Latest Changes Explained - ISO 27001-2022 Controls - Annex A

Latest Changes Explained - ISO 27001-2022 Controls - Annex A

Detailed explanation about the latest changes about ISO-27001-2022 controls : 11 new controls, 4 categories instead of 14 and introduction of 5 attributs


ISO 27001 is an international standard for information security. It was published in 2015 to help organizations establish, implement, maintain and improve their information security management system (ISMS).

Information security has become a major issue for companies, especially with the exponential growth of cyber attacks, so more and more companies are implementing the standard in order to set up an effective information security management system.

Iso 27001 is a standard that frames ISMS, so more and more companies are becoming certified to manage their risks about this topic.

Today there are more than 58,000 certified companies, of which more than 16% are in the information technology sector. (These figures are from 2021 and therefore probably increased significantly since then).

In this article, we will see what the standard is and we will detail more precisely the subject of ISO 27001 controls.

done-meeting (2)

What is iso 27001 ?

According to the International Organization for Standardization :

“ISO/IEC 27001 is the world's best-known standard for information security management systems (ISMS). It defines requirements an ISMS must meet.

The ISO/IEC 27001 standard provides companies of any size and from all sectors of activity with guidance for establishing, implementing, maintaining and continually improving an information security management system.

Conformity with ISO/IEC 27001 means that an organization or business has put in place a system to manage risks related to the security of data owned or handled by the company, and that this system respects all the best practices and principles enshrined in this International Standard”.

ISO-logo (2)

What are the objectives of the standard?

The certification establishes a set of standards to be used in your company to meet six essential objectives:

  • Confidentiality : Preserving the confidentiality of information, i.e. protecting information from unauthorized disclosure.
  • Integrity : Preserving the integrity of information, i.e. protecting it from unauthorized modification.
  • Availability : Paying attention to the availability of information, i.e. protecting it from unauthorized interruption of its availability.
  • Responsibility : Define responsibilities for information protection.
  • Traceability : The ability to track the origin and history of information.
  • Non-repudiation : This is the ability to prove the origin and integrity of information.

What are the advantages of being ISO 27001 certified for a company ?

advantages-of-being-certified-iso-27001 (2)

Improved information security :

Iso 27001 certification enables an organization to implement an information security management system (ISMS) that complies with international standards, ensuring that information is handled securely, and therefore reduce company’s vulnerability of cyber-attacks. According to Afnor, 89% of certified companies estimate that they have fewer security incidents.

Strengthening Stakeholder Confidence :

Stakeholders such as customers, business partners and investors are often reassured by ISO 27001 certification as it demonstrates the organization's commitment to information security.

Having the standard can also prove to be a business argument against a competitor who does not have it, or build up customer loyalty. In fact, 88% of the companies surveyed by Afnor recognize that certification has enabled them to retain some of their customers who would otherwise probably have left them.

Improved security culture :

Having certification in place promotes a culture of information security within the organization. Indeed, the employees will be sensitized during the implementation of the standard but also by the respect of new processes, the employees will be more sensitive to these subjects.

Find a complete SWOT analysis, conducted by the University of East London, to get an overview of the different opportunities, threats, weaknesses and strengths of implementing ISO 27001 in your company.

What does the iso 27001 standard contain?

The standard is separated into two distinct parts.

Part 1 : 11 clauses to oversee the implementation of your ISMS

The first part consists of the 11 clauses below, which provide a framework for establishing the policies, procedures and practices necessary to protect the organization's sensitive information and ensure its confidentiality, integrity and availability.

