Comparison of changes to the requirements of ISO/IEC 27001:2013 (:2017) vs ISO/IEC 27001:2022
ISO/IEC 27001:201 has been replaced by ISO/IEC 27001:2023, according to which all certified organisations must be certified within a transition period.
The transition period is set, according to IAF MD 26, at 36 months from the last day of the month of publication of ISO/IEC 27001:2022 (i.e. 31 October 2025).

The CO will require an increase in audit time as part of the requirements for the transition to the new standard:
1) In the case of a recertification audit, 0.5 audit days.
2) In the case of a surveillance audit, 1 audit day.

Content of the standard:

Basic requirements
Annex A of the standard contains the interpretation and application of the standard.



ISO/IEC 27001:2022 is based on the new  - High-Level Structure - (HLS), which is a unified structure for all new and revised ISO Management System Standards (MSS). This structure facilitates the integration of different standards into common management systems.
  • Context of the organisation
The new version of the standard places greater emphasis on risk assessment. Organizations must conduct a more comprehensive and de-tail risk analysis to better identify and manage information security threats.
  • Consideration of technological developments:
ISO/IEC 27001:2022 reflects new challenges and technology trends that have emerged since the release of the pre-release version. Particular attention is paid to new threats such as cyber-attacks based on artificial intelligence, the Internet of Things (IoT) and other emerging technologies.
Strengthening the focus on leadership and senior management commitment
The standard emphasises the importance of involving the organisations leadership in the information security management process.
Top management must demonstrate a commitment to information security and ensure that they are adequately resourced for it.
  • Involvement of suppliers and partners:
The new version emphasizes the involvement of the organizations suppliers and partners in the information security management system, especially when key services or products are delivered.
Consideration of risk related to human behaviour:
ISO/IEC 27001:2022 emphasises the importance of considering human behaviour as a fundamental aspect of information security. Organisations should improve their ability to identify and manage risks related to the behaviour of their employees and other users.

Significant changes

Chapter 4

- 4.2 - Understanding stakeholder needs and expectations: A new item has been added that requires an analysis of which stakeholder requirements will be addressed through the ISMS.
- 4.4 - Information Security Management System: the standard requires identification of the necessary processes and their interactions within the ISMS. Essentially, the ISMS must therefore include the processes that support the ISMS, not just those specifically listed in the standard.

Chapter 6

- 6.2 - Information security objectives and planning for their achievement: now provides further guidance on the objectives of in-information security. This provides a clearer picture of how the objectives should be periodically  monitored and formally documented.
- 6.3 - Change Planning: This clause has been added to set a standard for change planning. It states that if changes are needed in the ISMS, these changes must be sufficiently planned.

Chapter 8

- 8.1 - Operational Planning and Management: Additional guidance on operational planning and management has been added. The ISMS must now establish criteria for the actions listed in Article 6 and control these actions in accordance with the criteria.
Minor changes

Chapter 5

- 5.3 - Organizational Roles, Responsibilities and Authority: A minor language update clarified that communication of roles relevant to information security is to be communicated within the organization.

Chapter 7

-7.4 - Communication: the subordinate clauses a-c remain the same. But subordinate clauses d (who should communicate) and e (the process by which communication should be affected) have been simplified and combined into the newly renamed subordinate clause d (how to communicate).

Chapter 9

- 9.2 - Internal Audit: This clause has been changed, but not substantially. It basically just combined what already existed between clauses 9.2.1 and 9.2.2 into one section.
- 9.3 Management Review: A new clause has been added to clarify that the management review of the organization must include consideration of any changes in stakeholder needs and expectations. It is important to note any changes as they are instrumental to the scope of the ISMS as identified in Article 4 (and based on those needs and expectations). For example, if an organizations board of directors wants to go public, the organization needs to consider how a change in priorities would affect the ISMS.

Chapter 10

- 10 - Improvement: the structural changes to this article now list continuous improvement first (10.1) and non-compliance and corrective action second (10.2).
Annex A


- 11 new points have been added
- 57 points have been merged
- 23 points were renamed
- 3 points were removed
In ISO 27001:2013, controls have been organized into 14 different areas. In the new update, the points are instead placed in the following four areas:
- Person controls (8 points)
- Organizational controls (37 points)
- Technology controls (34 points)
- Physical controls (14 points)
The change in nomenclature contributes to a better understanding of how Annex A controls help secure information. The previous area names were written for IT professionals - rather than management.
Companies will need to update their applicability statement to reflect this new structure as they look to achieve certification to ISO/IEC 27001:2022.
Additional attribute values have also been added to better describe the Annex A controls and help categorize them, but these are only available in ISO/IEC 27001:2022.

Annex A new clauses

- A.5.23 Information security for use of cloud services: this control highlights the need for better information security in the cloud and requires organisations to set standards
     security standards for cloud services and have processes and procedures specifically for cloud services.
- A.5.30 ICT preparedness for business continuity: This control requires organizations to ensure that ICT can be recovered or used in the event that
- A.7.4 Physical Security Monitoring: This control requires organisations to monitor sensitive physical areas (data centres, production facilities, etc.) to ensure that they can be accessed
     only authorized individuals are allowed access to these facilities - so that the organization is notified in the event of a breach.
- A.8.9 Configuration Management: This control requires the organisation to manage the configuration of its technology to ensure that it remains secure and to prevent unauthorised changes.
- A.8.10 Delete Information: This control requires the deletion of data when no longer needed to prevent the leakage of sensitive information and to comply with privacy requirements.
     data protection.
- A.8.11 Data Masking: This control requires organizations to use data masking in accordance with the organizat. access control policy to protect sensitive information.
- A.8.12 Data Leakage Prevention: This control requires organizations to implement measures to prevent data leakage and disclosure of sensitive information from systems, networks, and other devices.
- A.8.16 Monitoring activities: This control requires organizations to monitor systems for unusual activities and implement appropriate incident response procedures.
- A.8.23 Web filtering: This control requires organisations to manage which websites users access to protect IT systems.
- A.8.28 Secure coding: This control requires that secure coding principles are implemented as part of the organisat. software development process to reduce security vulnerabilities.


Some numbers about us
Number of implemented projects
Number of issued certificates
The number of accredited programs
Number of courses

Quality objectives

1. Permanent to maintain the Certification Body management system in compliance with all requirements of the national accreditation system
2. Continuous to work with all staff and cooperating parties involved in the certification process in order to maintain the high capability to exercise the certification of accredited systems
3 Regularly to inform all certified organizations about changes and state of certification requirements
4 Make the most to use of IT for implementation and management of audits with the objective to minimize written form of audit records and effective communication with customers.
5. Continuously to update the Company website and other information materials
6. Continuously monitor market requirements for certification of management systems
7. Expand the portfolio of activities based on needs and market requirements

Certification body

Quality objectives

Company Vision
MP Auditing arm_cert_reg_logo
Basic contact
Headquarters: TiŇ°novsk√° 384, 664 71 Veversk√° B√≠t√ĹŇ°ka¬† ¬† Phone:¬† +39 081119322936, +39 0354504730
OkruŇĺn√≠ 828/25, 638 00, Brno¬† ¬†
Via Tino di Camaino, 9 - 80128 - Napoli
Viale Papa Giovanni XXIII, 106 - 24121 - Bergamo
VAT Nr.: 26976285 VAT Nr.: 07738831218
E-mail: info@audiso.cz E-mail: info@audiso.it