ISO 27001 2013 vs. 2022 revision – What has changed?

After nine years, ISO 27001, the world’s leading information security standard, has been updated – on October 25, 2022, the new ISO/IEC 27001:2022 was published. Even though this revision brings only moderate changes, it is important to study them closely – let’s go through all the changes and see how this 2022 revision compares to the old 2013 revision of ISO 27001.

Main changes in the ISO 27001 2022 revision:
  • The main part of ISO 27001, i.e., clauses 4 to 10, has changed only slightly.
  • The changes in Annex A security controls are moderate.
  • The number of controls has decreased from 114 to 93.
  • The controls are placed into 4 sections, instead of the previous 14.
  • There are 11 new controls, while none of the controls were deleted, and many controls were merged.

Infographic comparing ISO 27001:2013 with the ISO 27001:2022 revision

ISO 27001 & ISO 27002 history

The first version of ISO 27001 was published way back in 1999 under the name of BS 7799-2, and it has gone through several changes since then.

You can see the changes between the 2005 and 2013 revisions of ISO 27001 in this article: Infographic: New ISO 27001 2013 revision – What has changed?

ISO 27001 should not be confused with ISO 27002 – the former is the main standard against which you can certify your company, while the latter is the supporting standard that provides guidelines on the implementation of security controls. The most important difference is that ISO 27002 is not mandatory for ISO 27001 certification, and a company cannot get certified against ISO 27002.

ISO 27002 was first published in 1995 under the name of BS 7799-1, and in February this year the ISO 27002:2022 revision was published with the new structure of 93 controls – this exact same (Read more...)

*** This is a Security Bloggers Network syndicated blog from ISO 27001 & ISO 22301 Blog – 27001Academy authored by ISO 27001 & ISO 22301 Blog – 27001Academy. Read the original post at: https://advisera.com/27001academy/blog/2022/02/09/iso-27001-iso-27002/