ISO 27001 – 2022 Changes

When you’re preparing for an ISO 27001 audit, the last thing you want is for the audit itself to cause a security incident. This is the “audit paradox”: the very process meant to ensure your safety can, if poorly managed, lead to system downtime or data exposure. In the transition from the 2013 version to […]

If you are navigating the transition from the old ISO 27001:2013 standard to the shiny new ISO 27001:2022 version, you’ve probably noticed that things have been moved around quite a bit. The Annex A controls have been consolidated, renamed, and in many cases, sharpened to deal with modern digital risks. One specific area that has

If you have been keeping up with the world of information security, you’ve likely noticed that the ISO 27001 standard recently underwent its first major refresh in nearly a decade. For those managing compliance, the transition from the 2013 version to the ISO 27001:2022 update felt like a significant shift, particularly regarding how the Annex

If you have been working with information security standards for a while, you will know that the transition from ISO 27001:2013 to the ISO 27001:2022 update brought about some significant “housekeeping.” While the core requirements of the management system stayed largely the same, the Annex A controls underwent a massive facelift. One of the most

When it comes to building software, many organisations choose to look outside their own walls for talent. Whether it is a specialist agency, a freelance developer, or an offshore team, outsourcing can speed up delivery and lower costs. However, from a security perspective, it often feels like handing over the keys to your house and

If you are navigating the transition from the old ISO 27001:2013 standard to the updated 2022 version, you have likely noticed that things look quite different. The Annex A controls have been streamlined, reordered, and in many cases, strengthened. One area that has seen a significant shift in focus is how we validate our security

If you have been working within the framework of information security for a while, you’ve likely noticed that the ISO 27001 standard recently had a major makeover. One of the most significant shifts occurred in how we handle software development. Specifically, we are looking at the transition from the 2013 controls to the 2022 version’s

If you have been working with information security standards for a while, you know that the transition from ISO 27001:2013 to the 2022 update brought about some significant structural changes. One of the most talked-about additions is Control 8.27, which focuses on Secure System Architecture and Engineering. But if you are looking for this specific

If you have been working with ISO 27001 for a few years, you’ll know that the 2022 update was more than just a fresh coat of paint. It was a complete structural reimagining designed to reflect how we actually build and buy technology today. One of the most important shifts for anyone involved in software

Transitioning from ISO 27001:2013 to the 2022 update is a significant milestone for any security-conscious organisation. It isn’t just about moving numbers around; it’s about modernising how we protect data in a world of rapid DevOps and cloud-native building. One of the most impactful changes for development teams is found in Annex A 8.25: Secure

If you have been managing an Information Security Management System (ISMS) for a few years, you likely know that the jump from the 2013 version of ISO 27001 to the 2022 update was quite a journey. It wasn’t just a simple renumbering exercise; it was a total rethink of how controls should be grouped to

If you have been familiar with ISO 27001 for a while, you probably remember the 2013 version as a solid, if slightly aging, framework. However, the release of the 2022 update brought some major shifts to the table. One of the most talked-about additions is Annex A 8.23: Web Filtering. While it might sound like

If you have been following the evolution of cybersecurity standards, you know that the leap from ISO 27001:2013 to the 2022 version was more than a simple rebrand. It was a tactical shift designed to address the complexities of modern infrastructure, think cloud-native environments, hybrid work, and zero-trust architectures. One of the most vital technical

If you have been managing information security for a while, you know that the leap from ISO 27001:2013 to the 2022 update was more than just a bit of light editing. It was a major structural overhaul designed to bring the standard into the modern, cloud-first world. One of the key areas that saw a

If you have been keeping an eye on the world of cybersecurity compliance, you know that the transition from the 2013 version of ISO 27001 to the 2022 update was more than just a quick edit. It was a fundamental rethink of how we categorise and manage security in a world dominated by cloud computing

If you have been working with information security standards for any length of time, you know that the transition from ISO 27001:2013 to the ISO 27001:2022 update brought about some significant “housekeeping.” While many of the core principles stayed the same, the way they are organised and prioritised shifted to meet the demands of a

