The 2022 version of ISO/IEC 27001, the standard that defines the requirements for an information security management system (ISMS), was published on 25 October 2022. ANAB-accredited certification bodies will have 12 months from the last day of the publication month of ISO/IEC 27001:2022 (i.e., 31 October 2023) to transition to ISO/IEC 27001:2022. Organizations will have 36 months from the last day of the publication month (i.e., 31 October 2025) to transition to the new version of the standard.
Several clauses were reworded or reordered in ISO/IEC 27001:2022. There are minimal new requirements in clauses 4-10. However, the change in clause 4.4 will significantly impact how an organization manages their ISMS. New requirements include:
- Clause 3 – added links for ISO and IEC databases
- Clause 4.2(c) – added new bullet
- Clause 4.4 – added a requirement to establish, implement, maintain, and continually improve processes and their interactions.
- Clause 5.1 – added Note to clarify the term “business”
- Clause 6.3 – added a new section for “Planning of Changes”
ISO/IEC 27001:2022 now has 93 controls compared to 114 controls in ISO/IEC 27001:2013. There are 11 new controls in 2022 version of the standard. 56 controls in ISO/IEC 27001:2013 have been merged into 24 controls in ISO/IEC 27001:2022. Many of the controls in the 2022 version have undergone some form of text change. The 93 controls are divided into 4 themes:
- Organizational
- 3 new
- 28 merged
- People
- No new controls
- 2 merged controls
- Physical
- 1 new
- 5 merged
- Technical
- 7 new
- 21 merged
Below is a matrix that outlines the differences between ISO/IEC 27001:2013 and ISO/IEC 27001:2022.
| Clause | ISO/IEC 27001:2013 | Clause | ISO/IEC 27001:2022 | Change |
|---|---|---|---|---|
| 1 | This International Standard specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. | 1 | This document specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. | The term “International Standard” is replaced with the “document” throughout the standard. The change occurs 4 times in clause 1. Clause is reworded. |
| 2 | The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. | 2 | The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. | Clause is reworded. |
| 3 | 3 | ISO and IEC maintain terminology databases for use in standardization at the following addresses: —ISO Online browsing platform: available at https://www.iso.org/obp — IEC Electropedia: available at https://www.electropedia.org/ | Added language and database links. | |
| 4.1 | NOTE Determining these issues refers to establishing the external and internal context of the organization considered in Clause 5.3 of ISO 31000:2009. | 4.1 | NOTE Determining these issues refers to establishing the external and internal context of the organization considered in Clause 5.4.1 of ISO 31000:2018. | Updated note to include clause 5.4.1 in ISO 31000:2018. |
| 4.2 (b) | The organization shall determine: …. b) the requirements of these interested parties relevant to information security. | 4.2 (b) | The organization shall determine: …. b) the relevant requirements of these interested parties. | Clause is reworded. |
| 4.2 | 4.2 (c) | c) which of these requirements will be addressed through the information security management system. | New clause | |
| 4.2 | NOTE The requirements of interested parties may include legal and regulatory requirements and contractual obligations. | 4.2 | NOTE The requirements of interested parties can include legal and regulatory requirements and contractual obligations. | Changed “may” to “can”. |
| 4.4 | The organization shall establish, implement, maintain and continually improve an information security management system, in accordance with the requirements of this International Standard. | 4.4 | The organization shall establish, implement, maintain and continually improve an information security management system, including the processes needed and their interactions, in accordance with the requirements of this document. | Added “including the processes needed and their interactions,” Organizations must now establish, implement, maintain, and continually improve processes and their interactions. |
| 5.1 | 5.1 | NOTE Reference to “business” in this document can be interpreted broadly to mean those activities that are core to the purposes of the organization’s existence. | Added note | |
| 5.2 | c) includes a commitment to satisfy applicable requirements related to information security; and” | 5.2 | c) includes a commitment to satisfy applicable requirements related to information security; | Removed the word “and” from the end of the sentence. |