  • Introduction : A global introduction to the standard
  • Scope: Definition of the scope of the ISMS (Information Security Management System) that an organization intends to implement.
  • Normative references: Lists of the standards and documents that an organization must comply with, while implementing the ISMS.
  • Terms and definitions: Definition of the terms and definitions that are used in the standard.
  • Context of the organization: This clause requires the organization to understand the context of its ISMS, including the internal and external issues that may impact it.
  • Leadership: Importance of the role of senior management in establishing and maintaining the ISMS.
  • Planning: Description of the requirements for risk assessment and treatment, and the development of the Statement of Applicability (SoA).
  • Support: This clause outlines the requirements for resources, competence, awareness, communication, and documentation necessary for the ISMS.
  • Operation: Description of the requirements for implementing risk treatment plans, monitoring and reviewing the ISMS..
  • Performance evaluation: This clause requires the organization to monitor, measure, analyze, and evaluate the performance of its ISMS.
  • Improvement: Requirement from the organization to continually improve its ISMS based on the results of performance evaluations, audits, and reviews.

Part 2 : Appendix A This appendix provides a list of information security controls that organizations can use as a basis for implementing their information security management system.

It is designed to help organizations identify the appropriate security controls to implement to achieve their ISMS objectives.

This list has been recently updated.

ISO 27001-2013 Annex A controls and recent changes

ISO 27001-2013 - Annex A

The standard was updated in October 2022, with the main change being in Appendix A.

Previously, in the version of iso 27001-2013, Annex A was composed of 114 controls distributed around 14 different categories, listed below.

  • Information security policy
  • Organization of information security
  • Human resource security
  • Asset management
  • Access control
  • Cryptography
  • Physical and environmental security
  • Operations security
  • Communications security
  • System acquisition, development, and maintenance
  • Supplier relationships
  • Information security incident management
  • Information security aspects of business continuity management
  • Compliance

ISO 27001-2022 - Annex A

Before 2022, the standard had been updated for the last time in 2013, in 9 years, the world of information has drastically evolved, the standard had to evolve its repository to match the current field reality.

The first major change is the iso 27001 controls list, previously 114, they are now 93 in the 2022 standard. Of the 114 controls, 35 remain unchanged, 23 have been renamed, 57 are grouped into 24 (for clarity), 11 new security controls have been created.

The 11 new controls created correspond to these different items: Threat Information, Information Security for Cloud Services, ICT Readiness for Business Continuity, Physical Security Monitoring, Configuration Management, Information Deletion, Data Masking, Data Leakage Prevention, Monitoring Activities, Web Filtering, Secure Encryption.

Secondly, these controls are now categorized into 4 different categories:

1 - Organizational controls (37 controls)

2 - People controls (8 controls)

3 - Physical controls (14 controls)

4 - Technological controls (34 controls)

Finally, the update implements five attribute categories for security controls :

  • Control types: Preventive, Detective and Corrective
  • Cybersecurity concepts: Identify, Protect, Detect, etc.
  • Security domains: Governance and Ecosystem, Protection, Defense, etc.
  • Properties of information security: Privacy, Integrity and Availability
  • Operational capabilities: Governance, Asset Management, Information Protection, etc.

The five attributes assign one or more values of each attribute to one of the security controls.

The effect of this change is to make it easier to group and sort, and thus help you find the relevant controls to implement based on your needs. For example, if you want to implement controls related to governance, you can simply filter on this topic and you will have a list of relevant controls at your disposal.

iso 27001-2022 Annex A (1)

How to Decide Which ISO 27001 Controls to Implement ?

All of the controls listed in Appendix A are not mandatory to implement in your company. Appendix A is like a list, which allows you to select the controls you need according to your company. The controls you decide to implement will depend on the risk assessment and risk treatment plans you have made in the previous phases of implementing the standard.

Who is responsible for implementing ISO 27001 controls ?

In an organization, the responsibility for implementing ISO 27001 controls typically falls on the information security management team. This team is responsible for implementing and maintaining an information security management system (ISMS) that conforms to the requirements of ISO 27001.

However, as we saw earlier, Appendix A is composed of four different categories of controls and 34 of the 94 controls are related to information technology. Thus, in order to optimally implement the controls in Appendix A, it is necessary to have other people involved in the implementation of controls who have a field and global vision of the company on the other three different subjects.

