation include:

  • Organization size and complexity of information processes
  • Application areas of the ISO 27001 certificate
  • Maturity level of the existing ISMS
  • Internal resources for ISO 27001 implementation
  • Timeframe available for certification
  • External consultation
  • Costs for external audits by a certification body

For a detailed breakdown of costs, refer to our guide on the costs of ISO 27001 certification.

ISO 27001: Enhancing security with the framework

Getting ISO 27001 certified shows that your company takes security seriously and is compliant with important rules and regulations. This makes you a more trustworthy partner to businesses and customers, and it can help you attract new business. Explore our ISO 27001 checklist to understand the measures you need to implement for ISO 27001 compliance.

If you need assistance with information security or preparing for a certification audit, we can help. Call one of our experts today for personalized support.
