
UNDERSTANDING THE UPDATED ISO 27001:2022

© 2023 Tsaaro. All rights reserved.


TABLE OF CONTENTS

01 Introduction, Problem Statement and Scope

02 What is ISO 27001:2022?

03 Comparison between the 2022 and 2013 standards

04 New requirements in the 2022 standard

05 Changes to the Mandatory Clauses

06 Changes to Annex A

07 What will the ISO 27001:2022 changes mean for organisations?

08 Benefits of ISO 27001:2022

09 Measures for the organisation

10 Conclusion and Bibliography


INTRODUCTION
The global challenges of cybersecurity are growing as cybercrime becomes
more severe and sophisticated. An information security management system
(ISMS) preserves the confidentiality, integrity and availability of information by
applying a risk management process, and gives interested parties confidence
that risks are adequately managed. As vulnerabilities and threats evolve,
information security standards must be updated to keep best practice current
and to sustain digital trust. This paper focuses on the key changes in ISO
27001:2022. It also discusses what these changes mean for organizations that
already hold ISO 27001 certification or are considering obtaining it.

PROBLEM STATEMENT
ISO/IEC 27001:2022 was published in October 2022, which means that certified
organizations need to update their ISMS and revise their information security
posture. ISO 27001:2022 is the third edition of the internationally recognized
information security management standard, following the 2005 and 2013
editions, and it reflects how much the threat landscape and the technology in
use have changed since 2013. Organizations need to review their certifications
and either transition an existing ISO 27001:2013 certificate to the 2022 edition
or acquire new certification directly under ISO 27001:2022.

SCOPE
The new ISO/IEC 27001:2022, combined with ISO/IEC 27002:2022, is aligned
with current cyber security trends and technologies and with the threats and
vulnerabilities that accompany them. In addition, the new structure and
categorisation of controls, with matching attributes, enable better interoperability
and cross-referencing with other well-known standards and frameworks, such as
the NIST Cyber Security Framework. These standards and frameworks are
beneficial for an organisation's security. As ISO states, cyber security
compliance is much more than a tick-box exercise for organisations; it is a
roadmap towards excellence in information security.
OVERVIEW OF ISO 27001:2022
ISO 27001 is the internationally recognised, certifiable standard that defines
the requirements of an Information Security Management System (ISMS). An
ISMS is a set of policies, procedures, processes and systems that manage
information security risks such as cyber-attacks, hacks, data leaks or theft.

ISO/IEC 27001:2022, the newest version of ISO 27001, was published on
October 25, 2022. ISO/IEC 27001:2013 was titled ‘Information technology –
Security techniques – Information security management systems –
Requirements’. The 2022 edition is titled ‘Information security, cybersecurity
and privacy protection – Information security management systems –
Requirements’, reflecting the broader scope of the revised ISO/IEC 27002:2022
on which its Annex A is based.

EDITORIAL CHANGES
Full alignment with the ISO Harmonized Structure used by all management system standards
Rewording of some English phrasing to allow for easier translation
Minor renumbering to align with the harmonized approach
Removal of references to control objectives, as they no longer exist either
in Annex A or in ISO 27002

TRANSITION PERIOD
Organisations that are certified to ISO/IEC 27001:2013 have a three-year
transition period from publication, ending on 31 October 2025, to make the
necessary changes to their ISMS (information security management system)
and to complete a transition audit with their certification body.
COMPARISON BETWEEN THE 2022 & 2013 STANDARDS

Clause 4.1 Understanding the organization and its context
ISO/IEC 27001:2022: Note: Determining these issues refers to establishing the external and internal context of the organization considered in Clause 5.4.1 of ISO 31000:2018.
ISO/IEC 27001:2013: Note: Determining these issues refers to establishing the external and internal context of the organization considered in Clause 5.3 of ISO 31000:2009.

Clause 5.1 Leadership and commitment
ISO/IEC 27001:2022: Note: “Reference to ‘business’ in this document can be interpreted broadly to mean those activities that are core to the purposes of the organization’s existence.”
ISO/IEC 27001:2013: Nil.

Clause 5.3 Organizational roles, responsibilities and authorities
ISO/IEC 27001:2022: Top management shall ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated within the organization.
ISO/IEC 27001:2013: Top management shall ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated.

Clause 6.1.3 Information security risk treatment
ISO/IEC 27001:2022: c) Note 2: Annex A contains a list of possible information security controls.
ISO/IEC 27001:2013: c) Note 1: Annex A contains a comprehensive list of control objectives and controls.

Clause 8.1 Operational planning and control
ISO/IEC 27001:2022: The organization shall plan, implement and control the processes needed to meet requirements, and to implement the actions determined in Clause 6.
ISO/IEC 27001:2013: The organization shall plan, implement and control the processes needed to meet information security requirements, and to implement the actions determined in 6.1. The organization shall also implement plans to achieve information security objectives determined in 6.2.

ISO/IEC 27001:2022: The organization shall ensure that externally provided processes, products or services that are relevant to the information security management system are controlled.
ISO/IEC 27001:2013: The organization shall ensure that outsourced processes are determined and controlled.

