ISO-27001 2013 vs ISO-27001 2022: What’s changed?

Updated: 23 May, 2024

17 November, 2023

CyberSec ISO-27001

What is ISO-27001?

ISO-27001 is the international standard that specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) within the context of the organization. The standard was first published in 1999 and has gone through several revisions since then. The latest revision, ISO-27001:2022, was published on October 25, 2022, and it brings some changes compared to the previous version, ISO-27001:2013. In this blog post, we will highlight the key differences between the two versions and explain which one might be preferrable and why.


Key Takeaways:

  • The primary sections (clauses 4 to 10) of ISO-27001:2022 have seen subtle changes, aligning more with other ISO management standards. Notably, new requirements focus on understanding the needs of interested parties, planning for ISMS processes, clarifying the term “business” in leadership, and emphasizing controlled planning for ISMS changes.
  • The most impactful alterations are found in Annex A, where security controls are outlined. The controls have decreased from 114 to 93, organized into four themes: Organizational, People, Physical, and Technical.
  • ISO-27001:2022 introduces 11 new controls, emphasizing areas such as information security roles and responsibilities, secure system engineering principles, and restrictions on software installation. The addition of controls enhances the standard’s coverage and adaptability to evolving security challenges.


What has changed?

The main part of ISO-27001, i.e., clauses 4 to 10, has changed only slightly, mainly to align with other ISO management standards. Includes ISO 9001 and ISO 14001, and with Annex SL, the common structure and terminology for all ISO management system standards. Some of the changes in this part of the standard are:

  • In clause 4.2 (Understanding the needs and expectations of interested parties), a new bullet point was added requiring an analysis of which of the interested party requirements must be addressed through the ISMS.
  • In clause 4.4 (Information security management system), a phrase was added requiring planning for processes and their interactions as part of the ISMS.
  • In clause 5.1 (Leadership and commitment), a note was added to clarify the term “business” as any activity that is conducted by the organization, whether for profit or not.
  • In clause 6.3 (Planning of changes), a new section was added to specify the requirements for planning and implementing changes to the ISMS in a controlled manner.
  • In clause 8.3 (Information security risk treatment), a note was added to emphasize that risk treatment options are not limited to the controls in Annex A, and that other sources of guidance can be used.


The most significant changes

The most significant changes in ISO-27001:2022 are in Annex A, which contains the security controls that can be implemented to address the information security risks identified by the organization. The number of controls has decreased from 114 to 93, and they are organized into four themes, instead of the previous 14 sections. The four themes are:

  • Organizational: These controls relate to the governance, policies, roles, responsibilities, and processes of the ISMS.
  • People: These controls relate to the awareness, training, competence, and behavior of the people involved in the ISMS.
  • Physical: These controls relate to the protection of physical assets, such as buildings, equipment, and media, from unauthorized access, damage, or theft.
  • Technical: These controls relate to the protection of information systems, networks, and applications from cyberattacks, malware, and other threats.


New controls

There are 11 new controls in ISO-27001:2022, while none of the controls were deleted, and many controls were merged. Some of the new controls are:

  • A.5.1.2: Information security roles and responsibilities: This control requires the assignment of information security roles and responsibilities at all levels of the organization, and the communication of these roles and responsibilities to the relevant parties.
  • A.6.1.5: Information security in project management: This control requires the integration of information security requirements and controls into the project management processes, and the consideration of information security risks and opportunities throughout the project lifecycle.
  • A.8.2.3: Disposal of media: This control requires the secure disposal of media containing information, and the verification of the effectiveness of the disposal methods.
  • A.9.4.2: Secure system engineering principles: This control requires the application of secure system engineering principles and techniques to the design, development, testing, and maintenance of information systems.
  • A.12.6.2: Restrictions on software installation: This control requires the restriction of software installation on organizational information systems, and the verification of the authenticity and integrity of software before installation.

The 2022 version of ISO-27001 also includes some changes in the terminology, definitions, and references, to align with the latest versions of other standards, such as ISO 31000 (risk management), ISO 27000 (information security fundamentals and vocabulary), and ISO 27002 (code of practice for information security controls).


So, which version of ISO-27001 is better and why?

The answer depends on the context and needs of each organization. However, some general advantages and disadvantages of each version can be summarized as follows:

  • ISO-27001 2013: This version is more familiar and widely used by organizations around the world. It has more detailed and specific controls, which can provide more guidance and assurance for information security. However, it is also more complex and rigid, which can make it harder to adapt to the changing business and technological environment. It is also less aligned with other ISO management standards, which can create challenges for integration and consistency.
  • ISO-27001 2022: This version is more modern and flexible, which can make it easier to customize and implement for different organizations and scenarios. It has fewer and simpler controls, which can reduce the burden and cost of information security. However, it is also less mature and tested, which can create uncertainty and confusion for information security. It is also more aligned with other ISO management standards, which can facilitate integration and consistency.


Using OWASP SAMM with SAMMY Implementation Over ISO-27001

When it comes to ensuring robust information security practices, organizations often face the decision of choosing between different frameworks. While ISO-27001, a well-established international standard, has been widely adopted, there is an alternative that offers a fresh perspective and a more targeted approach. OWASP SAMM (Software Assurance Maturity Model) with SAMMY implementation. In this section, we will explore the advantages of using OWASP SAMM with SAMMY over ISO-27001, highlighting its adaptability, focus on software security, and its ability to address emerging threats. 

One of the key advantages of implementing OWASP SAMM with SAMMY is its strong emphasis on software security. Unlike ISO-27001, which provides a broader overview of information security management systems, OWASP SAMM specifically targets software security. This model recognizes the critical role that software plays in modern organizations and equips them with the necessary tools to effectively mitigate software-specific risks.

You could also use SAMMY to manage ISO27001-2022. The utilization of SAMMY for managing ISO27001:2022 offers the ability to concurrently manage OWASP SAMM. It is noteworthy that ISO and OWASP SAMM demonstrate a T-shaped convergence, which provides an in-depth assessment of Application Security (AppSec).


Finally, the dynamic nature of cybersecurity threats demands a proactive and adaptable approach. OWASP SAMM with SAMMY excels in this aspect by providing a flexible and evolving framework. While ISO-27001 has periodic revisions, OWASP SAMM is designed to address emerging threats continuously. With SAMMY, organizations can stay ahead of the rapidly evolving cybersecurity landscape, ensuring that their software security practices remain up to date.


Want to learn more about ISO-27001? Have a read on “Is ISO-27001 Worth It?”:


Leo is a Market Analyst at Codific. He is currently doing his Bachelor's degree in International Business Management at the Geneva Business School where he is consistently top of class. Leo writes about topics ranging from patient centered care to data protection strategies. If you have questions, reach out to me hereContact