What is the difference between ISO 27001:2013 and ISO 27001:2022?

In 2022, the international standard ISO 27001 was revised again, now as the 2022 version. This revision included significant and long-overdue changes. In August, ISO/IEC 27001:2022 was published by the International Accreditation Forum (IAF), replacing the previous ISO 27001:2013.

The controls were revised, supplemented, and reorganised in the 2022 version, alongside a name change and editorial adjustments. 114 controls and 14 categories were reduced to 93 controls in four categories. Additionally, eleven controls were added. Learn more in our chapter on ISO 27001 Controls in Annex A.

What impacts does ISO 2022 have on companies?

The changes in the new ISO 2022 are noticeable, but there's no need to worry. A complete change in the approach is not required. Instead, the adjustments align with a growing understanding of information security.

Important to note: a 36-month transition period, during which certified companies can adapt their measures to the new version for recertification. This aligns with the regular audit process, as certified organisations must repeat their audit every three years to remain certified.

Key dates:

The ISO 27001:2022 was published on October 25, 2022. The transition period has been set at three years (36 months). As a result, end-users have the following timeframes and deadlines for the transition:

Certification readiness for ISO/IEC 27001:2022:

Expected from February to April 2023 (dependent on the German Accreditation Body GmbH).

Last date for initial and recertification audits under the previous ISO 27001:2013:

Until April 30, 2024.

Transition of all existing certificates to the new ISO/IEC 27001:2022:

Three years, based on the last day of the issuance month of ISO/IEC 27001:2022 (October 2025).

This means all documentation must be adapted and updated to the new controls before the next re-audit. Once the preparations for the new version are appropriately adjusted, the next audit can easily be used to transition to certification under ISO 27001:2022.

ISO 27001: Who is the norm important for?

Information security is relevant in almost every company, making ISO 27001 crucial for nearly every organisation that handles information and data. But what exactly is the ISO 27001 certification, and who does it concern?

ISO 27001 certification: What is it?

ISO 27001 certification confirms that your organisation meets the requirements of the ISO 27001 standard. Suppose you have established your Information Security Management System (ISMS) according to ISO 27001 guidelines. In that case, an independent accredited certification body conducts an audit and confirms your results with an ISO 27001 certificate upon successful completion.

Who needs ISO 27001 certification?

While ISO 27001 certification is not mandatory, it is common practice and, above all, a requirement for important business relationships. Without transparent guidelines and measures for risk management in your organisation, your information is at risk.

Certain industries, particularly those threatened by cyberattacks and ransomware, consider ISO 27001 application to be the norm. The most revenue has been lost in these industries since 2019:

• High Tech
  
  
• Biotechnology
  
  
• Automotive Industry
  
  
• Consumer Goods and Services
  
  
• Banking
  
  
• Health
  
  
• Retail
  
  
• Insurance
  
  
• Mechanical Engineering
  
  
• Communication and Media

However, given the rise in cybercrime, all companies - from SMEs to large corporations - need to consider their information security. The ISO 27001 controls provide a clear roadmap for businesses to prioritise their information security.

Benefits of ISO 27001

Clearly, identifying and addressing security risks is beneficial for any business. The ISO 27001 controls play an essential role in clearly categorising potential risks. But what are the specific benefits of mitigating risks?

Build trust with all stakeholders

ISO 27001 equips organisations with the information they need to protect valuable data by applying good information security practices. ISO 27001 compliance assures customers, partners, and key stakeholders that the organisation has taken the necessary security measures to treat valuable information and sensitive data appropriately.

Protect organisations from data breaches

The ISO 27001 standard defines policies and procedures for security measures that, when implemented, protect an organisation from unauthorised access to its data and complete data loss.

By implementing the proposed measures, the risk of data breaches or fines for such incidents is also reduced. The guidelines cover information security across all areas.
However, it is important to note that ISO 27001 does not offer an absolute guarantee against security incidents or data breaches. However, it creates a framework to reduce the likelihood of such incidents and strengthen an organisation's ability to respond appropriately. The precise implementation and effectiveness of the measures depend on the individual organisation and its environment.

If data is compromised in any way, the ISO 27001 standard sets out procedures for responsible and effective incident management.