Clauses 9.1 Monitoring, measurement, analysis and evaluation / 9.2.2 Internal audit programme / 9.3.3 Management review results
ISO/IEC 27001:2022: All three (sub-)clauses 9.1 / 9.2.2 / 9.3.3: Documented information shall be available as evidence of ...
ISO/IEC 27001:2013: The organization shall retain documented information as evidence of ...
NEW REQUIREMENTS IN THE 2022 STANDARD

Clause 4.2 Understanding the needs and expectations of interested parties
The organization shall determine:
a) ......
b) ......
c) which of these requirements will be addressed through the information security management system.
In the note to 4.2, ‘may include legal and regulatory requirements’ becomes ‘can include legal and regulatory requirements’.

Clause 4.4 Information security management system
The organization shall establish, implement, maintain and continually improve an information security management system, including the processes needed and their interactions, in accordance with ...

Clause 5.1 Leadership and commitment
Requirements unchanged; new note added:
Note – Reference to business in this document can be interpreted broadly to mean those activities that are core to the purposes of the organization’s existence.

Clause 5.3 Organizational roles, responsibilities and authorities
In the note, ‘top management may also’ becomes ‘top management can also’.

Clause 6.2 Information security objectives and planning to achieve them
Clause 6.2 d) ‘be monitored’ and g) ‘be available as documented information’ added.

Clause 6.3 Planning of changes
This is a new subclause; it does not appear in the 2013 edition. 6.3 states: ‘When the organization determines the need for changes to the information security management system, the changes shall be carried out in a planned manner’.

Clause 7.4 Communication
Clause 7.4 d) ‘how to communicate’ replaces the 2013 clause 7.4 d) ‘who shall communicate’ and e) ‘the processes by which communication shall be effected’.

Clause 8.1 Operational planning and control
The organization shall plan, implement and control the processes ...... by:
— establishing criteria for the processes;
— implementing control of the processes in accordance with the criteria.

Clause 9.1 Monitoring, measurement, analysis and evaluation
‘The methods selected should produce comparable and reproducible results to be considered valid’ added to clause 9.1 b). It was a note in ISO/IEC 27001:2013 clause 9.1 b).

Clause 9.3.2 Management review inputs
The management review shall include consideration of:
c) changes in needs and expectations of interested parties that are relevant to the information security management system (added).
Changes to the Mandatory Clauses
Clauses 4 to 10 have undergone several minor updates, especially in clauses
4.2, 6.2, 6.3 and 8.1, where new content has been added. Other updates
consist of minor changes in terminology and restructuring of sentences and
clauses. The titles and order of the clauses remain the same.

4.4 Information security management system
The revised clause requires that the ISMS processes and “their interactions” are identified.

6.2 Information security objectives
Objectives must now also be monitored and be available as documented information, in addition to being communicated and updated as before.

6.3 Planning of changes
All changes to the ISMS must be carried out in a planned manner. The clause does not prescribe a particular document, but evidence of that planning is what an auditor will look for.

8.1 Operational planning & control
Organizations must define criteria for their operational processes and control the processes in accordance with those criteria.

9 Performance evaluation
Methods used to monitor and evaluate your controls should produce comparable and reproducible results so that the organization can assess trends.

9.2 Internal audits
Internal audits must cover all of the organization's own requirements for its ISMS, not only those of ISO 27001.

4.2 Understanding needs & expectations of interested parties
Addition of ‘which of these requirements will be addressed through the information security management system.’

9.3.2 Management review inputs
‘Changes in needs and expectations of interested parties that are relevant to the ISMS’ has been added as a required input.
Changes to Annex A

Controls are now split across four different groups (themes):

Organizational: 28 merged, 3 new
People: 2 merged, 0 new
Physical: 5 merged, 1 new
Technical: 21 merged, 7 new

There are now 93 controls instead of 114.

56 controls from ISO 27001:2013 have been merged into 24 controls in ISO 27001:2022.

1 control has been split into two separate controls.

The majority of controls are subject to some form of text change, which could impact how the standard is interpreted and implemented.

11 new controls:
1. Threat intelligence
2. Information security for the use of cloud services
3. ICT readiness for business continuity
4. Physical security monitoring
5. Configuration management
6. Information deletion
7. Data masking
8. Data leakage prevention
9. Monitoring activities
10. Web filtering
11. Secure coding

5 new control attributes to aid categorization:
Control type
Information security properties
Cybersecurity concepts
Operational capabilities
Security domains
WHAT WILL THE ISO 27001:2022 CHANGES MEAN FOR
ORGANISATIONS?
ISO 27001 consists of two parts. The first part is the main body of the standard,
eleven clauses (0 to 10) of which Clauses 4 to 10 contain the mandatory
requirements. The second part, Annex A, lists the reference controls: 114 control
objectives and controls in the 2013 edition, and 93 controls with no control
objectives in the 2022 edition. ISO 27002 is the companion guidance document
that explains how to implement the Annex A controls. It was revised first, in
February 2022, and ISO 27001:2022 followed in October 2022 with an Annex A
aligned to it. Organisations already certified to ISO 27001:2013 are not affected
immediately, but they must complete the transition within the three-year period.

