3rd November, 2022
The third edition (2022-10) of International Standard ISO 27001 arrived in the last week of October 2022.
ISO 27001:2013, which became widely known as the Information Security Management System (ISMS) Standard, has now been superseded by ISO 27001:2022, titled Information Security, Cybersecurity and Privacy Protection – Information Security Management Systems – Requirements. The domains added to the title itself are cybersecurity and privacy protection. This is in keeping with the contemporary trend of heightened importance given to cybersecurity and privacy protection alongside information security.
The new Standard ISO 27001:2022 is a leaner document of 19 pages, compared with the 23 pages of the previous version, ISO 27001:2013.
In contrast, the supporting Standard ISO 27002:2022 on information security controls, titled Information Security, Cybersecurity and Privacy Protection – Information Security Controls, has acquired bulk and now runs to 152 pages, compared with just 80 pages in the previous version, ISO 27002:2013.
The reduction of ISO 27001:2022 by 4 pages indicates an attempt to streamline and re-structure the Standard for better understanding and comprehension, whereas the growth of ISO 27002:2022, which gives guidance on information security control implementation, by a substantial 72 pages (90%) reflects the elaboration of the various methods of control implementation.
For general understanding, ISO 27001 is the certification Standard used as the criteria for certification and surveillance audits, whereas ISO 27002 is the guidance Standard which provides inputs and elaboration on how to implement the various security controls. The transition period for moving certificates from the 2013 version to the 2022 version is three years from now.
Annex A of ISO 27001:2013 grouped its controls into 14 domains (A.5 to A.18); Annex A of ISO 27001:2022 has just 04 themes – Organizational Controls, People Controls, Physical Controls and Technological Controls. The management-system requirements in the main body of the Standard (clauses 4 to 10) keep the same structure in both versions. Another important change to be noted is that the intermediate layer of control objectives (there used to be 114 controls under 35 control objectives in ISO 27001:2013) has been abolished, and the new ISO 27001:2022 now has 93 controls directly linked to the 04 themes. The drop from 114 to 93 comes mainly from merging overlapping 2013 controls rather than from dropping them; the 2022 Annex A also introduces new controls, for example on threat intelligence, cloud services and data leakage prevention, so a certified organisation should re-map its Statement of Applicability rather than assume fewer controls means less work.
Here is a bird’s eye-view comparison of the ISO 27001:2013 and ISO 27001:2022 Standard:
Published by CMMI Consultant
Rajendra is a qualified and certified Lead Appraiser and Instructor for the following:
Lead Assessor for ISO 9001 (QMS), ISO 14001 (EMS) and OHSAS 18001 (OHSMS) since 1994
International Automotive Task Force (IATF) approved Lead Assessor for the Automotive Standard TS 16949:2009
Lead Assessor for ISO 27001 (ISMS) and ISO 20000-1 (ITSM)
Rajendra has 25 years of experience in the industry.