Imminent changes to ISO 27001: 2013 | Resources
Xcina Blog

Imminent changes to ISO 27001: 2013


ISO 27001 – The situation explained

ISO 27001 is a widely recognised Standard for establishing, implementing, maintaining, and continually improving Information Security Management Systems (ISMS). The Standard includes requirements for the assessment and treatment of information security risks and is supplemented by Annex A, Control Objectives and Controls.

The current version of the ISO 27001 Standard was released in 2013, since when the world has experienced significant developments and acceleration in both technology and methodology for information security risk management. The update to ISO27001:2013, scheduled for late 2022, seeks to address these developments.

Additional guidelines for information security controls can also be found in ISO 27002 (Information Security Controls). ISO 27002 (Information Security Controls) was updated in February 2022, and it is widely expected that the planned updates to ISO 27001 Annex A will align and reflect the changes seen in ISO 27002: 2022.



ISO 27002: 2022

Key takeaways from the revised ISO 27002: 2022 (Information Security Controls) include:

  • Recognition of changes in the threat landscape, specifically with regards to cloud infrastructure
  • Merging of 24 separate controls where measures complemented each other
  • Implementation of 58 new or updated controls to reflect modern information systems
  • An annex to map controls recommended in 2013 version to present state

What next?

Proactive organisations should update their existing ISMS’s to align with the revised ISO 27002 Standard. This will stand them in good stead in meeting the requirements of and maintaining compliance with the revised ISO27001.

Whilst there will be a transition period for implementation (possibly to late 2024), Information Security Managers and their organisations will benefit from starting their implementations early, identifying gaps to the new requirements and undertaking any necessary remedial actions. Starting their programmes earlier will also allow for a wider choice when selecting implementation partners where this may be required. Customers, partners, and suppliers will value the assurance derived from dealing with an organisation that takes its information security obligations seriously.

We’d love to hear from you

To discuss how the areas highlighted in this post, or any other aspect of risk management, information governance or compliance impact your business, speak with our team, tell us what matters to you and find out how we can help you navigate complex issues to help you deliver long term value.

If you have any questions or comments, or if there’s anything you would like to see covered, please get in touch by emailing Xcina Consulting at We’d love to hear from you.

Peter Lane

Information Security Consultant

Speak to me directly by Email, or
Telephone: +44 (020) 3745 7820

Subscribe to Updates

Receive regular updates from our expert consultants as they provide clarification and guidance on issues impacting your organisation.

Subscribe >>