| 5.3 | Top management shall ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated. | 5.3 | Top management shall ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated within the organization. | Added “within the organization” |
| 5.3 | a) ensuring that the information security management system conforms to the requirements of this International Standard; and | 5.3 | a) ensuring that the information security management system conforms to the requirements of this document | Replaced “international Standard” with “document.” Deleted “and” at the end of the clause. |
| 6.1.1 | b) prevent, or reduce, undesired effects; and | 6.1.1 | b) prevent, or reduce, undesired effects | The word “and” was removed from the end of the clause |
| 6.1.3(b) | NOTE Organizations can design controls as required, or identify them from any source. | 6.1.3(b) | NOTE 1 Organizations can design controls as required, or identify them from any source. | “Note” is now “Note 1” |
| 6.1.3(c) | Note 1 Annex A contains a comprehensive list of control objectives and controls. Users of this International Standard are directed to Annex A to ensure that no necessary controls are overlooked. | 6.1.3(c) | NOTE 2 Annex A contains a list of possible information security controls. Users of this document are directed to Annex A to ensure that no necessary information security controls are overlooked. | Note 1 is now Note 2 The description of Annex A is changed from “a comprehensive list of control objectives and controls” to “a list of possible information security controls.” “International Standard” is replaced with the word “document.” Replaced “controls” in last sentence to “information security controls” |
| 6.1.3(c) | NOTE 2 Control objectives are implicitly included in the controls chosen. The control objectives and controls listed in Annex A are not exhaustive and additional control objectives and controls may be needed. | 6.1.3(c) | NOTE 3 The information security controls listed in Annex A are not exhaustive and additional information security controls can be included if needed. | Note 2 is now Note 3 “Control objectives are implicitly included in the controls chosen” is deleted. “control objectives” in 2nd sentence is deleted. Additional control objectives and controls may be needed” is changed to “additional information security controls can be included if needed. “Controls” changed to “information security controls.” |
| 6.1.3(d) | whether they are implemented or not | 6.1.3(d) | whether the necessary controls are implemented or not | Changed “they” to “the necessary controls” |
| 6.1.3d | the justification for exclusions of controls from Annex A; | 6.1.3(d) | d) produce a Statement of Applicability that contains: the necessary controls (see 6.1.3 b) and c); justification for their inclusion; whether the necessary controls are implemented or not; and the justification for excluding any of the Annex A controls | Clause is reworded. |
| 6.1.3 | NOTE The information security risk assessment and treatment process in this International Standard aligns with the principles and generic guidelines provided in ISO 31000. | 6.1.3 | NOTE 4 The information security risk assessment and treatment process in this document aligns with the principles and generic guidelines provided in ISO 31000. | Note is now Note 4 “International Standard” is replaced with “document.” |
| 6.2(d) | d) be communicated; and | 6.2(d) | d) be monitored | Changed from “be communicated” to “be monitored.” Deleted “and” at end of sentence |
| 6.2(e) | e) be updated as appropriate | 6.2(e) | e) be communicated; | Changed from “be updated as appropriate” to “be communicated.” |
| 6.2 | 6.2(f) | f) be updated as appropriate; | New requirement | |
| 6.2 | 6.2(g) | g) be available as documented information. | New requirement | |
| 6.2 | When planning how to achieve its information security objectives, the organization shall determine: f) what will be done; g) what resources will be required; h) who will be responsible; i) when it will be completed; and j) how the results will be evaluated. | 6.2 | “When planning how to achieve its information security objectives, the organization shall determine: h) what will be done; i) what resources will be required; j) who will be responsible; k) when it will be completed; and l) how the results will be evaluated. | The 2022 version changes / re‐orders the information security objective list by identifying: item f) as item h); item g) as item i); item h) as item j); item i) as item k); item j) as item l). Note: Although re‐ordered due to added bullet points in clause above, the language was not changed. |
