When you are updating your Information Security Management System (ISMS), the jump from the 2013 version of ISO 27001 to the 2022 revision can feel like a major undertaking. While many controls have simply been merged or renamed, some have evolved to reflect the complex digital world we now live in. One of the most critical updates is Annex A 8.3: Information Access Restriction.
If you were used to the old Control 9.4.1, you will notice that the 2022 version is no longer just about “keeping people out.” It is about a sophisticated, risk-based approach to how information is shared and protected in real time. Let’s break down the key differences and what you need to do to stay compliant.
The Evolution from Control 9.4.1 to Annex A 8.3
In the ISO 27001:2013 version, this requirement lived under Control 9.4.1 (Information access restriction). It was tucked away in the “Access Control” domain. In the 2022 update, the standard moved to a more streamlined structure of four themes: Organisational, People, Physical, and Technological.
Annex A 8.3 now falls under the Technological theme. This move signals a shift from purely policy-driven security to a more integrated, technical enforcement model. According to the experts at Hightable.io, the primary goal remains the same: restricting access based on business need. The 2022 version, however, introduces the concept of dynamic access management, which was missing from its predecessor.
What Exactly is Information Access Restriction?
Annex A 8.3 is designed to ensure that access to information and other associated assets is restricted in accordance with an established topic-specific policy. Essentially, it is the technical “gatekeeper” of your data. Being “on the network” should not, by itself, grant a user access to every folder, database, or mailbox.
The 2022 standard emphasizes that this isn’t just a manual list of users. It involves:
- Enforcing the Principle of Least Privilege (PoLP).
- Restricting specific functions like read, write, delete, and execute.
- Controlling output capabilities, such as printing or data exporting.
Key Changes and New Requirements in the 2022 Version
While the 2013 version was relatively static, the 2022 update introduces several modern nuances:
- Dynamic Access Management: This is the biggest addition. The 2022 version suggests that access shouldn’t just be “on or off.” Instead, it can be dynamic, changing based on the user’s location, the device they are using, or the time of day.
- Granular Control: There is a much heavier emphasis on “file-level” or “row-level” security. Rather than just locking a folder, the standard encourages organisations to look at the specific data within it.
- Real-Time Monitoring: Annex A 8.3 now integrates more closely with monitoring. If a user attempts to access data they are not authorised for, the system should be able to alert the security team immediately.
- Attribute Tagging: Like all 2022 controls, A 8.3 uses “attributes.” It is classified as a Preventive control. As Hightable.io points out, this helps you map the control directly to NIST or CIS frameworks more easily than before.
The Shift to Dynamic Access Management
Why did ISO add “dynamic” access? Because the way we work has changed. In 2013, most people worked in an office on a company-owned PC. Today, employees access sensitive data from coffee shops, home offices, and mobile phones.
Annex A 8.3 suggests that your systems should be smart enough to say: “You can access this HR file while you are in the office on a secure laptop, but you cannot open it while you are on public Wi-Fi using a personal phone.” This layer of context-aware security is a hallmark of the 2022 revision.
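The decision described above can be modelled as an attribute-based policy decision point that looks at the user’s roles, the resource’s classification, the specific function requested (read, write, delete, export) and the request context (network, device, time of day), and raises an alert when confidential data is requested in a way the policy forbids. The example below is added here for illustration; it is not code from the original article or from Hightable.io, and all role names, classifications, thresholds and sample requests are constructed assumptions.

```python
"""
Added example: a minimal attribute-based policy decision point (PDP) that
illustrates the "dynamic access" and "real-time monitoring" ideas of
Annex A 8.3. Roles, classifications, policy rules and sample values are
assumptions made for this example, not part of any standard or product.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Subject:
    user: str
    roles: frozenset          # e.g. frozenset({"staff", "hr"})


@dataclass(frozen=True)
class Resource:
    name: str
    classification: str       # assumed scheme: "public" | "internal" | "confidential"


@dataclass(frozen=True)
class Context:
    network: str              # assumed values: "office" | "vpn" | "public"
    device_managed: bool      # True for a corporate, managed device
    hour: int                 # local hour of day, 0-23


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    alert: bool = False       # True -> notify the security team (monitoring hook)


# Static part of the policy: which functions each role may use on each
# classification. Anything not listed is denied (least privilege, deny by default).
ROLE_PERMISSIONS = {
    ("staff", "public"):       {"read"},
    ("staff", "internal"):     {"read", "write"},
    ("hr", "confidential"):    {"read", "write", "export"},
    ("admin", "confidential"): {"read", "write", "delete"},
}

# "Output" functions (A 8.3 calls out printing and exporting) get the strictest context rules.
OUTPUT_FUNCTIONS = {"export", "print"}
BUSINESS_HOURS = range(8, 18)  # assumed 08:00-17:59


def permitted_functions(subject: Subject, resource: Resource) -> set:
    """Union of the functions any of the subject's roles grants on this classification."""
    allowed = set()
    for role in subject.roles:
        allowed |= ROLE_PERMISSIONS.get((role, resource.classification), set())
    return allowed


def decide(subject: Subject, resource: Resource, function: str, ctx: Context) -> Decision:
    """Evaluate one access request. Denials involving confidential data are flagged for alerting."""
    sensitive = resource.classification == "confidential"

    # 1. Role gate: is this function permitted at all for this user on this data?
    if function not in permitted_functions(subject, resource):
        return Decision(False, f"'{function}' not permitted for roles {sorted(subject.roles)}", alert=sensitive)

    # 2. Dynamic gate: context conditions that only apply to confidential data.
    if sensitive:
        if not ctx.device_managed:
            return Decision(False, "confidential data requires a managed device", alert=True)
        if ctx.network == "public":
            return Decision(False, "confidential data is not available over public networks", alert=True)
        if function in OUTPUT_FUNCTIONS and (ctx.network != "office" or ctx.hour not in BUSINESS_HOURS):
            return Decision(False, "export/print of confidential data only in the office during business hours", alert=True)

    return Decision(True, "all policy conditions satisfied")


def run_scenarios() -> list:
    """The article's HR-file scenario and a few variations; returns (label, Decision) pairs."""
    alice = Subject("alice", frozenset({"staff", "hr"}))      # constructed user
    payroll = Resource("hr/payroll.xlsx", "confidential")       # constructed resource
    office_laptop = Context("office", True, 10)
    cafe_phone = Context("public", False, 10)
    return [
        ("alice reads payroll from office laptop", decide(alice, payroll, "read", office_laptop)),
        ("alice reads payroll on public Wi-Fi, personal phone", decide(alice, payroll, "read", cafe_phone)),
        ("alice exports payroll over VPN", decide(alice, payroll, "export", Context("vpn", True, 10))),
        ("alice deletes payroll from office laptop", decide(alice, payroll, "delete", office_laptop)),
    ]


if __name__ == "__main__":
    for label, d in run_scenarios():
        print(f"{'ALLOW' if d.allowed else 'DENY '} {'[ALERT]' if d.alert else '       '} {label}: {d.reason}")
```

The ordering matters: the static role check runs first so that a denial tells the reviewer whether the problem is an entitlement (fix the role) or a context condition (the user needs a managed device or a trusted network). Denials that touch confidential data set `alert=True`, which is where a real deployment would hand off to the SIEM or ticketing system.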
Practical Steps for Your Transition
If you are migrating your ISMS, you don’t need to start from scratch. However, you should take the following steps to meet the new A 8.3 criteria:
- Update Your Access Control Policy: Ensure your policy mentions how access is restricted (e.g., Role-Based Access Control or Attribute-Based Access Control).
- Review Your Permissions: Perform a deep-clean of your current permissions. Remove “ghost” accounts and ensure that no one has “blanket” admin access unless strictly necessary.
- Implement Technical Barriers: Move beyond simple passwords. Use Multi-Factor Authentication (MFA) and conditional access rules that reflect the “dynamic” guidance of the new standard.
- Document Your Reviews: Auditors love evidence. As highlighted by Hightable.io, you must be able to prove that you regularly review who has access to what and why.
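One way to turn the “review your permissions” and “document your reviews” steps into repeatable evidence is a small script that runs over an account export and records its findings (dormant “ghost” accounts, accounts with no accountable owner, admin roles without a recorded justification) together with the review date and reviewer. The example below is added here and is not code from the original article or from Hightable.io; the account data, field names, the 90-day dormancy threshold and the change-ticket reference are constructed assumptions.

```python
"""
Added example: a periodic access review over a constructed account export,
producing a dated review record an auditor can be shown. Field names,
thresholds and sample accounts are assumptions, not a real directory schema.
"""
from datetime import date

INACTIVE_AFTER_DAYS = 90            # assumed threshold for a dormant ("ghost") account
SAMPLE_REVIEW_DATE = date(2024, 6, 1)  # constructed review date

# Constructed sample export (roughly what a parsed directory/IAM dump might look like).
SAMPLE_ACCOUNTS = [
    {"user": "alice",      "roles": ["staff", "hr"],    "last_login": date(2024, 5, 28), "owner": "HR",    "admin_justification": None},
    {"user": "bob",        "roles": ["staff", "admin"], "last_login": date(2024, 5, 30), "owner": "IT",    "admin_justification": None},
    {"user": "carol",      "roles": ["staff", "admin"], "last_login": date(2024, 5, 29), "owner": "IT",    "admin_justification": "CHG-XXXX (placeholder ticket): platform on-call"},
    {"user": "svc_backup", "roles": ["staff"],          "last_login": date(2023, 11, 1), "owner": None,    "admin_justification": None},
    {"user": "dave",       "roles": ["staff"],          "last_login": date(2024, 1, 15), "owner": "Sales", "admin_justification": None},
]


def review_accounts(accounts: list, today: date) -> list:
    """Return (user, finding_type, detail) tuples for every account that needs attention."""
    findings = []
    for acct in accounts:
        idle_days = (today - acct["last_login"]).days
        if idle_days > INACTIVE_AFTER_DAYS:
            findings.append((acct["user"], "dormant", f"no login for {idle_days} days"))
        if acct["owner"] is None:
            findings.append((acct["user"], "no-owner", "no accountable owner recorded"))
        if "admin" in acct["roles"] and not acct["admin_justification"]:
            findings.append((acct["user"], "blanket-admin", "admin role without a recorded business justification"))
    return findings


def review_record(accounts: list, today: date, reviewer: str) -> dict:
    """Assemble the evidence record for one review cycle (who reviewed what, when, and what was found)."""
    findings = review_accounts(accounts, today)
    return {
        "review_date": today.isoformat(),
        "reviewer": reviewer,
        "accounts_reviewed": len(accounts),
        "findings": findings,
        "accounts_with_findings": sorted({user for user, _, _ in findings}),
    }


if __name__ == "__main__":
    record = review_record(SAMPLE_ACCOUNTS, SAMPLE_REVIEW_DATE, "reviewer name (placeholder)")
    print(f"Access review {record['review_date']} by {record['reviewer']}: "
          f"{record['accounts_reviewed']} accounts, {len(record['findings'])} findings")
    for user, kind, detail in record["findings"]:
        print(f"  {user:<12} {kind:<14} {detail}")
```

Each finding is a separate line so the remediation (disable the account, assign an owner, record or remove the admin grant) can be tracked individually, and the record itself, once stored with the reviewer’s sign-off, is exactly the kind of artefact the “Document Your Reviews” step asks for.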

Why the Change Matters
The move from 9.4.1 to 8.3 isn’t just about changing a number. It is about moving from “compliance on paper” to “operational security.” In the 2013 era, many organisations passed audits by showing a policy. In the 2022 era, auditors will want to see how your technology actually enforces that policy in a world of remote work and cloud services.
By implementing the more granular, dynamic controls suggested in Annex A 8.3, you aren’t just ticking a box. You are significantly reducing the risk of data exfiltration and internal data breaches.
Final Thoughts on the Transition
The transition to ISO 27001:2022 Annex A 8.3 is an opportunity to modernise your security architecture. While the language might seem more technical, the result is a much more resilient organisation. Focus on automating your access reviews and moving toward context-aware security, and you will find that the 2022 requirements are actually much more aligned with how modern businesses operate.