If you have been navigating the transition from the old ISO 27001:2013 standard to the new ISO 27001:2022 version, you’ve likely noticed that the Annex A controls have had a significant makeover. One of the most critical shifts involves how we handle the “keys to the kingdom”, specifically, privileged access rights. In the new 2022

If you have been working within the world of information security for a while, you probably know that ISO 27001 underwent a significant facelift recently. Moving from the 2013 version to the 2022 version felt a bit like reorganising a massive library; the books are mostly the same, but the shelves have been moved, and

When comparing the ISO 27001:2013 standard to the 2022 update, you might be searching for the old control that corresponds to Annex A 8.16: Monitoring Activities. The truth is, while the spirit of monitoring was present in the 2013 version (often tucked into incident management or logging), the 2022 update elevates it to a dedicated,

In the transition from ISO 27001:2013 to the 2022 update, the way we handle system audit trails has become much more streamlined. If you are reviewing your old Statement of Applicability (SoA) and looking for the specific requirements for logs, you will find they have been unified under Annex A 8.15: Logging. While the fundamental

In the transition from ISO 27001:2013 to the 2022 update, the way we talk about keeping the lights on has become much more sophisticated. If you are looking at your old Statement of Applicability (SoA) and trying to find where your redundancy requirements moved, they are now under Annex A 8.14: Redundancy of Information Processing

If you have been working with the 2013 version of ISO 27001, you likely know the drill when it comes to backups. It was one of those “set it and forget it” areas for many, as long as the tapes or disks were spinning, you felt safe. However, the update to ISO 27001:2022 has introduced

When you sit down to compare the 2013 and 2022 versions of ISO 27001, you might go looking for the direct ancestor of Annex A 8.12. The reality? You won’t find one. Annex A 8.12: Data Leakage Prevention (DLP) is a brand-new, explicit control introduced in the 2022 update. While the 2013 standard certainly cared

If you are comparing the ISO 27001:2013 standard to the 2022 update, you might be looking for the predecessor to Annex A 8.11. The short answer? It didn’t exist. Annex A 8.11: Data Masking is a brand-new control introduced in the 2022 revision to address the growing global focus on data privacy and the protection

When you transition from the 2013 version of ISO 27001 to the 2022 update, you’ll notice that some things have simply been moved around. But for Annex A 8.10: Information Deletion, the change is much more significant: it is a brand-new control that didn’t exist in the 2013 version. While the old standard touched on

One of the most significant shifts in the transition from ISO 27001:2013 to the 2022 update is the introduction of dedicated controls for modern technical challenges. While many older controls were simply merged or renamed, Annex A 8.9: Configuration Management is a standout addition. It marks a transition from “informal” setup practices to a mandatory,

If you’ve been managing your information security using the 2013 version of ISO 27001, you’ll know that staying on top of software bugs and system weaknesses has always been a core requirement. However, in the 2022 update, the landscape of “Management of Technical Vulnerabilities” has shifted significantly. What used to be Control 12.6.1 is now

Malware has evolved rapidly since the 2013 version of ISO 27001 was released. Back then, “antivirus” was often seen as a set-it-and-forget-it tool. Today, we face ransomware, fileless malware, and sophisticated phishing campaigns that can bypass traditional signatures. To address this, the 2022 update transformed the old Control 12.2.1 into Annex A 8.7: Protection Against

In the world of information security, availability is just as important as confidentiality. If your website crashes because it can’t handle a spike in traffic, or your database runs out of disk space, you have a security failure on your hands. This is where Capacity Management comes in. In the transition from the 2013 version

If you have been managing an Information Security Management System (ISMS) based on the 2013 standard, you likely remember Control 9.4.2, which focused heavily on “Secure log-on procedures.” As we transition into the ISO 27001:2022 era, this has been refined and renamed to Annex A 8.5: Secure Authentication. The update reflects a major shift in

