{"id":2887,"date":"2025-04-29T07:44:46","date_gmt":"2025-04-29T07:44:46","guid":{"rendered":"https:\/\/www.overtsoftware.id\/?p=2887"},"modified":"2025-04-29T07:44:49","modified_gmt":"2025-04-29T07:44:49","slug":"iso-270012022-vs-2013-whats-new-and-why-it-matters","status":"publish","type":"post","link":"https:\/\/www.overtsoftware.id\/index.php\/iso-270012022-vs-2013-whats-new-and-why-it-matters\/","title":{"rendered":"ISO 27001:2022 VS 2013 \u2013 WHAT\u2019S NEW AND WHY IT MATTERS\u00a0"},"content":{"rendered":"

With cyber threats advancing at a rapid pace, organisations must adopt robust frameworks to safeguard their information assets. ISO\/IEC 27001 is a globally recognised standard for managing information security risks systematically. Its origins trace back to the British Standard BS 7799-2, first published in 1999, which laid the groundwork for formal information security management systems (ISMS). The first international version, ISO\/IEC 27001:2005, was published in 2005, replacing BS 7799-2. A major revision came with ISO\/IEC 27001:2013, followed by the latest update in 2022, which addresses modern challenges such as cloud computing, remote working, and sophisticated cyberattacks, aligning its structure and Annex A controls with ISO\/IEC 27002:2022.<\/span> <\/span><\/p>\n

 <\/span> <\/span>At Overt Software Solutions, we are proud to announce our successful upgrade from ISO 27001:2013 to ISO 27001:2022, reinforcing our commitment to delivering secure, cutting-edge IT services to our customers.<\/span> <\/span><\/p>\n

\"\"<\/span><\/p>\n

Background of ISO 27001:2013 vs 2022 Versions<\/span><\/span> <\/span><\/h3>\n

ISO 27001:2013 provided a solid foundation for establishing, implementing, maintaining, and improving an Information Security Management System (ISMS). Its purpose was to help organisations identify risks, implement controls, and ensure continual improvement in security practices. However, by the late 2010s, the cybersecurity landscape had shifted dramatically. The rise of cloud services, Internet of Things (IoT) devices, remote workforces, and advanced threats like ransomware exposed limitations in the 2013 version. These gaps necessitated an update to keep the standard relevant.<\/span> <\/span><\/p>\n

Published in October 2022, ISO 27001:2022 builds on its predecessor while introducing refinements and new controls. The update reflects the evolution of technology and organisational needs, ensuring that the standard remains a practical tool for managing modern risks. For instance, the 2013 version offered little guidance on cloud security or threat intelligence, areas now critical to most businesses. The 2022 revision addresses these shortcomings, making it a forward-looking framework suited to today\u2019s digital environment.<\/span> <\/span><\/p>\n

Want to learn more about ISO 27001? We have the content you need. Click below to read.<\/strong><\/p>\n

\"Iso27001<\/span><\/p>\n

Learn what ISO 27001 certification means and how it strengthens your security.<\/p>\n

\"How<\/span><\/p>\n

Discover how ISO 27001 certification helps build trust with your customers.<\/p>\n

Structural Changes<\/span><\/span> <\/span><\/h3>\n

The structure of ISO 27001 comprises two main parts: the clauses (4 to 10), which form the core requirements of the ISMS, and Annex A, which lists specific security controls. While the main clauses remain broadly consistent between 2013 and 2022, subtle refinements enhance clarity and flexibility.<\/span> <\/span><\/p>\n

In 2013, clauses 4 to 10 were detailed but somewhat rigid, requiring organisations to interpret and adapt them to their contexts. The 2022 version retains the same intent\u2014covering context, leadership, planning, support, operation, evaluation, and improvement\u2014but rewords sections for usability. For example, requirements are now more concise, reducing ambiguity for implementers.<\/span> <\/span><\/p>\n

