# Detailed comparison between 2017 and 2022

According to [Mark Bernard](https://www.linkedin.com/posts/markesbernard_the-changes-to-isoiec-27001-isms-are-not-activity-7344467878198329344-nZN7), 28 June 2025, "The changes to ISO/IEC 27001 ISMS are not straightforward. Some believe that the total number of controls was reduced; however, the truth is that new controls were added while existing controls were consolidated and streamlined."

![](iso27001_changes_table.jpeg)

## New ISMS Control Objectives - ISO 27001:2022 CLAUSE 4 TO 10

| Line # | Clause | Title |
| ------ | --------- | ------------------------------------------------------------------------------------------------------------------------------------------------------- |
| 1 | 4.2(c) | Which of these requirements will be addressed through the information security management system |
| 2 | 6.1.2(e)2 | Prioritize analysed risks for risk treatment |
| 3 | 6.2(d) | Be monitored |
| 4 | 6.2(g) | Be available as documented information |
| 5 | 6.3 | When the organization determines the need for changes to the information security management system, the changes shall be carried out in a planned manner |
| 6 | 9.3.2(c) | Changes in needs and expectations of interested parties that are relevant to the information security management system |

## Deleted ISMS Control Objectives - ISO 27001:2022 CLAUSE 4 TO 10

| Line # | Clause | Title |
| ------ | ------ | ------------------------------------------------------ |
| 1 | 7.4(c) | The processes by which communication shall be effected |

## New Annex A Control Objectives - ISO 27001:2022

| Line # | Clause | Title |
| ------ | ------ | ---------------------------------------------- |
| 1 | 5.7 | Threat intelligence |
| 2 | 5.23 | Information security for use of cloud services |
| 3 | 5.30 | ICT readiness for business continuity |
| 4 | 7.4 | Physical security monitoring |
| 5 | 8.9 | Configuration management |
| 6 | 8.10 | Information deletion |
| 7 | 8.11 | Data masking |
| 8 | 8.12 | Data leakage prevention |
| 9 | 8.16 | Monitoring activities |
| 10 | 8.23 | Web filtering |
| 11 | 8.28 | Secure coding |

## Consolidated Annex A Control Objectives - ISO 27001:2022

| Line # | New Clause | Old | Redundant | Title |
| ------ | ---------- | ------ | ---------------------- | ---------------------------------------------------------------------- |
| 1 | 5.1 | 5.1.1 | 5.1.2 | Policies for information security |
| 2 | 5.8 | 6.1.5 | 14.1.1 | Information security in project management |
| 3 | 5.9 | 8.1.1 | 8.1.2 | Inventory of information and other associated assets |
| 4 | 5.10 | 8.1.3 | 8.2.3 | Acceptable use of information and other associated assets |
| 5 | 5.14 | 13.2.1 | 13.2.2, 13.2.3 | Information transfer |
| 6 | 5.15 | 9.1.1 | 9.1.2 | Access control |
| 7 | 5.17 | 9.2.4 | 9.3.1, 9.4.3 | Authentication information |
| 8 | 5.18 | 9.2.2 | 9.2.5, 9.2.6 | Access rights |
| 9 | 5.22 | 15.2.1 | 15.2.2 | Monitoring, review and change management of supplier services |
| 10 | 5.29 | 17.1.1 | 17.1.2, 17.1.3 | Information security during disruption |
| 11 | 5.31 | 18.1.1 | 18.1.5 | Legal, statutory, regulatory and contractual requirements |
| 12 | 5.36 | 18.2.2 | 18.2.3 | Compliance with policies, rules and standards for information security |
| 13 | 6.8 | 16.1.2 | 16.1.3 | Information security event reporting |
| 14 | 7.2 | 11.1.2 | 11.1.6 | Physical entry |
| 15 | 7.10 | 8.3.1 | 8.3.2, 8.3.3, 11.2.5 | Storage media |
| 16 | 8.1 | 6.2.1 | 11.2.8 | User endpoint devices |
| 17 | 8.8 | 12.6.1 | 18.2.3 | Management of technical vulnerabilities |
| 18 | 8.15 | 12.4.1 | 12.4.2, 12.4.3 | Logging |
| 19 | 8.19 | 12.5.1 | 12.6.2 | Installation of software on operational systems |
| 20 | 8.24 | 10.1.1 | 10.1.2 | Use of cryptography |
| 21 | 8.25 | 14.1.2 | 14.1.3 | Application security requirements |
| 22 | 8.29 | 14.2.8 | 14.2.9 | Security testing in development and acceptance |
| 23 | 8.31 | 12.1.4 | 14.2.6 | Separation of development, test and production environments |
| 24 | 8.32 | 12.1.2 | 14.2.2, 14.2.3, 14.2.4 | Change management |