
ISO/IEC 27001:2022 was officially published on 25 Oct 2022. The standard was last updated in 2013; the new edition is intended to be more relevant to current security threats and technologies. The changes in ISO/IEC 27001:2022 are listed below:
Major changes in the ISO/IEC 27001:2022 revision
- The number of controls has decreased from 114 to 93;
- The controls are divided into 4 sections instead of the 14 in the 2013 version;
- 11 new security controls have been created;
- 24 controls have been merged;
- 58 controls have been revised.
Although the number of controls decreased to 93, 11 new security controls have been added in the new version, as listed below:
| Clause | Control |
| --- | --- |
| 5.7 | Threat intelligence |
| 5.23 | Information security for use of cloud services |
| 5.30 | ICT readiness for business continuity |
| 7.4 | Physical security monitoring |
| 8.9 | Configuration management |
| 8.10 | Information deletion |
| 8.11 | Data masking |
| 8.12 | Data leakage prevention |
| 8.16 | Monitoring activities |
| 8.23 | Web filtering |
| 8.28 | Secure coding |
CASSolution can help your business migrate your current management system to the new version with the following services:
- Perform a gap analysis against the Annex A controls
- Review and update the procedures and policies of your company
- Update risk assessment based on new controls
- Update the SOA (Statement of Applicability)
- Provide transition training to your company
- Contact certification bodies about the transition plans
Transition period and arrangements
According to the Transition Requirements from the IAF (International Accreditation Forum), there is a 3-year transition period from the publication date of the new revision (25 Oct 2022). Therefore, companies that are currently certified against ISO/IEC 27001:2013 need to complete the transition to the new version by 31 October 2025.
Companies already certified against ISO27001:
- Can start certifying against the 2022 version from 25 Oct 2022;
- Must transition to the 2022 version by 31 Oct 2025 (3-year transition period);
- Certificates against the old version will be invalid after 31 Oct 2025.
Companies planning to certify against ISO27001:
- Can still certify against the 2013 version until 31 Oct 2023 (1-year period);
- Only the 2022 version is available after 31 Oct 2023; the old version will be invalid.
If you want to start implementing the 2022 version of ISO27001, or you would like to transition to the new revision from the 2013 version, you may schedule a FREE consultation with our ISO27001 experts.
Whatsapp: +852 6777-6459
Email: info@cassolution.com