\"\"<\/span><\/p>\n

The most substantial overhaul occurs in Annex A. In 2013, Annex A contained 114 controls organised into 14 domains, such as \u201cA.11 Physical and Environmental Security\u201d and \u201cA.13 Communications Security.\u201d These domains were comprehensive but often overlapped, creating complexity. In contrast, ISO 27001:2022 reduces this to 93 controls, grouped into four intuitive themes: Organisational (37 controls), People (8 controls), Physical (14 controls), and Technological (34 controls). This thematic approach simplifies navigation and aligns controls with specific organisational functions.<\/span> <\/span><\/p>\n

Key Differences in Detail<\/span>: <\/span>ISO 27001:2013 vs ISO 27001:2022<\/span><\/span> <\/span><\/h3>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
\n

Aspect<\/span><\/b>\u00a0<\/span><\/p>\n<\/td>\n

\n

ISO 27001:2013<\/span><\/b>\u00a0<\/span><\/p>\n<\/td>\n

\n

ISO 27001:2022<\/span><\/b>\u00a0<\/span><\/p>\n<\/td>\n<\/tr>\n

\n

Publication Date<\/span><\/b>\u00a0<\/span><\/p>\n<\/td>\n

\n

October 2013<\/span>\u00a0<\/span><\/p>\n<\/td>\n

\n

October 2022<\/span>\u00a0<\/span><\/p>\n<\/td>\n<\/tr>\n

\n

Purpose<\/span><\/b>\u00a0<\/span><\/p>\n<\/td>\n

\n

Establishes an ISMS to manage information security risks systematically.<\/span>\u00a0<\/span><\/p>\n<\/td>\n

\n

Updates the ISMS to address modern threats (e.g., cloud, remote work, cyberattacks).<\/span>\u00a0<\/span><\/p>\n<\/td>\n<\/tr>\n

\n

Main Clauses (4-10)<\/span><\/b>\u00a0<\/span><\/p>\n<\/td>\n

\n

Detailed but less streamlined; focuses on context, leadership, planning, etc.<\/span>\u00a0<\/span><\/p>\n<\/td>\n

\n

Refined for clarity and flexibility; intent unchanged but wording improved.<\/span>\u00a0<\/span><\/p>\n<\/td>\n<\/tr>\n

\n

Annex A Controls<\/span><\/b>\u00a0<\/span><\/p>\n<\/td>\n

\n

114 controls across 14 domains (A.5 to A.18).<\/span>\u00a0<\/span><\/p>\n<\/td>\n

\n

93 controls grouped into 4 themes: Organisational (37), People (8), Physical (14), Technological (34).<\/span>\u00a0<\/span><\/p>\n<\/td>\n<\/tr>\n

\n

Control Organisation<\/span><\/b>\u00a0<\/span><\/p>\n<\/td>\n

\n

Broad domains (e.g., “A.12 Operations Security”) with some overlap.<\/span>\u00a0<\/span><\/p>\n<\/td>\n

\n

Thematic grouping reduces redundancy and improves usability (e.g., merging access controls).<\/span>\u00a0<\/span><\/p>\n<\/td>\n<\/tr>\n

\n

Example Control Change<\/span><\/b>\u00a0<\/span><\/p>\n<\/td>\n

\n

“A.9.2.5 Review of user access rights” and “A.9.2.6 Removal or adjustment” separate.<\/span>\u00a0<\/span><\/p>\n<\/td>\n

\n

Consolidated into “5.18 Access rights” for streamlined implementation.<\/span>\u00a0<\/span><\/p>\n<\/td>\n<\/tr>\n

\n

New Controls<\/span><\/b>\u00a0<\/span><\/p>\n<\/td>\n

\n

None specific to emerging tech like cloud or threat intelligence.<\/span>\u00a0<\/span><\/p>\n<\/td>\n

\n

11 new controls (e.g., 5.7 Threat intelligence, 5.23 Cloud security, 8.28 Secure coding).<\/span>\u00a0<\/span><\/p>\n<\/td>\n<\/tr>\n

\n

Control Attributes<\/span><\/b>\u00a0<\/span><\/p>\n<\/td>\n

\n

No tagging system; controls lack metadata for alignment with other frameworks.<\/span>\u00a0<\/span><\/p>\n<\/td>\n

