Understand what has changed in ISO 27001:2022 and why

ISO/IEC 27001 is the world's best-known standard for implementing and maintaining information security management systems.

Applicable to companies of any size and in any sector, the standard provides a series of guidelines and procedures for establishing, maintaining and continually improving information security management systems.

The latest version of ISO/IEC 27001 was published in October 2022 and provides organizations with up-to-date security controls in line with the current threat landscape and cybersecurity trends. 

What has changed in the new version of ISO 27001?

Check out the main changes in ISO/IEC 27001:2022 compared to ISO/IEC 27001:2013! 

Grouping of controls into four themes

Replacing the original structure of 14 security control domains, the new version of ISO/IEC 27001:2022 introduces control segmentation into four broad categories: organizational, human, technological and physical. 

Updated controls

One of the most substantial changes is in Annex A, which has been reorganized, updated and extended to align with ISO 27002:2022, a complementary standard that supports ISO 27001 and offers additional details on information security controls.

Instead of 114 security controls, ISO/IEC 27001:2022 now has 93. While some controls have been merged, another 11 completely new controls have been added. Check them out:

  • A.5.7 Threat intelligence

  • A.5.23 Information security for the use of cloud services

  • A.5.30 ICT readiness for business continuity

  • A.7.4 Physical security monitoring

  • A.8.9 Configuration management

  • A.8.10 Information deletion

  • A.8.11 Data masking

  • A.8.12 Data leakage prevention

  • A.8.16 Monitoring activities

  • A.8.23 Web filtering

  • A.8.28 Secure coding

Transition period

Companies that already have ISO 27001:2013 certification, beware! Your current certification remains valid, but you must transition to the new standard within a maximum of three years – that is, by October 2025. If this is the case for your company, keep an eye on the deadline!

What are the advantages of ISO 27001 certification? 

There are many benefits to ISO 27001 certification. Some of the main ones include:

Increased competitive advantage

Obtaining ISO 27001:2022 certification demonstrates that your company is committed to protecting the information of employees, partners and customers, increasing your credibility and competitive edge.

Improved decision-making

ISO 27001:2022 certification helps your company make more informed and, consequently, sounder decisions by providing a clear overview for identifying and managing risks.

Process improvement

ISO 27001:2022 certification continuously improves company processes related to information systems management, ensuring that procedures are standardized and consistent.

How to obtain ISO 27001:2022 certification

To obtain ISO 27001:2022 certification, the first step is to comply with the guidelines set out in the standard. As such, before applying for certification, it is necessary to draft all the necessary documentation, implement security processes and controls, conduct an internal audit, stage a management review and resolve all non-conformities.

The company must then undergo an external audit process split into two stages. The first stage is a preliminary review of information security management systems, while the second stage is a more detailed and formal compliance audit. 

The process of obtaining ISO 27001 certification can take between 3 and 12 months, depending on the size and complexity of the company. Once approved, the certificate is valid for 3 years.

Article originally written in Portuguese by Perallis Security Content Team: Entenda o que mudou na ISO 27001:2022 e por que — Perallis Security