| 6.3 | 6.3 | Planning of Changes | A new section 6.3 is added to the 2022 version. The new section is entitled “Planning of changes. | |
| 6.3 | 6.3 | When the organization determines the need for changes to the information security management system, the changes shall be carried out in a planned manner. | A new section 6.3 is added to the 2022 version. The text of the new section is provided in quotes. | |
| 7.2 | NOTE Applicable actions may include, for example: the provision of training to, the mentoring of, or the reassignment of current employees; or the hiring or contracting of competent persons. | 7.2 | NOTE Applicable actions can include, for example: the provision of training to, the mentoring of, or the reassignment of current employees; or the hiring or contracting of competent persons. | The word “may” changed to “can”. |
| 7.4 | The organization shall determine the need for internal and external communications relevant to the information security management system including: on what to communicate; b) when to communicate; c) with whom to communicate; d) who shall communicate; and e) the processes by which communication shall be effected. | 7.4 | The organization shall determine the need for internal and external communications relevant to the information security management system including: a) on what to communicate; b) when to communicate; c) with whom to communicate; d) how to communicate. | The 2022 version rewords / re‐orders the communication list by: d) is reworded from “who shall communicate” to “with whom to communicate,” and e) “the processes by which communication shall be effected” is removed |
| 7.5.1 | The organization’s information security management system shall include: a) documented information required by this International Standard; and. | 7.5.1 | The organization’s information security management system shall include: a) documented information required by this document; and. | The term “International Standard” is replaced with the word “document.” |
| 7.5.3 | Documented information required by the information security management system and by this International Standard shall be controlled to ensure: | 7.5.3 | Documented information required by the information security management system and by this document shall be controlled to ensure: | The term “International Standard” is replaced with the word “document.” |
| 7.5.3 | NOTE Access implies a decision regarding the permission to view the documented information only, or the permission and authority to view and change the documented information, etc. | 7.5.3 | NOTE Access can imply a decision regarding the permission to view the documented information only, or the permission and authority to view and change the documented information, etc. | “Access implies a decision . . . .” was reworded to “Access can imply a decision . . . |
| 8.1 | The organization shall plan, implement and control the processes needed to meet information security requirements, and to implement the actions determined in 6.1. The organization shall also implement plans to achieve information security objectives determined in 6.2. | 8.1 | The organization shall plan, implement and control the processes needed to meet requirements, and to implement the actions determined in Clause 6, by: establishing criteria for the processes; implementing control of the processes in accordance with the criteria. | The phrase “needed to meet information security requirements . . . .” was reworded to “needed to meet requirements . . . .” The phrase “to implement the actions determined in 6.1” was reworded to “to implement the actions determined in Clause 6 . . . .” The sentence “The organization shall also implement plans to achieve information security objectives determined in 6.2” was removed. The 2022 version clarifies implementation of actions by adding the following language: establishing criteria for the processes; implementing control of the processes in accordance with the criteria. |
| 8.1 | The organization shall keep documented information to the extent necessary to have confidence that the processes have been carried out as planned. | 8.1 | Documented information shall be available to the extent necessary to have confidence that the processes have been carried out as planned. | In this sentence, the phrase “the organization shall keep documented information . . . .” was reworded to “documented information shall be available . . . |