\n

Attributes added: Control type, Security properties, Cybersecurity concepts, etc.<\/span>\u00a0<\/span><\/p>\n<\/td>\n<\/tr>\n

\n

Clause 4.2 (Interested Parties)<\/span><\/b>\u00a0<\/span><\/p>\n<\/td>\n

\n

Less prescriptive; no explicit documentation requirement.<\/span>\u00a0<\/span><\/p>\n<\/td>\n

\n

Requires documenting interested parties and their requirements.<\/span>\u00a0<\/span><\/p>\n<\/td>\n<\/tr>\n

\n

Clause 6.1.3 (Risk Treatment)<\/span><\/b>\u00a0<\/span><\/p>\n<\/td>\n

\n

General guidance; less focus on justifying control selections.<\/span>\u00a0<\/span><\/p>\n<\/td>\n

\n

Clarifies link to Annex A; requires justification for control choices\/exclusions.<\/span>\u00a0<\/span><\/p>\n<\/td>\n<\/tr>\n

\n

Clause 9.1 (Monitoring)<\/span><\/b>\u00a0<\/span><\/p>\n<\/td>\n

\n

Less specific on implementation details (e.g., “when” and “who”).<\/span>\u00a0<\/span><\/p>\n<\/td>\n

\n

Mandates defining “when” and “who” for monitoring activities.<\/span>\u00a0<\/span><\/p>\n<\/td>\n<\/tr>\n

\n

Planning Emphasis<\/span><\/b>\u00a0<\/span><\/p>\n<\/td>\n

\n

Focuses on controls rather than process integration.<\/span>\u00a0<\/span><\/p>\n<\/td>\n

\n

Emphasises planning (Clause 6.3) and integrates “processes” with activities.<\/span>\u00a0<\/span><\/p>\n<\/td>\n<\/tr>\n

\n

Transition Deadline<\/span><\/b>\u00a0<\/span><\/p>\n<\/td>\n

\n

Not applicable (original standard).<\/span>\u00a0<\/span><\/p>\n<\/td>\n

\n

31 October 2025 (IAF deadline for 2013-certified organisations).<\/span>\u00a0<\/span><\/p>\n<\/td>\n<\/tr>\n

\n

Benefits<\/span><\/b>\u00a0<\/span><\/p>\n<\/td>\n

\n

Solid foundation for basic security management.<\/span>\u00a0<\/span><\/p>\n<\/td>\n

\n

More relevant to modern tech, easier alignment with frameworks like NIST\/GDPR.<\/span>\u00a0<\/span><\/p>\n<\/td>\n<\/tr>\n

\n

Challenges<\/span><\/b>\u00a0<\/span><\/p>\n<\/td>\n

\n

Gaps in addressing cloud, IoT, or advanced threats.<\/span>\u00a0<\/span><\/p>\n<\/td>\n

\n

Requires training, reassessment, and potentially new tools for updated controls.<\/span>\u00a0<\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

1. Number and <\/span>Organisation<\/span> of Annex A Controls<\/span><\/span> <\/span><\/h4>\n

The reduction from 114 to 93 controls in 2022 does not signify a weakening of the standard. Instead, it results from merging redundant controls and eliminating outdated ones. For example, in 2013, \u201cA.9.2.5 Review of user access rights\u201d and \u201cA.9.2.6 Removal or adjustment of access rights\u201d were distinct controls. In 2022, these combine into \u201c5.18 Access rights,\u201d streamlining implementation without losing rigour.<\/span> <\/span><\/p>\n

The shift to four themes also improves practicality. Organisational controls address governance and policies, People controls focus on human factors, Physical controls cover premises security, and Technological controls target IT systems. This structure helps organisations assign responsibilities more effectively. For instance, a facilities manager can focus on the 14 Physical controls, while IT teams tackle the 34 Technological ones.<\/span> <\/span><\/p>\n

2. New Controls Introduced in 2022<\/span><\/span> <\/span><\/h4>\n

To address emerging risks, ISO 27001:2022 introduces 11 new controls:<\/span> <\/span><\/p>\n