What Changed Between the 2013 and 2022 Versions? ISO 27001:2022 Annex A 8.4 If your organisation develops its own software, your source code is likely your most valuable intellectual property. In the old ISO 27001:2013 standard, protecting this was handled by Control 9.4.5. However, the 2022 update has modernised this requirement, transforming it into Annex

When you are updating your Information Security Management System (ISMS), the jump from the 2013 version of ISO 27001 to the 2022 revision can feel like a major undertaking. While many controls have simply been merged or renamed, some have evolved to reflect the complex digital world we now live in. One of the most

When it comes to the “keys to the kingdom,” ISO 27001 has always been strict. In the 2013 version of the standard, the management of privileged access rights was a critical part of the Access Control domain. As we move into the ISO 27001:2022 era, this control has been refined, renamed, and relocated to Annex

The transition from ISO 27001:2013 to the 2022 version has brought about several significant shifts in how we think about information security. One of the most important updates is found in the transition from the old Control 6.2.1 (Mobile Device Policy) to the much more expansive Annex A 8.1: User Endpoint Device Security. If you

When an organisation upgrades its IT hardware, the old equipment doesn’t just disappear. Whether you are donating old laptops to charity, returning leased servers, or sending decommissioned hard drives to a recycler, you are handling a potential “data goldmine” for attackers. This is where ISO 27001 comes in to ensure that your “trash” doesn’t become

If you are navigating the transition from the old ISO 27001:2013 standard to the updated 2022 version, you have likely noticed that the Annex A controls have undergone a significant facelift. One of the specific areas that has moved is the control regarding equipment maintenance. In the 2013 version, this sat under the somewhat clunky

If you have spent any time looking at the transition from ISO 27001:2013 to the ISO 27001:2022 update, you have probably noticed that things have been moved around quite a bit. The old structure of 114 controls has been condensed into 93, and they are now organised into four neat themes. One control that remains

If you have been working with information security for a while, you know that the ISO 27001 standard is the “gold standard” for keeping data safe. However, the world has changed quite a bit since 2013. We have more cloud services, more remote work, and more sophisticated physical threats. That is why the update to

When the ISO 27001 standard was updated in 2022, one of the primary goals was to simplify the complex web of 114 controls and make them more intuitive for modern businesses. One area that benefited significantly from this “clean-up” is the management of physical storage media. In the 2022 version, several older controls were consolidated

Transitioning from ISO 27001:2013 to the 2022 update involves more than just renumbering controls. It represents a fundamental shift in how we view the “perimeter” of our businesses. In the 2013 era, assets usually stayed within the four walls of an office. Today, your assets are in coffee shops, home offices, and transit hubs. This

When you are navigating the transition from ISO 27001:2013 to the 2022 update, it is easy to focus all your energy on the digital side of things, cloud security, encryption, and coding. However, the physical environment where your hardware “lives” is just as critical. In the 2022 revision, the requirements for where and how you

If you have ever walked through a quiet office and spotted a password on a sticky note or a sensitive document sitting on a printer, you have seen exactly why “Clear Desk and Clear Screen” policies exist. In the transition from ISO 27001:2013 to the 2022 update, this fundamental control moved from the technical back-end

When you are upgrading your Information Security Management System (ISMS) from the 2013 version to the 2022 update, you will notice that the “Physical” theme has been streamlined to reflect modern working environments. One of the most critical controls for any organization handling sensitive hardware or physical records is the management of secure areas. In

When transitioning from the 2013 version of ISO 27001 to the 2022 update, many organisations focus heavily on the new digital controls. However, the physical environment remains a massive risk factor. In the 2022 version, the protection against external and environmental threats has been refined and moved to Annex A 7.5: Protecting against physical and

If you are in the middle of transitioning your Information Security Management System (ISMS) from the 2013 version to the 2022 update, you have probably noticed that the physical security section has been given a significant upgrade. While the older version focused heavily on perimeters and entry points, the new standard introduces a more proactive