Protect the personal data of employees

Under ISO 27001, not only sensitive data from third parties but also the personal data of employees of an organisation is protected. An organisation is required to disclose the information security measures it has taken to all parties so that they are aware of them, agree with them, and can consent to them.

This is one of the prerequisites for an organisation to be considered compliant with industry guidelines and work instructions under this standard.
Trust and security in the company and the protection of important data also provide some competitive advantages.

Risks are avoided - business deals are potentially increased

In general, certified companies are more convincing in the perception of their business partners than non-certified competitors and conclude new business contracts more efficiently. Of the many other advantages, these are just a few:

• Improved competitiveness
  
  
• Significantly reduced risk of fines and financial losses due to data breaches
  
  
• Brand perception is constantly improving.
  
  
• Achieving compliance in all areas (business, legal, economic, and legal)
  
  
• Improved structure and focus
  
  
• The number of required audits decreases
  
  
• You receive an unbiased assessment of your security situation.

To this end, every organisation and company is encouraged to establish an information security management system (ISMS) - an efficient, technology-independent, risk-based means of securing information values based on regular information security assessments (ISAs) for risk assessment.

ISO 27001:2022 Controls: What measures are included in Annex A?

The controls outlined in ISO 27001 Annex A are the measures the standard provides to empower businesses in significantly reducing risks. The selection of measures by an organisation is determined based on previously identified risks. Using this foundation, the focus is established, and relevant categories are chosen.

As of 2022, there are a total of 93 controls divided into four categories. Eleven of these controls were newly added to ISO 27001 in 2022. The four categories each describe the focus area of the controls' application.

ISO 27001:2022: Eleven new controls

Since 2022, ISO 27001 has incorporated eleven new controls, each assigned to distinct categories:

A.5.7 Threat intelligence

The "Threat intelligence" measure obligates companies to collect data on potential threats to information security and subject it to in-depth analysis.

A.5.23 Information security for the use of cloud services

Following the "Information security for the use of cloud services" measure, companies are urged to establish and manage information security for the utilisation of cloud services.

A.5.30 ICT readiness for business continuity

Companies must create an ICT continuity plan to maintain operational resilience, fulfilling the "ICT-readiness for business continuity" measure.

A.7.4 Physical security monitoring

Companies need to employ suitable monitoring tools for the "Physical security monitoring" measure to detect and prevent external and internal intrusions.

A.8.9 Configuration management

During "Configuration management," companies must establish guidelines for the documentation, implementation, monitoring, and review of configurations across their entire network.

A.8.10 Information deletion

The document "Information deletion" contains instructions for managing data deletion to comply with laws and regulations.

A.8.11 Data masking

"Data masking" provides techniques for masking personal identifiable information (PII) to comply with laws and regulations.

A.8.12 Data leakage prevention

Following the "Data leakage prevention," companies must take technical measures to detect and prevent the disclosure and/or extraction of information.

A.8.16 Monitoring activities

The "Monitoring activities" measure provides guidelines to enhance network monitoring activities to detect anomalous behaviour and respond to security events and incidents.

A.8.23 Web filtering

Companies must enforce access controls and measures for "Web filtering" to restrict and control access to external websites.

A.8.28 Secure coding

Companies are mandated to implement best practices of secure coding to prevent vulnerabilities caused by inadequate coding methods.

Controls according to ISO 27001: The four categories

The ISO 27001:2022 standard contains 93 controls, which are assigned to four categories: organisational, people, physical, and technological. The grouping of controls into four thematic areas helps organisations to decide who is responsible for implementing the measures and which measures are relevant to the context of the organisation. Each category can be assigned to a specific focus area within your organisation. This makes it easier to apply the relevant controls selectively to your organisation.

Organisational controls (37 measures)

These controls are applicable when the risks do not fall under the topics of people, technology, or physical security. They include, for example, identity management, responsibilities, and evidence collection.

New organisational controls include:

• 5.7: Threat intelligence
  
  
• 5.23: Information security for the use of cloud services
  
  
• 5.30: ICT readiness for business continuity

Threat intelligence is a significant innovation in this area. This measure goes beyond the detection of malicious domain names. Threat analysis helps organisations better understand how they can be attacked and take appropriate precautions.