| 8.1 | The organization shall ensure that outsourced processes are determined and controlled. | 8.1 | The organization shall ensure that externally provided processes, products or services that are relevant to the information security management system are controlled. | Added …”include externally provided products or services relevant to the information security management system”… |
| 9.1 | The organization shall evaluate the information security performance and the effectiveness of the information security management system. | 9.1 | The organization shall evaluate the information security performance and the effectiveness of the information security management system. | This sentence was moved. It was the first sentence under section 9.1 in the 2013 version. It is now the last sentence under section 9.1 in the 2022 version. |
| 9.1(b) | The organization shall determine: …. “b) the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results; NOTE The methods selected should produce comparable and reproducible results to be considered valid. | 9.1(b) | The organization shall determine: …. “b) the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results. The methods selected should produce comparable and reproducible results to be considered valid; | The Note in the 2013 version is removed and the language is part of item (b) in the 2022 version. |
| 9.1(e) | when the results from monitoring and measurement shall be analyzed and evaluated; and. | 9.1(e) | when the results from monitoring and measurement shall be analyzed and evaluated; | The word “and” was removed. |
| 9.1 | The organization shall retain appropriate documented information as evidence of the monitoring and measurement results. | 9.1 | Documented information shall be available as evidence of the results.” | The sentence was reworded. |
| 9.2 | No sub-sections | 9.2 | Subsections include: 9.2.1 General 9.2.2 Internal Audit Program | Added sub-sections |
| 9.2.1(a)(2) | 2) the requirements of this International Standard. | 9.2.1(a)(2) | a) conforms to 2) the requirements of this document. | “International Standard” is replaced with the word “document.” |
| 9.2 | The organization shall: c) plan, establish, implement and maintain an audit program(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit program(s) shall take into consideration the importance of the processes concerned and the results of previous audits; d) define the audit criteria and scope for each audit; e) select auditors and conduct audits that ensure objectivity and the impartiality of the audit process; f) ensure that the results of the audits are reported to relevant management; and g) retain documented information as evidence of the audit program(s) and the audit results. | 9.2.2 | The organization shall plan, establish, implement and maintain an audit program(s), including the frequency, methods, responsibilities, planning requirements and reporting. When establishing the internal audit program(s), the organization shall consider the importance of the processes concerned and the results of previous audits. The organization shall: a) define the audit criteria and scope for each audit; b) select auditors and conduct audits that ensure objectivity and the impartiality of the audit process; c) ensure that the results of the audits are reported to relevant management; Documented information shall be available as evidence of the implementation of the audit program(s) and the audit results. | The 2022 version places this requirement under a new subsection heading (“Internal audit program”). “The audit program(s) shall take into consideration the importance of the processes concerned and the results of previous audits” was reworded as follows: “When establishing the internal audit program(s), the organization shall consider the importance of the processes concerned and the results of previous audits.” The 2022 version added the phrase “The organization shall . . . .” This is necessary based upon the new subsection. The 2022 version changes / re‐orders the internal audit requirement list by identifying: item d) as item a); item e) as item b); item f) as item c); item g) is no longer a listed item, but is a separate / stand‐alone sentence. |
| 9.3 | No sub-sections | 9.3.1 9.3.2 9.3.3 | Subsections include: 9.3.1 General 9.3.2 Management review inputs 9.3.3 Management review results | Added sub-sections |
| 9.3(c)(3) | “audit results; and” | 9.3.2(d)(3) | audit results; | Removed the word “and” |
| 9.3(e) | results of risk assessment and status of risk treatment plan; and | 9.3.2(f) | results of risk assessment and status of risk treatment plan;” | Remove the word “and”. |