In addition, at least one member of a company's management must be involved in the implementation of this project. This member must be responsible for providing the resources, support and commitment necessary to ensure the success of the ISMS and the effective implementation of ISO 27001 security controls.

How Trout Software Can Help with ISO 27001 Controls ?

Leverage Compliance Automation

The set of controls to be put in place to meet ISO 27001 standards can represent a significant amount of work. Imagine therefore, the workload that would be to exercise these controls at given periods, can not forget a date of a control, make the control by hand, note the result of the control in a document and then analyze all the results 🤯 This is just too time consuming for the teams that would spend most of their time doing these tasks.

With Trout Software, leverage compliance automation, for a compliance without sweat 🎣

Compliance automation refers to the use of technology to streamline and simplify compliance-related processes. The tool created by Trout Software: Security hub, allows the automation of security controls within an organization. Thus, the implementation of the control, the repetition of the control, the result of the control and the synthesis of all the controls is automated and centralized in Security Hub.

Deploy Pre-built Playbooks 

Trout Software has created dozens of ready-to-use playbooks that allow you to easily implement ISO 27001 controls. So just choose the control you want to set up, configure the access to the data required to run the playbook.

To do this, simply use the connectors pre-built by Trout Software, as you can see, below.

connect your data to Trout Software (1)

You will then have to select your choice and set it up with our scheduler.

Perform Continuous Control Monitoring

Our tool allows you to automate the playbook created, thanks to our scheduler.

As you can see below, it allows you to choose the notebook you have just created, and then to create parameters according to the desired frequency of the controls.

You can set its parameters according to the frequency of checks, the date and time of the first check you want to perform and finally indicate how often you want the check to be performed.

Once you have set the parameters, you can click on "Schedule".

As you can see on our examples, for each check a red or green bar will appear depending on whether the check returns an error or not.

Trout Software Scheduler (3)

This allows you to exercise controls in a regular way, to have a global view on the control through time and thus to set up an ISO 27001 approach, based on continuous improvement.

Start Your Journey to ISO 27001 Compliance with Trout Software ! 🎣

Frenquently Asked Questions :

What are the differences between iso 27002 and iso 27001 ?

ISO 27001 provides a framework for establishing, implementing, maintaining and continually improving an ISMS, while ISO 27002 provides guidelines for implementing the controls specified in ISO 27001. The ISO27002 standard completes the ISO 27001 standard, but is not certifying.

What are the differences between iso 27001 and SOC2 ?

ISO 27001 provides a framework for managing information security risks, while SOC 2 provides assurance that an organization has controls in place to protect the data it stores, processes, or transmits on behalf of its customers.

What is the cost of being certified iso 27001 ?

The cost of being certified to ISO 27001 can vary depending on a number of factors, such as the size and complexity of your organization, the scope of your ISMS, and the certification body you choose to work with.

How often do I need to review and update the ISO 27001 controls ?

Regular review and updating of the ISMS and its controls is necessary to ensure their effectiveness and relevance in addressing the organization's security risks. The frequency of these reviews depends on various factors such as organization size, complexity, scope of the ISMS, and risk profile. It is generally recommended to conduct a formal review of the ISMS and its controls at least once a year, and also when there are significant changes to the organization, its systems or processes, or the threat landscape. This will help ensure that the ISMS remains current and aligned with the organization's business objectives and security needs.

How much time do I have to meet the new requirements of the Iso 27001 - 2022 standard?

According to ISO : “New or recertification audits after October 2023, must be under the 2022 version.”

What is the latest standard for iso 27001 ?

ISO 27001 was last updated in October 2022, representing the latest version. 

How long does iso 27001 certification take ?

The duration of ISO 27001 certification can vary depending on several factors, including the size and complexity of the organization, its existing information security practices, and the level of readiness for certification. 

On average, the certification process typically takes between 6 to 12 months, but it can take longer in certain cases.

Get notified about Trout articles

Receive an email when our team releases new content.