When you are navigating the transition from ISO 27001:2013 to the 2022 update, it is easy to get caught up in the digital jargon of cloud security and threat intelligence. However, the physical environment remains a critical pillar of any robust Information Security Management System (ISMS). One of the most important shifts in the physical

When an organisation shifts from ISO 27001:2013 to the 2022 update, the physical security of their premises often gets a second look. While we spend a lot of time worrying about hackers in digital spaces, the “front door” remains a primary risk vector. In the 2022 revision, the requirements for managing who walks into your

When most people think of ISO 27001, they immediately think of digital threats, hackers, firewalls, and encryption. But a significant portion of the standard has always been dedicated to the “real world.” In the transition from the 2013 version to the 2022 update, the rules for protecting your physical space were given a modern makeover.

In the world of information security, the faster you know about a problem, the faster you can stop it from becoming a disaster. When ISO 27001 moved from the 2013 version to the 2022 update, the way we report these “problems” or events, received a much-needed overhaul. Annex A 6.8: Information Security Event Reporting is

If there is one thing that has fundamentally changed the way we work since the last major ISO update, it is the shift to working from anywhere. When ISO 27001:2013 was released, “teleworking” was often a perk for a small group of employees. Today, remote work is a standard operational model. To reflect this reality,

In the transition from ISO 27001:2013 to the 2022 update, the standard underwent a significant structural “clean up.” While many people focus on the brand-new technical controls, some of the most practical changes happened to the way we manage legal and people-centric risks. Annex A 6.6: Confidentiality or Non-Disclosure Agreements (NDAs) is a prime example.

When an employee or contractor leaves your company, they don’t just leave behind their desk and their favourite coffee mug; they leave with a head full of company secrets, processes, and potentially, active access to your most sensitive data. In the shift from ISO 27001:2013 to the 2022 update, the way we handle these departures

When an organisation undergoes the transition from ISO 27001:2013 to the 2022 update, much of the attention naturally goes to technical upgrades like cloud security or threat intelligence. However, some of the most critical changes involve how we manage our people. One such area is the disciplinary process, now found under Annex A 6.4. While

If you have ever been involved in an information security audit, you know that technology is only half the battle. The other half involves the people using that technology. When ISO 27001 shifted from its 2013 version to the 2022 update, the way we handle education and awareness saw a significant shift in perspective. This

If you have been managing information security for any length of time, you know that the “human element” is often the most complex part of the puzzle. When ISO 27001 updated from the 2013 version to the 2022 release, several controls related to people were reshuffled and refined. One of the most essential transitions is

When it comes to information security, we often think about firewalls, encryption, and complex passwords. But as any seasoned security professional will tell you, the biggest risk, and the biggest asset is people. In the transition from ISO 27001:2013 to the 2022 update, the way we “vet” the people we trust with our data has

If you have spent any time with the ISO 27001 standard, you know that documentation is the backbone of a successful Information Security Management System (ISMS). When the standard moved from the 2013 version to the 2022 update, many controls were shifted, merged, or expanded. One of the most essential “day-to-day” controls, Documented Operating Procedures,

When ISO 27001 transitioned from the 2013 version to the 2022 update, many organisations felt a bit like they were learning a new language. While the “grammar” of the management system stayed the same, the “vocabulary” of the Annex A controls was completely rewritten. One of the most important consolidations in this new dictionary is

When ISO 27001 was updated from the 2013 version to the 2022 iteration, many people focused on the shiny new controls like threat intelligence or cloud security. However, some of the most critical changes happened to the “governance” controls, the ones that ensure your security actually works. Annex A 5.35, which covers the Independent Review

If you have been navigating the world of data protection recently, you know that privacy is no longer just a “bonus” feature of information security, it is a central requirement. When ISO 27001 transitioned from the 2013 version to the 2022 update, one of the most significant shifts occurred in how we handle Personally Identifiable

If you have been managing an Information Security Management System (ISMS) for a few years, you are likely aware that the ISO 27001 standard recently had a major refresh. While the management system itself stayed mostly the same, the Annex A controls, the specific actions we take to secure data, were rearranged and modernised. One