| 9.3 | The outputs of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system. The organization shall retain documented information as evidence of the results of management reviews. | 9.3.3 | The results of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system. Documented information shall be available as evidence of the results of management reviews. | Clause is reworded. |
| 10 | Subsections were: 10.1 Nonconformity and corrective action 10.2 Continual Improvement | 10 | Subsections are now: 10.1 Continual Improvement 10.2 Nonconformity and corrective action | Sub-sections reversed |
| 10.1(a)(1) | Related to a nonconformance, an organization must “take action to control and correct it; and.” | 10.2(a)(1) | Related to a nonconformance, an organization must “take action to control and correct it;” | Removed the word “and” at the end of the clause. |
| 10.1 | The organization shall retain documented information as evidence of: f) the nature of the nonconformities and any subsequent actions taken, and g) the results of any corrective action. | 10.2 | Documented information shall be available as evidence of: f) the nature of the nonconformities and any subsequent actions taken, g) the results of any corrective action. | Clause is reworded. |
| Annex A Controls | ||||
| Control | Title | Control | Title | Theme |
| Access Control | ||||
| A.5.1.1 | Policies for information security | A.5.1 | Policies for information security | Organizational |
| A.5.1.2 | Review of the policies for information security | A.5.1 | Merged into A.5.1 | |
| Organization of Information | ||||
| A.6.1.1 | Information security roles and responsibilities | A.5.2 | Information security roles and responsibilities | Organizational |
| A.6.1.2 | Segregation of duties | A.5.3 | Segregation of duties | Organizational |
| A.6.1.3 | Contact with authorities | A.5.5 | Contact with authorities | Organizational |
| A.6.1.4 | Contact with special interest groups | A.5.6 | Contact with special interest groups | Organizational |
| A.5.7 | Threat intelligence | Organizational | ||
| A.6.1.5 | Information security in project management | A.5.8 | Information security in project management | Organizational |
| A.6.2.1 | Mobile device policy | A.8.1 | User end point devices | Technical |
| A.6.2.2 | Teleworking | A.6.7 | Remote working | People |
| Human Resource Security | ||||
| A.7.1.1 | Screening | A.6.1 | Screening | People |
| A.7.1.2 | Terms and conditions of employment | A.6.2 | Terms and conditions of employment | People |
| A.7.2.1 | Management responsibilities | A.5.4 | Management responsibilities | Organizational |
| A.7.2.2 | Information security awareness, education, and training | A.6.3 | Information security awareness, education, and training | People |
| A.7.2.3 | Disciplinary process | A.6.4 | Disciplinary process | People |
| A.7.3.1 | Termination or change of employment responsibilities | A.6.5 | Termination or change of employment responsibilities | People |
| Asset Management | ||||
| A.8.1.1 | Inventory of assets | A.5.9 | Inventory of information and other associated assets | Organizational |
| A.8.1.2 | Ownership of assets | Merged into A.5.9 | ||
| A.8.1.3 | Acceptable use of assets | A.5.10 | Acceptable use of information and other associated assets | Organizational |
| A.8.1.4 | Return of assets | A.5.11 | Return of assets | Organizational |
| A.8.2.1 | Classification of information | A.5.12 | Classification of information | Organizational |
| A.8.2.2 | Labeling of information | A.5.13 | Labeling of information | Organizational |
| A.8.2.3 | Handling of assets | Merged into A.5.10 | ||
| A.8.3.1 | Management of removable media | A.7.10 | Storage media | Physical |
| A.8.3.2 | Disposal of media | Merged into A.7.10 | ||
| A.8.3.3 | Physical media transfer | Merged into A.7.10 | ||
| Access Control | ||||
| A.9.1.1 | Access control policy | A.5.15 | Access control | Organizational |
| A.9.1.2 | Access to networks and network services | Merged into A.5.15 | ||
| A.9.2.1 | User registration and de-registration | A.5.16 | Identity management | Organizational |
| A.9.2.2 | User access provisioning | A.5.18 | Access rights | Organizational |
| A.9.2.3 | Management of privileged access rights | A.8.2 | Privileged access rights | Technical |
| A.9.2.4 | Management of secret authentication information of users | A.5.17 | Authentication information | Organizational |
| A.9.2.5 | Review of user access rights | Merged into A.5.18 | ||
| A.9.2.6 | Removal of adjustment of access rights | Merged into A.5.18 | ||
| A.9.3.1 | Use of secret authentication information | Merged into A.5.17 | ||
| A.9.4.1 | Information access restriction | A.8.3 | Information access restriction | Technical |
