April 29

ISO 27001:2022 VS 2013 – WHAT’S NEW AND WHY IT MATTERS 


With cyber threats advancing at a rapid pace, organisations must adopt robust frameworks to safeguard their information assets. ISO/IEC 27001 is a globally recognised standard for managing information security risks systematically. Its origins trace back to the British Standard BS 7799-2, first published in 1999, which laid the groundwork for formal information security management systems (ISMS). The first international version, ISO/IEC 27001:2005, was published in 2005, replacing BS 7799-2. A major revision came with ISO/IEC 27001:2013, followed by the latest update in 2022, which addresses modern challenges such as cloud computing, remote working, and sophisticated cyberattacks, aligning its structure and Annex A controls with ISO/IEC 27002:2022. 

At Overt Software Solutions, we are proud to announce our successful upgrade from ISO 27001:2013 to ISO 27001:2022, reinforcing our commitment to delivering secure, cutting-edge IT services to our customers.

Background of ISO 27001:2013 vs 2022 Versions 

ISO 27001:2013 provided a solid foundation for establishing, implementing, maintaining, and improving an Information Security Management System (ISMS). Its purpose was to help organisations identify risks, implement controls, and ensure continual improvement in security practices. However, by the late 2010s, the cybersecurity landscape had shifted dramatically. The rise of cloud services, Internet of Things (IoT) devices, remote workforces, and advanced threats like ransomware exposed limitations in the 2013 version. These gaps necessitated an update to keep the standard relevant. 

Published in October 2022, ISO 27001:2022 builds on its predecessor while introducing refinements and new controls. The update reflects the evolution of technology and organisational needs, ensuring that the standard remains a practical tool for managing modern risks. For instance, the 2013 version offered little guidance on cloud security or threat intelligence, areas now critical to most businesses. The 2022 revision addresses these shortcomings, making it a forward-looking framework suited to today’s digital environment. 


Structural Changes 

The structure of ISO 27001 comprises two main parts: the clauses (4 to 10), which form the core requirements of the ISMS, and Annex A, which lists specific security controls. While the main clauses remain broadly consistent between 2013 and 2022, subtle refinements enhance clarity and flexibility. 

In 2013, clauses 4 to 10 were detailed but somewhat rigid, requiring organisations to interpret and adapt them to their contexts. The 2022 version retains the same intent—covering context, leadership, planning, support, operation, evaluation, and improvement—but rewords sections for usability. For example, requirements are now more concise, reducing ambiguity for implementers. 

The most substantial overhaul occurs in Annex A. In 2013, Annex A contained 114 controls organised into 14 domains, such as “A.11 Physical and Environmental Security” and “A.13 Communications Security.” These domains were comprehensive but often overlapped, creating complexity. In contrast, ISO 27001:2022 reduces this to 93 controls, grouped into four intuitive themes: Organisational (37 controls), People (8 controls), Physical (14 controls), and Technological (34 controls). This thematic approach simplifies navigation and aligns controls with specific organisational functions. 

Key Differences in Detail: ISO 27001:2013 vs ISO 27001:2022 

| Aspect | ISO 27001:2013 | ISO 27001:2022 |
|---|---|---|
| Publication Date | October 2013 | October 2022 |
| Purpose | Establishes an ISMS to manage information security risks systematically. | Updates the ISMS to address modern threats (e.g., cloud, remote work, cyberattacks). |
| Main Clauses (4-10) | Detailed but less streamlined; focuses on context, leadership, planning, etc. | Refined for clarity and flexibility; intent unchanged but wording improved. |
| Annex A Controls | 114 controls across 14 domains (A.5 to A.18). | 93 controls grouped into 4 themes: Organisational (37), People (8), Physical (14), Technological (34). |
| Control Organisation | Broad domains (e.g., “A.12 Operations Security”) with some overlap. | Thematic grouping reduces redundancy and improves usability (e.g., merging access controls). |
| Example Control Change | “A.9.2.5 Review of user access rights” and “A.9.2.6 Removal or adjustment” are separate controls. | Consolidated into “5.18 Access rights” for streamlined implementation. |
| New Controls | None specific to emerging tech like cloud or threat intelligence. | 11 new controls (e.g., 5.7 Threat intelligence, 5.23 Cloud security, 8.28 Secure coding). |
| Control Attributes | No tagging system; controls lack metadata for alignment with other frameworks. | Attributes added: Control type, Security properties, Cybersecurity concepts, etc. |
| Clause 4.2 (Interested Parties) | Less prescriptive; no explicit documentation requirement. | Requires documenting interested parties and their requirements. |
| Clause 6.1.3 (Risk Treatment) | General guidance; less focus on justifying control selections. | Clarifies link to Annex A; requires justification for control choices/exclusions. |
| Clause 9.1 (Monitoring) | Less specific on implementation details (e.g., “when” and “who”). | Mandates defining “when” and “who” for monitoring activities. |
| Planning Emphasis | Focuses on controls rather than process integration. | Emphasises planning (Clause 6.3) and integrates “processes” with activities. |
| Transition Deadline | Not applicable (original standard). | 31 October 2025 (IAF deadline for 2013-certified organisations). |
| Benefits | Solid foundation for basic security management. | More relevant to modern tech; easier alignment with frameworks like NIST/GDPR. |
| Challenges | Gaps in addressing cloud, IoT, or advanced threats. | Requires training, reassessment, and potentially new tools for updated controls. |

1. Number and Organisation of Annex A Controls 

The reduction from 114 to 93 controls in 2022 does not signify a weakening of the standard. Instead, it results from merging redundant controls and eliminating outdated ones. For example, in 2013, “A.9.2.5 Review of user access rights” and “A.9.2.6 Removal or adjustment of access rights” were distinct controls. In 2022, these combine into “5.18 Access rights,” streamlining implementation without losing rigour. 

The shift to four themes also improves practicality. Organisational controls address governance and policies, People controls focus on human factors, Physical controls cover premises security, and Technological controls target IT systems. This structure helps organisations assign responsibilities more effectively. For instance, a facilities manager can focus on the 14 Physical controls, while IT teams tackle the 34 Technological ones. 

2. New Controls Introduced in 2022 

To address emerging risks, ISO 27001:2022 introduces 11 new controls: 

  • 5.7 Threat intelligence: Organisations must now gather and analyse data on potential threats, such as monitoring dark web forums for leaked credentials. This proactive approach contrasts with the reactive stance of 2013. 
  • 5.23 Information security for use of cloud services: With cloud adoption soaring, this control ensures secure configuration and vendor management. For example, a company using Microsoft Azure must assess its provider’s security practices. 
  • 5.30 ICT readiness for business continuity: This ensures IT systems support operations during disruptions, such as maintaining backups for ransomware recovery. 
  • 7.4 Physical security monitoring: Organisations must monitor premises, perhaps with CCTV, to detect unauthorised access. 
  • 8.1 Data masking: Sensitive data, like customer details, must be obscured to prevent exposure during testing or breaches. 
  • 8.9 Configuration management: Systems must be securely configured to reduce vulnerabilities, such as disabling unused ports. 
  • 8.10 Information deletion: Secure disposal of data, like shredding old drives, prevents recovery by attackers. 
  • 8.11 Data leakage prevention: Tools like firewalls or encryption stop unauthorised data leaks, vital in remote work settings. 
  • 8.12 Web filtering: Blocking access to malicious sites protects against phishing or malware. 
  • 8.16 Monitoring activities: Enhanced system monitoring detects anomalies, such as unusual login attempts. 
  • 8.28 Secure coding: Developers must follow practices to minimise software vulnerabilities, critical for in-house applications. 
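Two of the controls listed above lend themselves to a concrete illustration: 8.16 Monitoring activities (spotting unusual login attempts) and Data masking (obscuring sensitive details before a report is shared). The following Python script is an added example written for this article; it is not code from the original post or from Overt Software Solutions. It parses a constructed authentication log, flags any account with three or more failed logins inside a five-minute window, and then masks usernames and IP addresses in the resulting report. The log format, field names and thresholds are assumptions made for the demo.

```python
"""Added example, not from the original post: a small check in the spirit of the
new Annex A control 8.16 Monitoring activities (flag bursts of failed logins),
whose output is masked before it is shared, as the Data masking control asks.
The log format, field names and thresholds are assumptions made for this demo."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data; the format is assumed).
SAMPLE_LOG = """\
2024-05-01T08:00:01Z auth FAIL user=alice.smith ip=203.0.113.10
2024-05-01T08:00:07Z auth FAIL user=alice.smith ip=203.0.113.10
2024-05-01T08:00:12Z auth FAIL user=alice.smith ip=203.0.113.10
2024-05-01T08:00:20Z auth OK   user=alice.smith ip=203.0.113.10
2024-05-01T08:15:00Z auth OK   user=bob.jones ip=198.51.100.7
2024-05-01T09:30:00Z auth FAIL user=carol.k ip=192.0.2.44
2024-05-01T11:45:00Z auth FAIL user=carol.k ip=192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL)\s+user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def parse_log(text):
    """Turn log lines into (timestamp, result, user, ip) tuples; lines that do
    not match the expected format are skipped rather than crashing the check."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def find_failed_login_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Return {user: {"count", "first", "last", "ips"}} for every user with at
    least `threshold` FAIL events inside some sliding window of length `window`.
    Failures spread out over hours (carol.k above) do not trigger an alert."""
    fails = defaultdict(list)
    for ts, result, user, ip in events:
        if result == "FAIL":
            fails[user].append((ts, ip))
    alerts = {}
    for user, items in fails.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # Slide the window start forward until it spans at most `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[user] = {
                    "count": count,
                    "first": items[start][0],
                    "last": items[end][0],
                    "ips": sorted({ip for _, ip in items[start:end + 1]}),
                }
    return alerts


def mask_user(user):
    """Keep the first character only: alice.smith -> a**********"""
    return user[0] + "*" * (len(user) - 1) if user else user


def mask_ip(ip):
    """Keep the network part, hide the host octet: 203.0.113.10 -> 203.0.113.x"""
    parts = ip.split(".")
    return ".".join(parts[:3] + ["x"]) if len(parts) == 4 else "x.x.x.x"


def masked_report(alerts):
    """Render alerts with identifiers masked, so the report can go to a wider
    audience (ticketing, management) without exposing the raw account data."""
    lines = []
    for user, a in sorted(alerts.items()):
        ips = ", ".join(mask_ip(ip) for ip in a["ips"])
        lines.append(
            f"{mask_user(user)}: {a['count']} failed logins between "
            f"{a['first']:%H:%M:%S} and {a['last']:%H:%M:%S} from {ips}"
        )
    return lines


if __name__ == "__main__":
    for line in masked_report(find_failed_login_bursts(parse_log(SAMPLE_LOG))):
        print(line)
```

The sliding window matters: two failures two hours apart are not the same signal as three inside a minute, and a monitoring control that cannot tell them apart produces noise rather than detection. Masking is applied at the reporting boundary, not at collection, so the unmasked record is still available to the people who need it for investigation.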

3. Updated Control Attributes in 2022 

A novel feature in 2022 is the tagging of controls with attributes, including: 

  • Control type: Preventive (stopping incidents), Detective (identifying them), or Corrective (fixing them). 
  • Security properties: Confidentiality, Integrity, Availability. 
  • Cybersecurity concepts: Aligned with NIST CSF categories (Identify, Protect, Detect, Respond, Recover). 
  • Operational capabilities: Areas like Governance or Asset Management. 
  • Security domains: Such as Application Security or Physical Security. 

This metadata enables organisations to map controls to other frameworks, like GDPR or NIST, and tailor them to specific risks. In 2013, controls lacked this flexibility, limiting interoperability. 
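To show what the attribute tagging buys in practice, here is an added Python example (not code from the original post or from Overt Software Solutions) that models a handful of the controls named above with the five attribute types and then queries them: filter by attribute, group by NIST CSF function, and list the functions that a given set of controls leaves uncovered. The attribute values attached to each control are illustrative placeholders constructed for the demo; the authoritative tags must be taken from ISO/IEC 27002:2022.

```python
"""Added example, not part of the original post: the 2022 control attributes
modelled as metadata, then queried for cross-framework mapping and gap analysis.
The attribute values attached to each control below are illustrative placeholders
constructed for this demo; take the authoritative tags from ISO/IEC 27002:2022."""
from dataclasses import dataclass

CIA = ("Confidentiality", "Integrity", "Availability")
CSF_FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")


@dataclass(frozen=True)
class Control:
    ident: str
    name: str
    control_type: frozenset   # Preventive / Detective / Corrective
    properties: frozenset     # Confidentiality / Integrity / Availability
    csf_concepts: frozenset   # NIST CSF functions (Identify ... Recover)
    operational: frozenset    # operational capability, e.g. Governance
    domains: frozenset        # security domain, e.g. Protection


def control(ident, name, types, props, concepts, ops, domains):
    """Build a Control from plain sequences (attribute values become sets)."""
    return Control(ident, name, frozenset(types), frozenset(props),
                   frozenset(concepts), frozenset(ops), frozenset(domains))


# Illustrative tagging for a few of the controls named in the post (constructed
# for this example, not copied from the standard).
CATALOGUE = [
    control("5.7", "Threat intelligence",
            ["Preventive", "Detective", "Corrective"], CIA,
            ["Identify", "Detect", "Respond"],
            ["Threat and vulnerability management"], ["Defence", "Resilience"]),
    control("5.23", "Information security for use of cloud services",
            ["Preventive"], CIA, ["Protect"],
            ["Supplier relationships security"],
            ["Governance and Ecosystem", "Protection"]),
    control("5.30", "ICT readiness for business continuity",
            ["Corrective"], ["Availability"], ["Respond"],
            ["Continuity"], ["Resilience"]),
    control("7.4", "Physical security monitoring",
            ["Preventive", "Detective"], CIA, ["Protect", "Detect"],
            ["Physical security"], ["Protection", "Defence"]),
    control("8.16", "Monitoring activities",
            ["Detective", "Corrective"], CIA, ["Detect", "Respond"],
            ["Information security event management"], ["Defence"]),
    control("8.28", "Secure coding",
            ["Preventive"], CIA, ["Protect"],
            ["Application security", "System and network security"], ["Protection"]),
]


def _natural(ident):
    """Sort key so that 5.7 < 5.23 < 8.16 (numeric, not lexical)."""
    return tuple(int(p) for p in ident.split("."))


def select(controls, **criteria):
    """Identifiers of controls whose attribute sets contain every requested
    value, e.g. select(CATALOGUE, control_type={"Detective"}, properties={"Availability"})."""
    matches = [c for c in controls
               if all(set(wanted) <= getattr(c, attr) for attr, wanted in criteria.items())]
    return sorted((c.ident for c in matches), key=_natural)


def group_by_csf(controls):
    """Map each NIST CSF function to the identifiers of the controls tagged with it."""
    groups = {f: [] for f in CSF_FUNCTIONS}
    for c in controls:
        for f in c.csf_concepts:
            groups[f].append(c.ident)
    return {f: sorted(ids, key=_natural) for f, ids in groups.items()}


def uncovered_csf_functions(controls):
    """CSF functions that none of the given controls address: the gap a
    statement of applicability built only from these controls would leave."""
    return [f for f, ids in group_by_csf(controls).items() if not ids]


if __name__ == "__main__":
    print("Detective controls:", select(CATALOGUE, control_type={"Detective"}))
    print("By CSF function:", group_by_csf(CATALOGUE))
    print("Uncovered CSF functions:", uncovered_csf_functions(CATALOGUE))
```

The point of the exercise is the last function: once every control carries the same attribute vocabulary, a question such as "which CSF functions does our chosen control set leave untouched?" becomes a query rather than a spreadsheet session, which is exactly the interoperability the 2013 controls lacked.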

4. Clause Updates (Main Body) 

Several clauses see refinements: 

  • Clause 4.2 (Understanding the needs and expectations of interested parties): The 2022 version mandates documenting interested parties (e.g., customers, regulators) and their requirements, unlike the less prescriptive 2013 approach. 
  • Clause 6.1.3 (Information security risk treatment): This now requires justifying control selections and exclusions, linking them explicitly to Annex A, whereas 2013 was vaguer. 
  • Clause 9.1 (Monitoring, measurement, analysis, and evaluation): Organisations must specify “when” and “who” for monitoring, adding precision absent in 2013. 

These changes promote accountability and ensure the ISMS is actionable and measurable. 

5. Emphasis on Planning and Processes 

Clause 6.3 in 2022 emphasises planning changes to the ISMS, while “processes” are explicitly mentioned alongside activities. This shift integrates security into organisational workflows, moving beyond the 2013 focus on standalone controls. For example, a company might embed threat intelligence into its IT operations rather than treating it as an isolated task. 

Overt Software Solutions and Our ISO 27001:2022 Journey 

Here at Overt Software Solutions, we are a UK-based team passionate about supporting education and business with top-notch IT services. For years, we have been a reliable partner, helping with everything from managed IT support to software development and cybersecurity. We have always taken information security seriously—it is at the heart of what we do. That is why we were so proud to hold ISO 27001:2013 certification, a clear sign of how much we care about keeping our clients’ data safe. Now, we are thrilled to share some exciting news: we have upgraded to ISO 27001:2022, a big step forward that brings us right up to date with the latest global standards. 

This upgrade is not just a tick in a box for us—it shows how we are always looking ahead, ready to tackle today’s cybersecurity challenges. By moving to the 2022 standard, we have beefed up our Information Security Management System (ISMS) with some brilliant new controls, like “5.23 Information security for use of cloud services” and “8.11 Data leakage prevention.” What does that mean for our customers? Well, if you are an educational institution using our federated identity management tools—like Shibboleth or SAML—you can rest easy knowing sensitive student and staff data in the cloud is even better protected. And for businesses relying on our custom IT support or software solutions, it means stronger defences against nasty threats like ransomware, keeping your operations safe and your reputation intact. 

For us, this upgrade is all about giving our customers peace of mind. We are not just meeting industry standards—we are going beyond them. It is about making sure you feel confident in our services, knowing we have got your back with secure, dependable solutions. That way, you can focus on what matters most to you, whether that is shaping young minds or growing your business. We are proud to be part of your journey, and this step forward with ISO 27001:2022 only deepens our commitment to you. 

Key Takeaways  

ISO 27001:2022 refines its 2013 predecessor with clearer clauses, a restructured Annex A, and new controls addressing today’s threats. From threat intelligence to secure coding, these updates ensure organisations remain resilient. At Overt Software Solutions, our successful upgrade to ISO 27001:2022 underscores our dedication to providing top-tier security and IT services. This milestone strengthens our ability to protect our customers’ data in an increasingly perilous digital world. Whether you are an educational institution or a business seeking robust cybersecurity, Overt Software Solutions can assist you better than ever. Contact us today for more information on how we can enhance your security and support your success. 