If you have been working with information security standards for a while, you’ll know that the transition from ISO 27001:2013 to the 2022 update brought about some significant housekeeping. One of the areas that saw a shift in placement, though its core mission remains vital is the protection of Intellectual Property Rights (IPR). In the

If you have been working within the world of information security for a while, you probably know that ISO 27001 underwent a significant facelift recently. We moved from the familiar 2013 version to the more modern 2022 iteration. While the core management system requirements stayed relatively stable, the Annex A controls, the “bread and butter”

If you have been keeping up with the world of information security, you know that the transition from ISO 27001:2013 to the 2022 version brought some significant shifts. One of the most notable additions to the framework is Annex A 5.30, titled “ICT Readiness for Business Continuity.” If you are searching for where this lived

If you have been working with information security frameworks for a while, you know that the only constant is change. When the ISO 27001 standard was updated from the 2013 version to the 2022 version, it brought about a significant reorganization of the Annex A controls. One of the most talked-about shifts is how the

If you have ever been involved in a security breach or a legal dispute involving digital data, you know that having “some information” is not the same as having “admissible evidence.” In the shift from ISO 27001:2013 to the 2022 update, the standard has placed a much clearer spotlight on how we handle the trail

In the world of information security, experience is the best teacher but only if you actually take the time to listen. The transition from ISO 27001:2013 to the 2022 update brought a significant refinement to how organizations should process their failures. This is found in Annex A 5.27: Learning from information security incidents. If you

When a security incident hits, the difference between a minor hiccup and a business-ending catastrophe often comes down to one thing: the quality of your response. ISO 27001 has always mandated that organizations react to incidents, but the transition from the 2013 version to the 2022 update has refined how we handle the “heat of

In the world of information security, not every digital “ping” or system anomaly is a catastrophe. However, the ability to quickly distinguish a routine event from a full-blown crisis is what separates resilient organisations from those that end up in the headlines. This is exactly what Annex A 5.25: Assessment and Decision on Information Security

In the world of cybersecurity, it is no longer a matter of “if” an incident will occur, but “when.” ISO 27001 has always prioritised being ready for that moment, but the way it asks us to prepare has evolved significantly. If you are shifting from the 2013 version of the standard to the 2022 update,

For nearly a decade, the ISO 27001:2013 standard served as the gold standard for information security. However, back in 2013, the “cloud” was often treated as just another type of outsourcing. Fast forward to the 2022 update, and the reality has shifted. Most businesses now live in the cloud. Recognising this, the updated standard introduced

Managing information security within your own four walls is challenging enough, but ensuring your suppliers are keeping up their end of the bargain is a whole different ball game. In the jump from ISO 27001:2013 to the 2022 version, the standard sharpened its focus on how we oversee these external partners. This brings us to

In the world of information security, your protection is only as strong as the weakest link in your chain. Increasingly, that link isn’t inside your office—it is somewhere deep within your Information and Communications Technology (ICT) supply chain. With the release of ISO 27001:2022, the standard has taken a much more aggressive stance on how

In the transition from the 2013 version of ISO 27001 to the 2022 update, many organisations have found that the “Supplier Management” domain has received a significant level of attention. While the previous article in this series touched on the overarching relationship management (Annex A 5.19), Annex A 5.20 specifically zooms in on the legal

In the modern business landscape, very few companies operate in a vacuum. We rely on cloud providers, software vendors, and specialized consultants to keep the wheels turning. This interconnectedness is a superpower, but from a security perspective, it is also a significant vulnerability. ISO 27001 has always recognized this, but the 2022 update brings a

When it comes to information security, knowing “who can do what” is just as important as knowing “who is on the system.” While identity management tells us who a user is, access rights define their powers. In the jump from ISO 27001:2013 to the 2022 version, this critical area was reshaped into Annex A 5.18,

When you think about information security, “Authentication Information” is often the first line of defence that comes to mind. It is the secret handshake, the passwords, tokens, and biometrics, that proves you are who you say you are. In the transition from ISO 27001:2013 to the 2022 version, this area saw a significant structural facelift.

