ISO/IEC 27001:2022 "Information Security, Network Security and Privacy Protection: Information Security Management System Requirements"

Main changes in ISO/IEC 27001:2022

1. Appendix A references the information security controls described in ISO/IEC 27002:2022, including the control titles and the control information

2. Clause 6.1.3 c) has been revised and edited, including removing the control objectives and using "information security control" instead of "control"

3. Re-edited the wording in clause 6.1.3 d) to remove potential ambiguity

4. Added new clause 4.2 c) on determining what is to be addressed through the ISMS

5. Added a new subclause 6.3 - Planning of changes, which defines that changes to the ISMS should be carried out by the organization in a planned manner

6. Maintained consistency in the verbs used in the written text; for example, clauses 9.1, 9.2.2, 9.3.3 and 10.2 use "written information shall be evidence of XXX"

7. Replaced "outsourced process" in clause 8.1 with "externally provided processes, products and services" and deleted "outsourced"

8. Renamed and reordered the subclauses of Clause 9.2 - Internal Audit and Clause 9.3 - Management Review

9. Swapped the order of the two subclauses of Clause 10 - Improvement

10. Updated the versions of relevant documents listed in the Bibliography, such as ISO/IEC 27002 and ISO 31000

11. Some deviations in ISO/IEC 27001:2013 (clause 6.2 d)) from the high-level structure, same core text, common terms and core definitions

ISO/IEC 27001:2022 transition time

3-year transitional period starting in October 2022 (to October 2025)

October 2022: ISO/IEC 27001:2022 published

2022.10-2023.10: New and existing certifications can still be assessed against ISO/IEC 27001:2013

2023.10.24: After October 24, 2023, there will be no initial and re-certification audits for ISO/IEC 27001:2013

2025.10.25: All ISO/IEC 27001:2013 certifications must expire or be withdrawn no later than October 25, 2025


Origin blog.csdn.net/std7879/article/details/127724377