6.5 KiB
6.5 KiB
Detailed comparison between 2017 and 2022
According to Mark Bernard , 28 juni 2025, "The changes to ISO/IEC 27001 ISMS are not straightforward. Some believe that the total number of controls was reduced; however, the truth is that new controls were added while existing controls were consolidated and streamlined."
New ISMS Control Objectives - ISO 27001:2022 CLAUSE 4 TO 10
| Line # | Clause | Title |
|---|---|---|
| 1 | 4.2(c) | Which of these requirements will be addressed through the information security management system |
| 2 | 6.1.2(e)2 | Prioritize analysed risks for risk treatment |
| 3 | 6.2(d) | Be monitored |
| 4 | 6.2(g) | Be available as documented information |
| 5 | 6.3 | When the organization determines the need for changes to the information security management system, the changes shall be carried out in a planned manner |
| 6 | 9.3.2(c) | Changes in needs and expectations of interested parties that are relevant to the information security management system |
Deleted ISMS Control Objectives - ISO 27001:2022 CLAUSE 4 TO 10
| Line # | Clause | Title |
|---|---|---|
| 1 | 7.4(c) | The processes by which communication shall be affected |
New Annex A Control Objectives - ISO 27001:2022
| Line # | Clause | Title |
|---|---|---|
| 1 | 5.7 | Threat intelligence |
| 2 | 5.23 | Information security for use of cloud services |
| 3 | 5.30 | ICT readiness for business continuity |
| 4 | 7.4 | Physical security monitoring |
| 5 | 8.9 | Configuration management |
| 6 | 8.10 | Information deletion |
| 7 | 8.11 | Data masking |
| 8 | 8.12 | Data leakage prevention |
| 9 | 8.16 | Monitoring activities |
| 10 | 8.23 | Web filtering |
| 11 | 8.28 | Secure coding |
Consolidated Annex A Control Objectives - ISO 27001:2022
| Line # | New Clause | Old | Redundant | Title |
|---|---|---|---|---|
| 1 | 5.1 | 5.1.1 | 5.1.2 | Policies for information security |
| 2 | 5.8 | 6.1.5 | 14.1.1 | Information security in project management |
| 3 | 5.9 | 8.1.1 | 8.1.2 | Inventory of information and other associated assets |
| 4 | 5.10 | 8.1.3 | 8.2.3 | Acceptable use of information and other associated assets |
| 5 | 5.14 | 13.2.1 | 13.2.2, 13.2.3 | Information transfer |
| 6 | 5.15 | 9.1.1 | 9.1.2 | Access control |
| 7 | 5.17 | 9.2.4 | 9.3.1, 9.4.3 | Authentication information |
| 8 | 5.18 | 9.2.2 | 9.2.5, 9.2.6 | Access rights |
| 9 | 5.22 | 15.2.1 | 15.2.2 | Monitoring, review and change management of supplier services |
| 10 | 5.29 | 17.1.1 | 17.121, 17.1.3 | Information security during disruption |
| 11 | 5.31 | 18.1.1 | 18.1.5 | Legal, statutory, regulatory and contractual requirements |
| 12 | 5.36 | 18.2.2 | 18.2.3 | Compliance with policies, rules and standards for information security |
| 13 | 6.8 | 16.1.2 | 16.1.3 | Information security event reporting |
| 14 | 7.2 | 11.1.2 | 11.1.6 | Physical entry |
| 15 | 7.10 | 8.3.1 | 8.3.2, 8.3.3, 11.2.5 | Storage media |
| 16 | 8.1 | 6.2.1 | 11.2.8 | User endpoint devices |
| 17 | 8.8 | 12.6.1 | 18.2.3 | Management of technical vulnerabilities |
| 18 | 8.15 | 12.4.1 | 12.4.2, 12.4.3 | Logging |
| 19 | 8.19 | 12.5.1 | 12.6.2 | Installation of software on operational systems |
| 20 | 8.24 | 10.1.1 | 10.1.2 | Use of cryptography |
| 21 | 8.25 | 14.1.2 | 14.1.3 | Application security requirements |
| 22 | 8.29 | 14.2.8 | 14.2.9 | Security testing in development and acceptance |
| 23 | 8.31 | 12.1.4 | 14.2.6 | Seporation of development, test and production environments |
| 24 | 8.32 | 12.1.2 | 14.2.2, 14.2.3, 14.2.4 | Change management |