People controls (8 measures)

Remote work is a hot topic in the people area. However, the restructuring of the working world also comes with risks. This is where the people measures of ISO 27001 come in. The area related to personnel only includes eight controls. These focus on how employees handle sensitive information during their daily work. This includes topics such as remote work, non-disclosure agreements, and screenings. In addition, onboarding and offboarding processes and responsibilities for reporting incidents are relevant.

Physical controls (14 measures)

Physical controls include security monitoring, maintenance, facility security, and storage media. This category is about how you protect yourself against physical and environmental threats such as natural disasters, theft, and intentional destruction.

New physical controls include:

• 7.4: Physical security monitoring

Technological controls (34 measures)

Technology must also be properly secured to protect information. Technological controls, therefore, deal with authentication, encryption, and data leakage prevention. This can be achieved through various approaches, such as access rights, network security, and data masking.

New technological controls include:

• 8.1: Data masking
  
  
• 8.9: Configuration management
  
  
• 8.10: Information deletion
  
  
• 8.12: Data leakage prevention
  
  
• 8.16: Activity monitoring
  
  
• 8.23: Web filtering
  
  
• 8.28: Secure coding

One innovation in this area is particularly important: data leakage prevention. Web filtering is also helpful: This control describes how organisations should filter online traffic to prevent users from visiting potentially harmful websites.

Controls with the greatest potential for error

Information security is no longer a niche topic - it is the foundation for resilience, success, and growth for any business. Many businesses require their business partners and suppliers to be certified to an information security standard such as ISO/IEC 27001, which specifies the requirements for an information security management system (ISMS).

However, implementing ISO 27001 without a structured plan can be a major challenge. Based on our work with customers in a variety of industries, we have compiled the four most common mistakes that occur when implementing controls according to ISO 27001 - as well as tips on how your organisation can avoid these common mistakes.

Before we dive in, let's take a quick look at the controls that ISO 27001 requires.

ISO 27001 has a total of ten main chapters, as well as four control catalogues in Annex A, which together cover 93 detailed objectives for controls. These controls cover areas such as cryptography, compliance, and operational security.

In summary, Annex A can be understood as a catalogue of individual security requirements. How you respond to these requirements when building your ISMS depends on the type of your organisation.

So, let's take a look at some of the most challenging controls that an organisation must implement - supplier security, operational security, communications security, and asset management.

Is ISO 27001 mandatory for businesses?

The ISO 27001 standard recognises the diversity of information security needs and requirements in each organisation. It suggests that security measures should be tailored to the individual organisation. While ISO 27001 compliance is not mandatory everywhere, some countries require compliance for certain industries.

Both public and private organisations have the option to require ISO 27001 compliance from partners and suppliers as a contractual condition in their contracts and agreements. Similarly, countries can require and ensure the protection of citizen data by organisations operating in their country through ISO 27001 compliance. This can vary by country and industry.

How to achieve ISO 27001 compliance? - Our checklist

Even if they are not pursuing formal certification, organisations always have the option to pursue compliance with the ISO 27001 standard requirements. The following list shows which best practices you should best implement to do this, and can be used very well as a checklist:

• Identify the expectations of your stakeholders regarding information security through conversations with them.
  
  
• Define the scope of your ISMS and the information security measures.
  
  
• Define a clear security policy.
  
  
• Conduct a risk assessment to identify any existing and potential risks to your information security.
  
  
• Implement measures and risk management methods that set clear objectives.
  
  
• Continuously evaluate the effectiveness of your information security practices and conduct regular risk assessments.

Checklist: ISO 27001 Compliance

Breaking down the path to ISO 27001 compliance into individual steps, the journey looks as follows:

1. Prepare thoroughly
   
   While reading the standard, you gain valuable insights into ISO 27001 and its requirements. Additionally, there are numerous opportunities to further educate yourself on ISO 27001.
   
   You can download a detailed implementation roadmap from us for free, discussing the norm extensively.
   
   
2. Define your context, scope, and objectives
   
   As a central criterion for success, it has proven effective to first establish project and ISMS objectives, along with the associated budget and timeframe. At this point, a decision is needed on whether to internally possess the necessary expertise and resources for implementation or to engage a consultant.
   
   
3. Involve management properly and early
   
   An organisation's management framework defines all the procedures to achieve its ISO 27001 implementation goals. Accountability, specifying who in management is responsible for the ISMS, a schedule of all activities, and regular ISMS reviews for effectiveness are mechanisms cyclically ensuring ISMS improvement.
   