Organisations already certified to ISO 27001:2013 are given a three-year
transition period to upgrade their information security management system.

Excluding any of the requirements specified in Clauses 4 to 10 is not
acceptable when an organization claims conformity to the new document.

The organisation should understand the needs and expectations of
interested parties, address these requirements through the information
security management system, and determine the boundaries and
applicability of the ISMS.

An information security policy shall be established which includes
information security objectives or provides a framework for setting them.
It should be documented, communicated within the organisation and
made available to interested parties.

The organisation shall conduct internal audits at planned intervals.

The organisation shall determine and provide the resources needed for the
establishment, implementation, maintenance and continual improvement
of the information security management system.

Top management shall review the organisation's information security
management system at planned intervals to ensure its continuing
suitability, adequacy and effectiveness.
BENEFITS OF ISO 27001:2022

Builds a culture of cyber security and privacy in the organization, with
regular training and checks.

Lays down a foundation for other compliance requirements, such as the
EU GDPR and the NIS Directive.

Enhances the business reputation and credibility of the organisation.

Enhances business partners’ confidence in, and perception of, your
organization.

Establishes best practices within the organization and helps avoid the
cost of breaches and attacks.

Provides a defined process for the implementation, management,
maintenance and evaluation of the ISMS.

Gives structure to the organisation's ISMS approach.


MEASURES FOR THE ORGANISATION
ISO (the International Organization for Standardization) reviews each published
standard at least every five years to decide whether to confirm, revise or withdraw
it; ISO 27001 was last revised in 2013 and again in 2022. The current version,
ISO 27001:2022, keeps the same two-part structure as ISO 27001:2013. Part one
consists of eleven clauses (0 to 10); Clauses 4 to 10 set out the requirements and
the documented information your company must maintain while operating an
ISMS. Part two is Annex A, which lists the 93 reference controls in four themes
that are used to build the Statement of Applicability. Tsaaro therefore proposes
the following measures for a smooth transition to ISO 27001:2022.

Checklist for Organisations for a Smooth Transition

Align the risk treatment plan with the new controls and structure.

Implement new controls or modify the existing controls as needed.

Evaluate and, where necessary, adapt third-party security tools to ensure
that the records you use to demonstrate compliance support the new
requirements.

Review and update the Statement of Applicability, the ISMS management
review procedure and the ISMS communication plan.

Companies should not delay their certification application process
because ISO 27001:2013 has been revised.
CONCLUSION
ISO 27001:2022 is a welcome change, and ISO certification remains valuable.
For organisations looking forward to implementing this standard or transitioning
from the previous version, there are key changes that require some planning, and
that planning will make the move smoother. The new structure makes it easier to
understand the applicability of the controls and the designation of
responsibilities.

To assist organisations in identifying the important areas they need to evaluate,
whether to obtain re-certification if they currently hold ISO 27001:2013 or to earn
new certification against the ISO 27001:2022 edition, Tsaaro has summarised the
basic changes to the standard in this paper.

BIBLIOGRAPHY

https://www.iso.org/standard/82875.html
https://www.iso.org/isoiec-27001-information-security.html
https://www.itgovernance.co.uk/iso27001-and-iso27002-2022-updates
https://www.itgovernance.eu/blog/en/category/cyber-security/iso27001
https://www.itgovernanceusa.com/iso27001-benefits
WHY TSAARO?
At Tsaaro, we offer top-notch privacy and cybersecurity services to help organizations comply
with regulations and maintain a secure infrastructure.

Our team of expert privacy professionals recognized by IAPP provides industry-standard services
such as Data Protection Services, Information Security Services, Penetration Testing Services,
Security and Privacy Standards Audit Services, Security Operations Center Services, and Training
Services. Choose Tsaaro to ensure your organization meets its regulatory requirements while
keeping your security infrastructure robust.

Akarsh Singh (CEO & Co-Founder, Tsaaro)
Akarsh is a Fellow of Information Privacy (FIP) with the IAPP, the highest
certification in the field of privacy. His expertise lies in Data Privacy and
Information Security Compliance.

Krishna Srivastava (Co-Founder & Head of Cyber Security, Tsaaro)
Krishna is an ex-KPMG data security consultant. He has vast experience in
Information Security and Data Privacy Compliance.

Rishita Saxena, Data Protection Consultant
Kahkashan Anjum, Data Protection Consultant
Jithesh Vijayakumar, Data Protection Consultant

CONTACT US
[email protected]
You can assess risk with respect to personal data and strengthen your data
security by contacting Tsaaro.

Tsaaro Netherlands Office
Regus Schiphol Rijk, Beech Avenue 54-62, Het Poortgebouw,
Amsterdam, 1119 PW, Netherlands
P: +31-686053719

Tsaaro India Office
Level 1, Building 10A, Cyber Hub, DLF Cyber City, Gurugram,
Haryana- 122002, India
P: +91-0522-3581306

Tsaaro India Office
Manyata Embassy Business Park, Ground Floor, E1 Block, Beech Building,
Outer Ring Road, Bangalore- 560045, India
P: +91-0522–3581
