ISO 27001:2022 Information security, cybersecurity, and privacy protection

ISO 27001:2022 Information security, cybersecurity, and privacy protection – By Magnus Management Consulting LLC

ISO/IEC 27001:2022 Information security, cybersecurity, and privacy protection — Information security management systems — Requirements

This document specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system within the context of the organization. This document also includes requirements for assessing and treating information security risks tailored to the organization’s needs. The requirements set out in this document are generic and are intended to be applicable to all organizations, regardless of type, size, or nature.

After nine years, ISO 27001, the world’s leading information security standard, has been updated – on October 25, 2022, the new ISO 27001:2022 was published. Even though this revision brings only moderate changes, it is important to study them closely – let’s go through all the changes and see how this 2022 revision compares to the old 2013 revision of ISO 27001.

Main changes in the ISO 27001:2022 revision:

  • The main part of ISO 27001, i.e., clauses 4 to 10, has changed only slightly.
  • The changes in Annex A security controls are moderate.
  • The number of controls has decreased from 114 to 93.
  • The controls are placed into 4 sections, instead of the previous 14.
  • There are 11 new controls, while none of the controls were deleted, and many controls were merged.


Overall, when compared to the 2013 revision, the changes in the ISO 27001:2022 revision are small to moderate. The main part of the standard remains with 11 clauses, and the changes in this part of the standard are small (see below).

At first glance, Annex A has changed a lot – the number of controls has dropped from 114 to 93, and they are organized into only four sections versus the 14 sections in the 2013 revision. However, after a closer look, it becomes obvious that the changes in Annex A are only moderate – see the explanation below.

Changes in the management system

The text of the mandatory clauses 4 through 10 has changed only slightly, mainly to align with ISO 9001, ISO 14001, and other ISO management standards, and with Annex SL.

Here’s a brief overview of the changes in ISO 27001:2022:

  • In clause 4.2 (Understanding the needs and expectations of interested parties), item (c) was added requiring an analysis of which of the interested party requirements must be addressed through the ISMS.
  • In clause 4.4 (Information security management system), a phrase was added requiring planning for processes and their interactions as part of the ISMS.
  • In clause 5.3 (Organizational roles, responsibilities, and authorities), a phrase was added to clarify that communication of roles is done internally within the organization.
  • In clause 6.2 (Information security objectives and planning to achieve them), item (d) was added that requires objectives to be monitored.
  • Clause 6.3 (Planning of changes) was added, requiring that any change in the ISMS needs to be made in a planned manner.
  • In clause 7.4 (Communication), item (e) was deleted, which required setting up processes for communication.
  • In clause 8.1 (Operational planning and control), new requirements were added for establishing criteria for security processes and for implementing processes according to those criteria. In the same clause, the requirement to implement plans for achieving objectives was deleted.
  • In clause 9.3 (Management review), the new item 9.3.2 c) was added that clarifies that inputs from interested parties need to be about their needs and expectations, and relevant to the ISMS.
  • In clause 10 (Improvement), the subclauses have changed places, so the first one is Continual improvement (10.1), and the second one is Nonconformity and corrective action (10.2), while the text of those clauses has not changed.

Overview of new security controls in ISO 27002:2022

11 new controls introduced in the ISO 27001:2022 revision:

  • A.5.7 Threat intelligence
  • A.5.23 Information security for use of cloud services
  • A.5.30 ICT readiness for business continuity
  • A.7.4 Physical security monitoring
  • A.8.9 Configuration management
  • A.8.10 Information deletion
  • A.8.11 Data masking
  • A.8.12 Data leakage prevention
  • A.8.16 Monitoring activities
  • A.8.23 Web filtering
  • A.8.28 Secure coding


