What Changed Between the 2013 and 2022 Versions? ISO 27001:2022 Annex A 8.3, Information Access Restriction


If you have worked with information security standards for any length of time, you know that the move from ISO 27001:2013 to ISO 27001:2022 was largely a reorganisation: the 114 controls in 14 domains became 93 controls in four themes (organisational, people, physical and technological), with 11 new controls and a large number of merges. Most of the underlying principles survived, but they were regrouped to suit a cloud-heavy, heavily outsourced environment. One control that changed subtly but meaningfully is Information Access Restriction, which is now Annex A 8.3.

In the 2013 standard this requirement was control A.9.4.1. In the 2022 standard it is Annex A 8.3; the nearby 8.19 is a different control altogether (installation of software on operational systems), so take care when citing it. Let's look at what actually changed and why it matters for your compliance journey.

The Shift from 9.4.1 to 8.3

In ISO 27001:2013 the control for restricting access to information sat in the "Access control" domain (A.9) as 9.4.1, Information access restriction. Its requirement was simple: access to information and application system functions shall be restricted in accordance with the access control policy.

In the 2022 update the control has been rehomed as Annex A 8.3 under the Technological controls theme, and its wording now covers "information and other associated assets" rather than "information and application system functions". This is not just renumbering; it reflects a broader view of what gets accessed and how. As Hightable.io notes, the 2022 control set is attribute-driven: every control carries attributes such as control type, information security property, cybersecurity concept and operational capability, so you can filter the controls by the kind of risk they treat. 8.3 is typed "Preventive", its cybersecurity concept is "Protect" and its operational capability is "Identity and access management": the intent is to stop unauthorised access before it happens rather than merely detect it afterwards.

What Is New in the 2022 Guidance?

The core idea behind Annex A 8.3 is still need-to-know and least privilege: a user (or a service account) gets access only to the data and functions their job requires, and nothing more. What the 2022 guidance in ISO/IEC 27002 adds is a more comprehensive picture of what "restriction" means in a modern estate: not only whether someone can read a file, but which functions of an application they can invoke, whether read, write, delete and execute are granted separately, whether output such as printing, copying or export is limited, and whether the access is time-limited.

One key addition is dynamic access management. Under the 2013 regime access was usually static: you were granted a set of permissions and they stayed that way until someone remembered to revoke them. The 2022 guidance explicitly discusses dynamic, context-aware access. As Hightable.io highlights, that means a decision considers not only who is asking, but from where (network location), on what device (managed or not), at what time, and for what classification of data, and the access can expire automatically or be withdrawn when the context changes.
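The following is an added example, not code from the original article or from any standard or vendor: a small default-deny policy evaluator that layers the context checks described above (managed device, corporate network, business hours) on top of a static role check. The roles, datasets, classifications and network ranges are constructed for illustration; the real policy would come from your own access control policy and identity provider.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed, hypothetical policy data for illustration; nothing here is from the standard.
# Static RBAC: which (dataset, action) pairs each role grants.
ROLE_PERMISSIONS = {
    "finance-analyst": {("ledger", "read"), ("payroll", "read")},
    "payroll-admin": {("payroll", "read"), ("payroll", "write")},
    "helpdesk": {("directory", "read")},
}

# Classification decides how much context a request must satisfy.
DATASET_CLASSIFICATION = {
    "ledger": "internal",
    "payroll": "confidential",
    "directory": "internal",
}

# Context rules for confidential data: corporate network, managed device, business hours.
CORPORATE_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
BUSINESS_HOURS = range(7, 19)  # 07:00 to 18:59 local time


@dataclass(frozen=True)
class Request:
    user: str
    roles: frozenset
    dataset: str
    action: str
    source_ip: str
    device_managed: bool
    local_hour: int


def role_allows(roles, dataset, action):
    """Static part: some role held by the requester grants (dataset, action)."""
    return any((dataset, action) in ROLE_PERMISSIONS.get(r, set()) for r in roles)


def context_allows(req, classification):
    """Dynamic part: returns (allowed, reason). Only confidential data needs context checks."""
    if classification != "confidential":
        return True, "internal data: role check sufficient"
    if not req.device_managed:
        return False, "unmanaged device"
    if not any(ip_address(req.source_ip) in net for net in CORPORATE_NETWORKS):
        return False, "source outside corporate network"
    if req.local_hour not in BUSINESS_HOURS:
        return False, "outside business hours"
    return True, "context satisfied"


def decide(req):
    """Default-deny decision: unknown data, no granting role, or failed context all deny."""
    classification = DATASET_CLASSIFICATION.get(req.dataset)
    if classification is None:
        return False, "unknown dataset"
    if not role_allows(req.roles, req.dataset, req.action):
        return False, "no role grants this action"
    return context_allows(req, classification)


def check(user, roles, dataset, action, source_ip, device_managed, local_hour):
    """Convenience wrapper so callers need not build a Request themselves."""
    return decide(Request(user, frozenset(roles), dataset, action,
                          source_ip, device_managed, local_hour))


if __name__ == "__main__":
    # Same user, same role: the answer changes with device, network and time of day.
    for args in [
        ("alice", ["finance-analyst"], "ledger", "read", "203.0.113.5", False, 22),
        ("alice", ["finance-analyst"], "payroll", "read", "10.1.2.3", True, 9),
        ("alice", ["finance-analyst"], "payroll", "read", "203.0.113.5", True, 9),
        ("alice", ["finance-analyst"], "payroll", "write", "10.1.2.3", True, 9),
        ("bob", ["payroll-admin"], "payroll", "write", "10.1.2.3", True, 21),
    ]:
        print(args[0], args[2], args[3], "->", check(*args))
```

The ordering matters: the role check runs first, so a missing entitlement is refused before any context is consulted, and every branch that is not an explicit allow returns a denial with a reason you can log. In a real deployment the context attributes would come from your identity provider and device management platform rather than from the caller.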

Key Differences in Implementation

When you update your Statement of Applicability (SoA) from the 2013 numbering to the 2022 numbering, you will notice a few practical differences in how Annex A 8.3 is approached:

  • Granularity of control: the 2022 guidance expects restriction at the level of the application function and the data item, not just the share or folder. Read, write, delete and execute rights should be assigned separately, and sensitive applications or data may need to be isolated from general-purpose systems.
  • Integration with other controls: 8.3 sits alongside controls that are new in 2022, in particular 8.11 Data masking and 8.12 Data leakage prevention, as well as 8.2 Privileged access rights and 5.18 Access rights. Restricting access is one part of a wider data protection strategy, not the whole of it.
  • Review and audit: the 2013 standard already required periodic review of user access rights (9.2.5). The 2022 guidance is more explicit that reviews must be regular, documented and acted on, so that "access creep" (permissions accumulating as people change roles) does not erode the restriction over time.

The reason this matters more now than it did in 2013 is the complexity of modern data environments. Between the two editions most organisations moved the bulk of their workloads to the cloud. You are no longer locking one digital door; you are managing thousands of permissions across SaaS platforms, cloud consoles and data stores, each with its own permission model.

Annex A 8.3 is written for that world. It moves away from the perimeter mindset and focuses on the data and the functions that act on it. If you run AI-driven assistants or enterprise search across your data, the same restrictions have to apply to them: an indexing or retrieval tool that runs under a broad service identity can surface information to people who would never have been granted direct access. Such tools should either query on behalf of the user with that user's permissions or index only what the intended audience is entitled to see, and that behaviour should be verified, not assumed.

Practical Tips for Your Transition

If you are moving your ISMS from the 2013 version to the 2022 version, here are a few steps to make sure your information access restriction is up to scratch:

  1. Map 9.4.1 to 8.3: update your SoA, policies and procedures to the new numbering, and check that your existing measures actually prevent unauthorised access rather than merely log it, since 8.3 is a preventive control.
  2. Implement role-based access control (RBAC): if you have not already, move away from per-user permissions towards role definitions tied to job functions. Roles are easier to review, and a reviewer can compare what a role grants against what its holders actually use.
  3. Check your cloud permissions: use the transition as the trigger for an audit of identities in your cloud and SaaS tenants. Many organisations find over-privileged or dormant accounts (leavers, contractors, service accounts) that were set up years ago and forgotten; revoke what is unused and record the decision.
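As an added example (not from the original article, and not a vendor tool), here is the kind of review a practitioner would run over an exported list of role grants to support steps 2 and 3: it flags grants held by leavers, grants never exercised, and grants unused for longer than a threshold, and it right-sizes roles by reporting permissions no current holder has used. The grants, roster, role definitions and access log are constructed sample data; a real run would take the export from your identity provider and the usage data from your cloud audit logs.

```python
from datetime import date

# Constructed, hypothetical IAM export: (user, role, granted_on, last_used); None = never used.
GRANTS = [
    ("alice", "finance-analyst", date(2021, 3, 1), date(2024, 5, 20)),
    ("alice", "payroll-admin", date(2019, 6, 1), date(2022, 1, 15)),   # stale elevated role
    ("bob", "helpdesk", date(2023, 9, 1), date(2024, 5, 29)),
    ("carol", "payroll-admin", date(2020, 1, 10), None),               # granted, never exercised
    ("dave", "finance-analyst", date(2018, 2, 2), date(2023, 11, 3)),  # dave has left the organisation
]

# Constructed HR roster of current staff; dave's account was never cleaned up.
ROSTER = {"alice", "bob", "carol"}

# Constructed role definitions and the access log for the review window.
ROLE_PERMISSIONS = {
    "finance-analyst": {("ledger", "read"), ("payroll", "read"), ("payroll", "export")},
    "payroll-admin": {("payroll", "read"), ("payroll", "write")},
    "helpdesk": {("directory", "read")},
}
ACCESS_LOG = [
    ("alice", "ledger", "read"),
    ("alice", "payroll", "read"),
    ("bob", "directory", "read"),
]

# Date the review is run against (fixed so the example is reproducible).
REVIEW_DATE = date(2024, 6, 1)


def review_grants(grants, roster, today, stale_days=90):
    """Flag grants that should be revoked: leavers, never-used grants and stale grants.

    Returns a list of (user, role, finding, detail) tuples."""
    findings = []
    for user, role, granted_on, last_used in grants:
        if user not in roster:
            findings.append((user, role, "leaver", "account holder not on current roster"))
        elif last_used is None:
            findings.append((user, role, "never_used",
                             f"granted {granted_on.isoformat()}, never exercised"))
        elif (today - last_used).days > stale_days:
            idle = (today - last_used).days
            findings.append((user, role, "stale", f"last used {idle} days ago"))
    return findings


def unexercised_permissions(grants, role_permissions, access_log):
    """Right-size roles: permissions a role grants that no current holder used in the window."""
    events = set(access_log)
    result = {}
    for role, perms in role_permissions.items():
        holders = {u for u, r, _, _ in grants if r == role}
        exercised = {(d, a) for u, d, a in events if u in holders and (d, a) in perms}
        unused = perms - exercised
        if unused:
            result[role] = sorted(unused)
    return result


if __name__ == "__main__":
    for finding in review_grants(GRANTS, ROSTER, REVIEW_DATE):
        print("REVOKE", *finding)
    for role, perms in unexercised_permissions(GRANTS, ROLE_PERMISSIONS, ACCESS_LOG).items():
        print("TRIM", role, perms)
```

Note that a permission exercised by one holder keeps it in the role for everyone, which is why role trimming is a complement to per-grant review rather than a substitute: alice's use of payroll read justifies that permission in payroll-admin, but it does not justify carol holding the role at all. Record each revocation and each "keep" decision, since the documented review is what an auditor will ask for under 8.3 and 5.18.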

Ultimately, the change to Annex A 8.3 is about making access restriction more robust and adaptable. Follow the ISO/IEC 27002:2022 guidance, use resources such as Hightable.io for the attribute mapping, and review what your identities can actually do rather than what your policy says they should do, and your organisation will be not just compliant but genuinely harder to breach.