📋 Overview of Changes
ISO/IEC 27001:2022 was published in October 2022, replacing the 2013 version. Organizations certified to ISO 27001:2013 have until October 2025 to transition to the new standard. Understanding the changes is critical for planning your transition strategy.
Key Changes Summary
- 93 controls (down from 114): Consolidated for clarity and reduced duplication
- 4 themes (vs 14 domains): Organizational, People, Physical, Technological
- 10 new controls: Covering threat intelligence, cloud security, ICT readiness
- 24 controls merged: Combined overlapping requirements
- 58 controls updated: Clarified language and requirements
🏗️ New Control Structure
From 14 Domains to 4 Themes
ISO 27001:2013 organized controls into 14 domains. The 2022 version simplifies this to 4 themes:
2022 Structure (4 Themes)
- Organizational Controls (37): Policies, roles, asset management, HR security, supplier management
- People Controls (8): Screening, terms of employment, awareness and training
- Physical Controls (14): Secure areas, equipment security, utilities, disposal
- Technological Controls (34): Authentication, cryptography, network security, logging
Attribute-Based Categorization
The 2022 version adds attributes to each control:
- Control Type: Preventive, Detective, or Corrective
- Information Security Properties: Confidentiality, Integrity, Availability
- Cybersecurity Concepts: Identify, Protect, Detect, Respond, Recover
- Operational Capabilities: Governance, Asset Management, Protection, etc.
- Security Domains: Governance & Ecosystem, Protection, Defense, Resilience
✨ 10 New Controls in 2022
5.7 Threat Intelligence
Organizations must now collect and analyze threat intelligence relevant to their information security. This formalizes what mature organizations already do informally.
Implementation: Subscribe to threat feeds, monitor security advisories, track vulnerabilities affecting your technology stack.
5.23 Information Security for Cloud Services
Explicit requirements for using, acquiring, and managing cloud services securely. Addresses cloud-specific risks.
Implementation: Cloud provider security assessments, shared responsibility model documentation, cloud configuration reviews.
5.30 ICT Readiness for Business Continuity
Ensures ICT systems are ready to support business continuity requirements. Strengthens resilience focus.
Implementation: Test disaster recovery procedures, verify backup restoration, ensure redundancy.
8.9 Configuration Management
Requires documented configuration management for security-relevant systems. Prevents configuration drift.
Implementation: Infrastructure as Code, configuration baselines, change tracking.
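As an added illustration of the configuration-baseline idea behind 8.9 (not code from the original page or from Hack23), the following script compares a version-controlled baseline against a captured configuration and reports drift. The baseline, the setting names and the sample configuration are constructed for the example.

```python
# Added example: minimal configuration-baseline drift check in the spirit of
# control 8.9. Baseline, setting names and sample config are constructed.
from dataclasses import dataclass
from typing import Optional

# Constructed baseline: expected values for security-relevant settings of a
# hypothetical SSH daemon. A real baseline lives in version control next to
# the Infrastructure as Code that applies it, so every change is tracked.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "LogLevel": "VERBOSE",
    "MaxAuthTries": "3",
}

@dataclass(frozen=True)
class Drift:
    setting: str
    expected: str
    actual: Optional[str]  # None means the setting is absent from the live config

def parse_config(text: str) -> dict:
    """Parse 'Key value' lines, ignoring blanks and '#' comments; last one wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        settings[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return settings

def find_drift(baseline: dict, current: dict) -> list:
    """Return every baseline setting whose live value is missing or differs."""
    return [
        Drift(key, expected, current.get(key))
        for key, expected in baseline.items()
        if current.get(key) != expected
    ]

# Constructed sample of a live configuration that has drifted from the baseline:
# root login was re-enabled and MaxAuthTries was removed entirely.
SAMPLE_CONFIG = """
# hypothetical sshd_config captured from a host
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding no
LogLevel VERBOSE
"""

if __name__ == "__main__":
    for d in find_drift(BASELINE, parse_config(SAMPLE_CONFIG)):
        print(f"DRIFT {d.setting}: expected {d.expected!r}, found {d.actual!r}")
```

Running the same check from a scheduled job and alerting on a non-empty result turns the documented baseline into an ongoing detection of configuration drift.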
8.10 Information Deletion
Ensures information is deleted securely when no longer required. Supports data minimization.
Implementation: Data retention policies, secure deletion procedures, verification processes.
8.11 Data Masking
Requires masking of sensitive data where appropriate. Supports privacy and testing needs.
Implementation: Anonymization for test data, redaction in logs, tokenization where appropriate.
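To show what "redaction in logs" and "tokenization" under 8.11 look like in practice, here is an added example (not from the original page or from Hack23) that masks e-mail addresses and card-shaped numbers in log lines and replaces user identifiers with keyed, deterministic pseudonyms so events can still be correlated per user. The key, the patterns and the log lines are constructed for the example.

```python
# Added example: log redaction and tokenization in the spirit of control 8.11.
# The key, regular expressions and sample log lines are constructed.
import hashlib
import hmac
import re

# Constructed key: in production, load it from a secrets manager and rotate it.
# Whoever holds the key can re-link tokens to identities, so it is sensitive.
TOKEN_KEY = b"constructed-demo-key-do-not-use"

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# 13-19 digits, optionally separated by spaces or dashes (card-number shaped)
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
USER_RE = re.compile(r"user=(\w+)")

def tokenize(value: str) -> str:
    """Deterministic pseudonym: same input -> same token; not reversible without the key."""
    digest = hmac.new(TOKEN_KEY, value.encode(), hashlib.sha256).hexdigest()
    return "tok_" + digest[:16]

def mask_card(match: re.Match) -> str:
    """Keep only the last four digits, as a receipt would."""
    digits = re.sub(r"\D", "", match.group(0))
    return "*" * (len(digits) - 4) + digits[-4:]

def redact(line: str) -> str:
    """Apply masking in a fixed order: user tokens, then e-mails, then card numbers."""
    line = USER_RE.sub(lambda m: f"user={tokenize(m.group(1))}", line)
    line = EMAIL_RE.sub("[email redacted]", line)
    line = CARD_RE.sub(mask_card, line)
    return line

# Constructed sample log lines, as an application might emit them before masking.
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z INFO user=anna checkout card=4111 1111 1111 1111",
    "2024-05-01T10:00:05Z WARN user=anna password reset sent to anna@example.se",
    "2024-05-01T10:01:00Z INFO user=bjorn login ok",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(redact(entry))
```

Applying this at the logging layer, before lines reach aggregation or a SIEM, also reduces the amount of sensitive data that 8.10 later has to delete.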
8.12 Data Leakage Prevention
Addresses the prevention of data exfiltration and unauthorized disclosure.
Implementation: DLP tools, egress filtering, USB restrictions, email controls.
8.16 Monitoring Activities
Formalizes requirements for monitoring user and system activities.
Implementation: SIEM, log aggregation, user behavior analytics.
8.23 Web Filtering
Requires web filtering to prevent access to malicious content.
Implementation: DNS filtering, proxy servers, URL categorization.
8.28 Secure Coding
Explicit requirements for secure coding principles in software development.
Implementation: OWASP guidelines, code reviews, SAST/DAST, security training.
🔄 Transition Guide for Certified Organizations
Transition Timeline
Deadline: October 2025
- October 2022: ISO 27001:2022 published
- October 2023: 1-year grace period ends (new audits use 2022 version)
- October 2025: 3-year transition period ends (all certificates must be 2022-compliant)
Transition Steps
- Gap Analysis: Compare current controls against 2022 Annex A
- Update Statement of Applicability: Map 2013 controls to 2022 equivalents
- Implement New Controls: Address the 10 new requirements
- Update Documentation: Revise policies to reference 2022 standard
- Internal Audit: Verify compliance with new requirements
- Transition Audit: Certification body assesses 2022 compliance
Common Transition Challenges
- Cloud security controls may require new vendor assessments
- Threat intelligence requires ongoing subscriptions/processes
- Configuration management needs automation
- Data leakage prevention may need new tools
💡 Practical Advice for Swedish Organizations
What Most Organizations Already Have
Good news: Many of the "new" controls formalize existing best practices:
- Threat intelligence → Already monitoring CVEs and security news
- Cloud security → Already using AWS/Azure with some security
- Configuration management → Infrastructure as Code already in place
- Monitoring → SIEM or log aggregation already deployed
What Needs Work
Controls that typically require new implementation:
- Formal threat intelligence process (not just ad-hoc monitoring)
- Documented cloud security assessments (not just using cloud services)
- Data leakage prevention (may need DLP tools)
- Secure coding standards (formalized SDLC security)
Cost Impact
For Swedish SMEs already certified to 2013:
- Internal effort: 40-80 hours for gap analysis, documentation updates, implementation
- Transition audit: €2,000-€5,000 (often combined with surveillance audit)
- New tooling: €1,000-€3,000 if DLP or monitoring gaps exist
Need transition support? Contact Hack23 for gap assessment and transition planning tailored to Swedish organizations.
📚 Resources
- Complete ISO 27001 Implementation Guide - Full implementation roadmap for Swedish SMEs
- ISO/IEC 27001:2022 Official Standard (ISO.org)
- Hack23 Public ISMS - Example implementation aligned with 2022 standard