Changes to ISO 27001


Certification bodies are going to start auditing against this new revision in March/April 2023, but companies can start their transition journey straight away.

The structure of ISO 27001 Annex A has undergone a complete overhaul.

The updated version of ISO 27001 has been restructured and revised. First, the revised standard no longer uses the commonly used phrase ‘code of practice’; this better reflects its purpose as a reference set of information security controls.

Secondly, the number of controls has decreased from 114 to 93 in the new version of ISO 27001. These security controls are now divided into four chapters instead of the previous 14. The new domains of ISO 27002:2022 are:

  • Clause 5: Organizational (37 controls)
  • Clause 6: People (8 controls)
  • Clause 7: Physical (14 controls)
  • Clause 8: Technology (34 controls)
In the newly revised ISO 27001, 35 controls remained unchanged, 23 controls have been renamed, and 57 controls have been merged to form 24 controls. Only one control was divided into two: Control 18.2.3 – Technical Compliance Review has been split into 8.8 – Management of technical vulnerabilities and 5.3.6 – Conformity with policies and standards of information security.

Eleven new controls have been added to the latest version:

  • Threat Intelligence
  • Physical security monitoring
  • Data masking
  • Information security for cloud services
  • Monitoring activities
  • ICT readiness for business continuity
  • Data leakage prevention
  • Configuration management
  • Web filtering
  • Information deletion
  • Secure coding

Further information:
https://knowledge.bsigroup.com/products/information-security-cybersecurity-and-privacy-protection-information-security-management-system-requirements/standard

Contact Brook if you need help with the ISO 27001 transition or any of our other services.
