The new and improved ISO 27001 Information Security Standard; what's changed?

Ben Gibbins


November 2022

key fact

For any organisation already using ISO 27001, there is a need to remap existing procedures, and decide how the new controls apply to your business.

The widely anticipated updates to ISO 27001 and ISO27002 this October were about more than revising Information Security standards and controls. They also set the conditions for businesses to accelerate best practice and continuous improvement across systems, processes, capabilities, and governance.

Wherever your company is on its Information Security journey, and whether the focus is on transforming system architecture to ensuring business continuity, customer assurance and due diligence, this is an opportunity to embrace. Weak or no Information Security within an organisation leads to critical or sensitive data being lost, stolen, or used in a way that causes severe consequences for the business, their customers and stakeholders, and the industry they work in.

This updated version of ISO 27001:2022 offers welcome consolidation of existing standards, but also introduces a new controls structure that will require a thorough review of current practices to ensure your organisation is aligned. The threat environment has changed dramatically in the eight years since the last release and the new updates provide an ideal chance to revisit your Information Security strategy with fresh eyes. This applies whether you’re already certified, moving towards certification, or simply using the framework as a guide.

What’s changed with ISO 27001:2022 and 27002:2022?

Changes to both the standard (ISO 27001) and the code of practice (ISO 27002) are extensive. The good news is that they have been simplified. Structure and language have been streamlined, so that users can implement, adapt, and appoint responsibility with more clarity. Fully executing the updates will involve, at the very least, a detailed audit of the changes and how your organisation will realistically implement them. Broadly speaking, the headlines are:

  • controls have been restructured from 14 sections to 4, making it easier to understand their applicability, and the designation of responsibility
  • five Control Attributes have been introduced, enabling different audiences to sort, interpret and apply the controls in meaningful ways
  • standards and language are now aligned with complementary frameworks – not leastrisk management, to ease integration and reduce complexity
  • overall, controls have been reduced from 114 to 93. However, within that overall framework:

For any organisation already using ISO 27001, there is a need to remap existing procedures, and to decide how the new controls apply to your business. Here is where Mason Advisory can add significant delivery value, drawing on our knowledge and established blueprints in this area.

Harnessing ISO 27001:2022 to drive Information Security maturity

For any organisation (certified or not), there is also scope to move beyond a purely responsive “audit and adjust” approach. The guidelines can also be used to design and deliver an Information Security maturity roadmap. Overall, both ISO 27001:2022 and 27002:2022 reflect advances and improvements that describe how to apply security controls in the context of rapidly evolving technology. The key word here is ‘describe’. The standard offers an assured framework and guidelines – but how you apply these in the context of your organisational structure, capabilities, processes, and marketplace is very much a matter of assessment and strategy.

Given that the new controls cover the entire Information Security landscape – organisational, people, physical and technological – making the decisions to define that strategy will be no small task, but for any security conscious organisation this area usually tops the priorities list. For already certified organisations, there’s a two-year window to ensure you’re fully up to date and compliant. For organisations seeking certification, there is some work to be done to define exactly how you’re going to get there. For every organisation, there is scope to use the updated standards as a springboard to benchmark your current status and design a roadmap that will help continuous improvements and evolve your Information Security management strategy, capabilities, and systems.

Our independent perspective, informed by real-world, cross sector ability, can add significant value to businesses applying ISO27001. Crucially, our approach is to collaborate with your team; we work in partnership with you to assess, design and navigate your Information Security roadmap. And we support you to develop the strategy, systems, and capabilities your organisation needs to ensure that you are geared up to meet future challenges.

If you would like to find out how we can help you, click the enquire box or click contact us to discuss further.

Explore Mason Advisory’s cyber service offerings

Read more insights from our industry experts

Our services

View all