Reminder on ISO27001:2013
- ccoldsmoke
- Jun 16
- 3 min read
The deadline for the deprecation of ISO27001:2013 is quickly approaching. As of the end of October 2025, your ISO27001:2013 certification will expire. If you haven’t already started on your transition to 2022, you’re likely feeling a bit behind.
What are the differences between your existing ISO27001:2013 framework and the new ISO27001:2022?
Here are the key differences between ISO 27001:2013 and ISO 27001:2022 that will help you identify where your existing policies need updates:
Structural and Terminology Changes
Annex A Controls Reorganization - The most significant change is the restructuring of security controls from 14 categories (133 controls) in 2013 to 4 themes (93 controls) in 2022. The new structure organizes controls under: Organizational, People, Physical, and Technological themes. Many controls from 2013 were merged, simplified, or relocated rather than removed entirely.
Updated Terminology - Several terms have been modernized throughout the standard. References to “information security management system” remain consistent, but supporting language has been refined for clarity and contemporary usage.
New and Enhanced Controls
Cloud Security (A.5.23) - A completely new control addressing cloud services security, requiring organizations to establish procedures for secure use, management, and monitoring of cloud services.
ICT Readiness for Business Continuity (A.5.30) - New control focusing on information and communication technology readiness planning, expanding beyond traditional business continuity.
Enhanced Threat Intelligence (A.5.7) - Significantly expanded from the 2013 version, now requiring more comprehensive threat intelligence gathering and analysis processes.
Web Application Security - Previously covered under secure development, this now receives more explicit treatment with enhanced requirements for web application security testing and secure coding practices.
Modified Existing Controls
Access Control Management - Controls have been streamlined and consolidated, with clearer separation between privileged access management and regular user access controls.
Cryptography Controls - Updated to reflect current cryptographic standards and practices, with more specific guidance on key management and cryptographic implementation.
Incident Management - Enhanced requirements for incident response procedures, including more detailed reporting and communication requirements.
Supplier Relationship Security - Expanded coverage of third-party security management, including more comprehensive supply chain security requirements.
Areas Requiring Policy Updates
Cloud Services Governance - You’ll need entirely new policies and procedures covering cloud service assessment, approval, monitoring, and data protection in cloud environments.
Threat Intelligence Program - Existing threat monitoring policies will need expansion to include systematic threat intelligence collection, analysis, and sharing processes.
Business Continuity Technology Planning - Current business continuity plans should be reviewed to ensure adequate coverage of ICT-specific readiness and recovery procedures.
Access Control Procedures - Review and potentially restructure access control policies to align with the new categorization and enhanced privileged access requirements.
Vendor Security Assessment - Strengthen supplier security evaluation processes to meet the enhanced third-party risk management requirements.
Cryptographic Implementation - Update cryptography policies to ensure alignment with current standards and more detailed key management procedures.
Incident Response Communications - Enhance incident management procedures to include the expanded reporting and stakeholder communication requirements.
The transition allowed three years for compliance (until October 2025), but time is running out to systematically update policies. Focus first on the completely new controls like cloud security, then enhance existing policies to meet the updated requirements. Consider conducting a gap analysis mapping your current 2013 controls to the 2022 structure to prioritize your update efforts.
If you’re just starting your ISO27001:2022 journey, or just want to refresh to the 2022 standard in one simple policy-adoption step, check out the store for our full ISO27001:2022 policy bundle, which includes plenty of templates and checklists to make your journey much easier - all at a fraction of the cost of compliance tools or consulting groups.