If you have been working with the ISO 27001 standard for a few years, you likely remember the 2013 version as a fairly rigid framework. It served us well, but as we moved further into the era of cloud computing and remote working, it became clear that the way we manage who people are in

If you have been navigating the world of information security for a while, you know that keeping up with ISO standards can feel like chasing a moving target. With the release of ISO 27001:2022, many professionals are scratching their heads wondering exactly how their existing controls have shifted. One of the most significant areas of

If you have been working within the world of information security for a while, you know that ISO 27001 isn’t a “set it and forget it” kind of standard. It breathes and evolves just like the technology it protects. One of the most talked-about shifts in the 2022 update involves how we handle the movement

If you have already worked through your information classification scheme in Annex A 5.12, you have essentially decided how valuable your data is. But classification is only half the battle; the next step is making those decisions visible to the people and systems that handle the data. This is where Annex A 5.13, “Labelling of

If you have ever felt that information security is mostly about gatekeeping, Annex A 5.12 is here to remind us that it is actually about value. You cannot protect every piece of data with the same level of intensity, it’s simply not practical or cost-effective. This is why we classify information. As we move from

Offboarding an employee used to be relatively simple: you’d collect their building pass, take back their laptop, and wish them well. But in today’s world of remote work, cloud accounts, and personal devices, “getting your stuff back” has become significantly more complex. This is where ISO 27001:2022 Annex A 5.11, “Return of Assets,” comes into

One of the most practical controls in the ISO 27001 framework is the “Acceptable Use Policy” (AUP). It’s the set of rules that tells everyone, from the CEO to the newest intern, what they can and cannot do with the company’s laptops, data, and systems. In the 2022 update of the standard, this control was

When it comes to fraud prevention and error reduction, one of the most effective tools in your security toolkit is the concept of “never letting one person hold all the keys.” In the world of ISO 27001, this is formally known as Segregation of Duties (SoD). If you are moving from the 2013 version of

When it comes to information security, one of the most dangerous phrases an organisation can hear is “I thought the other person was doing that.” Ambiguity is the enemy of security, and that is exactly what Annex A 5.2 aims to eliminate. If you are currently transitioning from the 2013 version of ISO 27001 to

If you are transitioning your Information Security Management System (ISMS) from the 2013 version of ISO 27001 to the 2022 update, one of the first things you will notice is a change in how policies are structured. In the older version, policies were split across multiple controls. Now, they have been brought together under a

Asset management has always been the bedrock of a solid Information Security Management System (ISMS). After all, you cannot protect what you don’t know you have. However, as our work environments have shifted from physical filing cabinets to complex cloud infrastructures and virtual machines, the standard had to evolve. This evolution is most evident in

If you have been managing information security for a while, you know that security is often treated as an afterthought in project management. The ISO 27001 standard has always tried to fix this, but with the release of the 2022 update, the requirements have become much clearer and more structured. One of the most significant

If you have been keeping an eye on the world of information security, you likely know that ISO 27001 underwent a significant facelift recently. One of the most talked-about additions is Annex A 5.7, which focuses on Threat Intelligence. But if you are coming from the 2013 version of the standard, you might be wondering:

If you have been working with information security standards for a while, you know that ISO 27001 isn’t a static document. It evolves to keep pace with an increasingly complex digital landscape. One of the specific areas that often sparks questions during a transition is Annex A 5.6, which deals with “Contact with special interest

If you are preparing for an internal audit or transitioning your Information Security Management System (ISMS) to the latest standards, you have likely noticed that the landscape has shifted. One specific area that requires a closer look is how your organisation interacts with the outside world—specifically, government bodies and regulators. This brings us to the

If you have been working with ISO 27001 for a while, you know that the 2022 update brought some significant shuffling to the Annex A controls. One of the most critical areas for any Information Security Management System (ISMS) is how leadership stays involved. In the 2022 version, this is covered under Control 5.4: Management