| A.9.4.2 | Secure log-in procedures | A.8.5 | Secure authentication | Technical |
| A.9.4.3 | Password management system | Merged into A.5.17 | ||
| A.9.4.4 | Use of privileged utility programs | A.8.18 | Use of privileged utility programs | Technical |
| A.9.4.5 | Access control to program source code | A.8.4 | Access to source code | Technical |
| Cryptography | ||||
| A.10.1.1 | Policy of the use of cryptographic controls | A.8.24 | Use of cryptography | Technical |
| A.10.1.2 | Key management | Merged into A.8.24 with A.10.1.1 | ||
| Physical and Environmental Controls | ||||
| A.11.1.1 | Physical security perimeter | A.7.1 | Physical security perimeters | Physical |
| A.11.1.2 | Physical entry controls | A.7.2 | Physical entry | Physical |
| A.11.1.3 | Securing offices, rooms, and facilities | A.7.3 | Securing offices, rooms, and facilities | Physical |
| New | A.7.4 | Physical security monitoring | Physical | |
| A.11.1.4 | Protecting against external and environmental threats | A.7.5 | Protecting against external and environmental threats | Physical |
| A.11.1.5 | Working in secure areas | A.7.6 | Working in secure areas | Physical |
| A.11.1.6 | Delivery and loading areas | Merged into A.7.2 with A.11.1.2 | ||
| A.11.2.1 | Equipment siting and protection | A.7.8 | Equipment siting and protection | Physical |
| A.11.2.2 | Supporting utilities | A.7.11 | Supporting utilities | Physical |
| A.11.2.3 | Cabling security | A.7.12 | Cabling security | Physical |
| A.11.2.4 | Equipment maintenance | A.7.13 | Equipment maintenance | Physical |
| A.11.2.5 | Removal of assets | Merged into A.7.10 | ||
| A.11.2.6 | Security of equipment and assets off-premises | A.7.9 | Security of assets off-premises | Physical |
| A.11.2.7 | Secure disposal or reuse of equipment | A.7.14 | Secure disposal or reuse of equipment | Physical |
| A.11.2.8 | Unattended user equipment | Merged into A.8.1 with A 6.2.1 | ||
| A.11.2.9 | Clear desk and clear screen policy | A.7.7 | Clear desk and clear screen | Physical |
| Operations Security | ||||
| A.12.1.1 | Documented operating procedures | A.5.37 | Documented operating procedures | Organizational |
| A.12.1.2 | Change management | A.8.32 | Change management | Technical |
| A.12.1.3 | Capacity management | A.8.6 | Capacity management | Technical |
| A.12.1.4 | Separation of development, testing, and operational environments | A.8.31 | Separation of development, test, and operational environments | Technical |
| A.12.2.1 | Controls against malware | A.8.7 | Protection against malware | Technical |
| A.12.3.1 | Information backup | A.8.13 | Information backup | Technical |
| A.12.4.1 | Event logging | A.8.15 | Logging | Technical |
| A.12.4.2 | Protection of log information | Merged into A.8.15 | ||
| A.12.4.3 | Administrator and operator logs | Merged into A.8.15 | ||
| New | A.8.16 | Monitoring activities | Technical | |
| A.12.4.4 | Clock Synchronization | A.8.17 | Clock Synchronization | Technical |
| A.12.5.1 | Installation of software on operational systems | A.8.19 | Installation of software on operational systems | Technical |
| A.12.6.1 | Management of technical vulnerabilities | A.8.8 | Management of technical vulnerabilities | Technical |
| New | A.8.9 | Configuration management | Technical | |
| New | A.8.10 | Information detection | Technical | |
| New | A.8.11 | Data masking | Technical | |
| New | A.8.12 | Data leakage prevention | Technical | |
| A.12.6.2 | Restrictions on software installation | Merged into A.8.19 with A.12.5.1 | ||
| A.12.7.1 | Information systems audit controls | A.8.34 | Protection of information systems during audit testing | Technical |
| Communications Security | ||||
| A.13.1.1 | Network controls | A.8.20 | Networks security | Technical |
| A.13.1.2 | Security of network services | A.8.21 | Security of network services | Technical |
| A.13.1.3 | Segregation in networks | A.8.22 | Segregation of networks | Technical |
| New | A.8.23 | Web filtering | Technical | |
| A.13.2.1 | Information transfer policies and procedures | A.5.14 | Information transfer | Organizational |
| A.13.2.2 | Agreements on information transfer | Merged into A.5.14 | ||
| A.13.2.3 | Electronic messaging | Merged into A.5.14 | ||
| A.13.2.4 | Confidentiality or nondisclosure agreements | A.6.6 | Confidentiality or nondisclosure agreements | People |
| System Acquisition, Development, and Maintenance | ||||
| A.14.1.1 | Information security requirements analysis and specification | Merged into A.5.8 with A.6.1.5 | ||
| A.14.1.2 | Securing application services on public networks | A.8.26 | Application security requirements | Technical |