   
4. Conduct a risk assessment
   
   While ISO 27001 requires a formal risk assessment, it does not prescribe a methodology. "Formal" implies that the risk assessment approach is planned in advance, and the associated data, analyses, and results are documented.
   
   
5. Implement risk treatment measures
   
   The organisation's task is to determine how to proceed with the identified risks. Should they be avoided, transferred, accepted, or mitigated? All decisions made for risk treatment must be documented. During a registration or certification audit, an auditor will want to see this documentation. If you choose to mitigate risks, it is crucial to implement the measures, based on ISO 27002 controls, for example.
   
   
6. Review and update the related documentation
   
   Documentation is one of the requirements you cannot bypass with ISO 27001. You must document all processes, rules, and procedures related to your ISMS to ensure their appropriate implementation. The norm requires documentation of the following aspects:
   
   
   • Understanding the organisation and its context (e.g., through an environmental analysis)
     
     
   • Identification of interested parties
     
     
   • ISMS scope
     
     
   • Communicated management commitment
     
     
   • Roles and responsibilities within the ISMS
     
     
   • Risk and opportunity management
     
     
   • Change management planning
     
     
   • Resource planning
     
     
   • Decision logs related to risk management
     
     
   • Training
     
     
   • Communication matrix
     
     
   • Documentation management planning/policy
     
     
   • Framework with information security policies and information security guidelines
     
     
   • Procedure for information security risk management
     
     
   • Statement of Applicability (SoA)
     
     
   • Information security objectives
     
     
   • Evidence of competence
     
     
   • Information necessary for the organization's ISMS effectiveness
     
     
   • Control and planning of activities
     
     
   • Evidence of monitoring and measurement results and evaluation
     
     
   • Procedure for internal audits
     
     
   • Procedure for management review
     
     
   • Evidence of the audit program and its results
     
     
   • Evidence of the results of management reviews
     
     
   • Evidence of the type of identified non-conformities and all subsequent actions
     
     
   • Evidence of the results of all corrective and improvement actions taken
     
     
7. Evaluate yourself – Measure, track, and assess
   
   Continuous improvement is one of the cornerstones of ISO 27001. To achieve this, you must understand how effective your ISMS measures are and how ISMS-compliant your organisation operates. Ongoing monitoring and analyses reveal which of the existing processes and measures require changes.
   
   
   
   
8. Conduct an internal audit
   
   Internal audits of your ISMS are to be regularly conducted according to ISO 27001. The internal auditor conducting the audit of ISO 27001 compliance needs practical knowledge of the approach as a Lead Auditor, ensuring objectivity and impartiality.
   
   At this point, ISO 27001 certification is also a viable option if your organisation has already achieved full compliance—especially if you have adhered to best practices and your organisation's information security procedures already align with the norm's requirements.

Watch how DataGuard's expertise and guidance helped FRÄNKISCHE navigate the complex path to achieving robust data security and compliance.

How much does ISO 27001 certification cost?

The cost question regarding ISO 27001 certification cannot be answered universally. It holds true: the more complex the requirements, the more elaborate the preparation. Costs vary based on needs and the level of implementation. Project duration, the use of internal resources, the scope of existing infrastructure, and the size of your company all influence cost estimates.

Factors influencing cost estimation include:

• Organisation size and complexity of information processes
  
  
• Application areas of the ISO 27001 certificate
  
  
• Maturity level of the existing ISMS
  
  
• Discrepancy size between the current status and the target status for the control system

• Internal resources for ISO 27001 implementation
  
  
• Timeframe available for certification
  
  
• External consultation
  
  
• Costs for external audits by a certification body

For a detailed breakdown of costs, refer to our guide on the costs of ISO 27001 certification.

ISO 27001: Enhancing security with the framework

Getting ISO 27001 certification shows that your company takes security seriously and is compliant with important rules and regulations. This makes you a more trustworthy partner to businesses and customers, and it can help you attract new customers and partners. It also makes your company more valuable, so it's a win-win situation. Explore our ISO 27001 checklist to understand the measures you need to implement for ISO 27001 compliance.

If you need assistance with information security or preparing for a certification audit, we can help. Call one of our experts today for personalised support.