QMS Certification Blog

What are the changed requirements in ISO 27001:2022?

Discover the changed requirements in ISO 27001:2022 and make the transition to the standard in a much simpler and result-focused way!

We know that the update to ISO/IEC 27001:2022 Information Security Management Systems (ISMS) is an important step for many companies. Along with the need for an update, there is also a sensitive process of change and improvement that will better secure information, people, and companies.

A few days ago, we posted an article talking a bit about the reasons for the update and giving tips on how to do the process the right way. However, to make a smoother and more result-focused transition, it is important to know what the changed requirements are in ISO 27001:2022.

In today’s content, we will discuss the main changes to the requirements of the new version. This way, you will know in advance what has changed and will be able to better direct the actions of your ISO/IEC 27001:2022 update project.


What are the changed requirements in ISO 27001:2022?

Generally, the main changes occurred in requirements 4.2, 6.1.3, 6.3, and 9.3. There were also other changes, but in this article, we will focus more on the normative items and what has been altered. Let’s look at each one of them:


4.2 Understanding the needs and expectations of interested parties

One of the most important items, 4.2 is the basis for the creation of products and services and for alignment between interested parties and companies.

A new clause was added to it. The new clause “c)” stipulates that organizations, when determining the relevant requirements for their stakeholders, must also determine which of these requirements should be addressed by the ISMS.

This change, although seemingly small, is quite significant. It emphasizes the importance of prioritizing the needs and expectations of the relevant stakeholders for the information security management system. This enables the organization to concentrate its efforts and resources in areas that have the greatest impact on information security and, thus, achieve the objectives of the ISMS.


6.1.3 Treatment of information security risks

The changes in item 6.1.3 aim to make the standard less prescriptive, showing companies that they need to evaluate their contexts. This clarifies that it is up to organizations to assess applicability according to their scope and mapped risks. Let’s look at the change:

6.1.3 Treatment of information security risks
d) develop a Statement of Applicability that contains:
— the necessary controls (see 6.1.3 b) and c));
— the justification for inclusions;
— whether the necessary controls are implemented or not; and
— the justification for the exclusion of any controls from Annex A.[…]

Furthermore, other changes signal the same intention to make the standard more illustrative. The first sentence of Note 3 (“The control objectives are implicitly included in the chosen controls”) was removed. In the second part of the note, the term “control objectives” was also removed.


6.3 Planning of changes

This change was expected and occurs to keep ISO 27001 aligned with other ISO management standards, that is, it is an adaptation of the standard to the infamous Annex SL. Thus, being a completely new clause for 27001, this requirement essentially dictates that all “changes in the ISMS must be conducted in a planned manner.”

This item highlights the importance of a structured and proactive approach to dealing with changes concerning information security, something vital in an environment that is constantly changing, bringing new threats and challenges that can arise at any moment.

Not paying attention to the planning of changes is a serious risk to the security of our information, potentially bringing major problems and risks to our companies. Therefore, the addition of this item is more than just a simple inclusion of Annex SL, but a true contribution to continuous improvement and the maintenance of the ISMS as a whole.


9.3 Management review

Item 9.3 received significant updates aimed at making the management review process clearer and more structured. This facilitates understanding and implementation by organizations while contributing to more effective information security management for companies.

Practically, the text was reorganized into 3 sub-clauses (9.3.1 Generalities; 9.3.2 Inputs for the review; 9.3.3 Outputs from the review). This change creates a more logical order, clearly requesting inputs and outputs, and clarifying the management review process and its expected outcomes.

Additionally – reinforcing the change in requirement 4.2 – a new clause c) was included in 9.3.1. This new text determines the need to consider changes in the needs and expectations of interested parties as one of the inputs for the management review by senior management.


Restructuring and modification of controls (main changes in ANNEX A)

Another significant change was the complete restructuring of Annex A. The document previously included 14 groups, now reorganized into just 4, as follows:

  • Organizational controls (37 controls – group A.5);
  • People controls (8 controls – group A.6);
  • Physical controls (14 controls – group A.7);
  • Technological controls (34 controls – group A.8).

Furthermore, the standard, which previously had 114 controls, now contains only 96. However, it is important to note that there was no actual elimination of controls! On the contrary, while new controls emerged and others were retained, many were simply grouped together or renamed. Hence the apparent “reduction.”


Changed requirements in ISO 27001:2022 – for a stronger ISMS!

Overall, the changed requirements in ISO 27001:2022 have been very well received by the market and represent a significant evolution for the practices of information security management.

Through these (and the standard as a whole), we can enhance the effectiveness of our Information Security Management Systems (ISMS) and adapt them to the increasingly rapid needs and changes in our companies and context.

The changes bring everything a good management system needs to have, promoting a more focused, flexible, and adaptable approach, without compromising what matters most: keeping information secure! By transitioning to the new version of the standard, therefore, companies can take an important step towards achieving their goals and reaching incredible results!


QMS Certification

QMS is an accredited third-party certification body. It is currently present in 33 countries and focuses on the certification of management systems. QMS America is managed by the US office and has consistently grown in market recognition for its technical level, customer satisfaction, and competitive pricing.