| A.14.1.3 | Protecting application services transactions | Merged into A.8.26 | ||
| A.14.2.1 | Secure development policy | A.8.25 | Secure development policy | Technical |
| A.14.2.2 | System change control procedures | Merged into A.8.32 with A.12.1.2, A.14.2.3, and A.14.2.4 | ||
| A.14.2.3 | Technical review of applications after operating platform changes | Merged into A.8.32 with A.12.1.2, A.14.2.2, and A.14.2.4 | ||
| A.14.2.4 | Restriction on changes to software packages | Merged into A. 8.32 with A.12.1.2, A.14.2.2, and A.14.2.3 | ||
| A.14.2.5 | Secure system engineering packages | A.8.27 | Secure system architecture and engineering principles | Technical |
| A.14.2.6 | Secure development environment | Merged into A.8.31 with A.12.1.4 | ||
| New | A.8.28 | Secure coding | Technical | |
| A.14.2.7 | Outsourced development | A.8.30 | Outsourced development | Technical |
| A.14.2.8 | System security testing | A.8.29 | Security testing in development and acceptance | Technical |
| A.14.2.9 | System acceptance testing | Merged into A.8.29 with A.14.2.8 | ||
| A.14.3.1 | Protection of test data | A.8.33 | Test information | Technical |
| Supplier Relationships | ||||
| A.15.1.1 | Information security policy for supplier relationships | A.5.19 | Information security in supplier relationships | Organizational |
| A.15.1.2 | Addressing security within supplier agreements | A.5.20 | Addressing information security within supplier agreements | Organizational |
| A.15.1.3 | Information and communication technology supply chain | A.5.21 | Managing information security in the information and communication technology (ICT) supply chain | Organizational |
| A.15.2.1 | Monitoring and review of supplier services | A.5.22 | Monitoring, review, and change management of supplier services | Organizational |
| A.15.2.2 | Managing changes to supplier services | Merged into A.5.22 with A.15.2.1 | ||
| New | A.5.23 | Information security for use of cloud services | Organizational | |
| Information Security Incident Management | ||||
| A.16.1.1 | Responsibilities and procedures | A.5.24 | Information security incident management planning and preparation | Organizational |
| A.16.1.2 | Reporting information security events | A.6.8 | Information security event reporting | People |
| A.16.1.3 | Reporting information security weaknesses | Merged into A.6.8 with A.16.1.2 | ||
| A.16.1.4 | Assessment and decision on information security events | A.5.25 | Assessment and decision on information security events | Organizational |
| A.16.1.5 | Response to information security incidents | A.5.26 | Response to information security incidents | Organizational |
| A.16.1.6 | Learning from information security incidents | A.5.27 | Learning from information security incidents | Organizational |
| A.16.1.7 | Collection of evidence | A.5.28 | Collection of evidence | Organizational |
| Information Security Aspects of Business Continuity Management | ||||
| A.17.1.1 | Planning information security continuity | A.5.29 | Information security during disruption | Organizational |
| A.17.1.2 | Implementing information security continuity | Merged into A.5.29 with A.17.1.1 and A.17.1.3 | ||
| A.17.1.3 | Verify, review, and evaluate information security continuity | Merged into A.5.29 with A.17.1.1 and A.17.1.2 | ||
| New | A.5.30 | ICT readiness for business continuity | Organizational | |
| A.17.2.1 | Availability of information processing facilities | A.8.14 | Redundancy of information processing facilities | Technical |
| Compliance | ||||
| A.18.1.1 | Identification of applicable legislation and contractual requirements | A.5.31 | Legal, statutory, regulatory, and contractual requirements | Organizational |
| A.18.1.2 | Intellectual property rights | A.5.32 | Intellectual property rights | Organizational |
| A.18.1.3 | Protection of records | A.5.33 | Protection of records | Organizational |
| A.18.1.4 | Privacy and protection of personally identifiable information | A.5.34 | Privacy and protection of personally identifiable information | Organizational |
| A.18.1.5 | Regulation of cryptographic controls | Merged into A.5.31 with A.18.1.1 | ||
| Information Security Reviews | ||||
| A.18.2.1 | Independent review of information security | A.5.35 | Independent review of information security | Organizational |
| A.18.2.2 | Compliance with security policies and standards | A.5.36 | Compliance with policies, rules, and standards for information security | Organizational |
| A.18.2.3 | Technical compliance review | Merged into A.5.36 with A.18.2.2 | ||
