ISO 27001 is an international standard on how to manage information security and helps organisations to monitor, review and continually improve their Information Security Management System. The standard was jointly published in 2005 and then later revised in 2013 by the International Organisation for Standardisation and the International Electrotechnical Commission.

ISO 27001 is the standard against which organisations can certify and ISO 27002 provides the supporting details for the selection, implementation, and management of information security controls.

During our research, it was established from one source that; “5 years / 10 meetings globally, 3 working drafts & 2 Committee drafts, and the resolving of over 10,000 comments from 200 experts (© BSI Standards)”

The new standard should reflect the technological changes and the effect the pandemic has had on most organisations working practices. It’s only right that Information Management Systems reflect this.

It is expected that ISO 27002 will be released first in February 2022 to reflect the changes and then ISO 27001 to be released in April 2022.

Many presume that by 2024/2025 all organisations will be using the new standard.


What are the changes you can expect to the ISO 27001 standard?

ISO 27001 Changes

The first notable change is Title & Scope. The second edition refers to the “Code of Practice for Information Security Controls” in the third edition its succinct and demonstrates a direct term of reference, changing it to “a reference set of generic information security controls/used by organisations”. The rewording of these terms demonstrates more of a choice, making it less about guidance and more about referral material.

The second notable change of the standard is the controls. In the second Edition (ISO 27001:2013) there were 114 controls within 14 clauses. The revised standard has thoroughly reviewed the existing controls, reducing, yet simplifying the existing framework of Information Security.  In the third edition (ISO 27001: 2022) it is now proposed that there will be 93 controls, which includes 11 new ones that have now been grouped into the following four themes:

  • Organisational Controls (37)
  • People Controls (8)
  • Physical Controls (14)
  • Technological Controls (34)

The changes are that 24 controls have been merged, 58 have been updated and 11 have been added.

The new controls are:

  • Threat intelligence
  • Information security for use of cloud services
  • ICT readiness for business continuity
  • Physical security monitoring
  • Configuration management
  • Information deletion
  • Data masking
  • Data leakage prevention
  • Monitoring activities
  • Web filtering
  • Secure coding

The third notable change is Attributes. In the third edition, each ‘Control’ in the new version now has ‘Attributes’, which are used to assist in making the control easier to categorise relevant to the organisation (and/or Industry sector – this is yet to be evidenced from the research).

The five new attributes are as follows:

  • Control type (Preventive, Detective, Corrective)
  • Information Security Properties (Confidentiality, Integrity, Availability)
  • Cyber-Security Concepts (Identify, Protect, Detect, Respond, Recover)
  • Operational Capabilities (Governance, Asset Management, etc.)
  • Security Domains (Governance and Ecosystem, Protection, Defence, Resilience)

The evidence seen is that these are recorded as ‘hashtags #’ for each of the individual attributes.

The third edition also introduces “NEW” attributes used for controlling, for example, GDPR where controls would be relative to the activities.

Other notable changes of the third edition of the standard are that terms and definitions across the documentation have been brought up to date and the Introduction of ‘Subheadings’ in some controls, where guidance text can be long, becomes more structured. The Annexes have also become more informative as there are now two.

Annex A is the revised version of ISO 27002:2022, using Attributes, etc.

Annex B is corresponding with ISO 27002:2013.


How does it affect your organisation with certification?

ISO 27001 Guidance

Currently, there is no impact on organisations that are already undertaking the certification for their ISMS until the ISO 27002 draft has been finalised and the new ISO 27001 Annex A has been released.

If you are already certified with ISO 27001, there is no need to panic, you will be given a grace period before it is required for the necessary changes to have been adopted. Most organisations will be aware of the three-year recertification period which means implementing the new controls can be planned around your organisation’s recertification date.

We recommend that you obtain a copy of ISO 27002 when it is released so that you can make headway with what the changes look like and how much work you’ll need to do to account for the new controls. We advise starting again with a Gap Analysis to identify these areas of work, and not to leave it to the last minute, you may find yourself struggling with implementation if you leave it too late before your next certification date.

For those organisations that are thinking of getting their Information Management System certified, the updates to the standards shouldn’t put you off, the best thing to do is to familiarise yourself with the draft control set, and with the help of the established 2013 version, it will put you in a good place for when it’s officially published.


Thinking about certifying or needing additional support with the updates to the controls?

Here at iSTORM, we believe that if applied properly, effective security controls shouldn’t have a detrimental effect on the day-to-day running of your organisation. We pride ourselves in achieving the right balance between your corporate balance for your organisation. iSTORM ensures that the solutions we deliver work for the good of your organisation, not against it.

For more information about our, Information Security Services click here.

To contact us call 01789 608708 or email

Thank you to our consultant Rod Powers for reviewing the ISO 27001 standard and putting together a summary of these changes.

To keep an eye on when the updates are to be released click here.