Information security

Updates to ISO 27001

The International Organisation for Standardisation periodically updates ISO 27001 and related standards to keep pace with technological developments. The revised drafts of ISO 27001 and ISO 27002 are under review, pending an official release later this year.


ISO 27001 is a vital standard for businesses to get certified for if they are serious about information security and want to demonstrate that to their clients. The requirements in the ISO 27001 standard will protect businesses from most cyber-attacks looking to steal data. ISO 27001 goes further than the Cyber Essentials certification and covers information in all forms, whether it is digital or physical.


The proposed changes to the standards are moderate and their purpose is mainly to simplify the implementation of ISO 27002. The number of controls has decreased from 114 to 93 and they are arranged in 4 sections instead of 14 as in ISO 27002:2013.


There are 11 new controls for businesses to consider. No controls have been removed, although many have been merged to bring the overall total down.


Some of the key updates to ISO 27001:


·        The main part of ISO 27001 (clauses 4 to 10) is not changing. These clauses include scope, interested parties, Information security policy, risk management, training and awareness, corrective actions, etc.

·        ISO is only updating the security controls listed in ISO 27001 Annex A

·        The overall number of controls has decreased from 114 to 93

·        Controls are now arranged in 4 sections instead of the previous 14

·        There are 11 new controls:

§  5.7 Threat intelligence

§  5.23 Information security for use of cloud services

§  5.30 ICT readiness for business continuity

§  7.4 Physical security monitoring

§  8.9 Configuration management

§  8.10 Information deletion

§  8.11 Data masking

§  8.12 Data leakage prevention

§  8.16 Monitoring activities

§  8.23 Web filtering

§  8.28 Secure coding


The transition period for companies to implement these changes has not been officially published yet, but it will be around two years starting from the official release date of the ISO 27001:2022 update.


To get your organisation ready for the change to ISO 27001:2022, OmniCyber recommends:

·        Gap assessment against the new controls

·        Implement the new controls

·        Conduct an internal audit

·        Get ready for a certification audit.


OmniCyber Security will support you through the entire process of becoming compliant with ISO 27001. Contact our expert team today to find out what the ISO 27001 changes mean for you. 

Contact us

Related Articles