ISO/IEC 27001:2013 & ISO/IEC 27001:2022 Comparison

The 2022 version of ISO/IEC 27001, the standard that defines the requirements for an information security management system (ISMS), was published on 25 October 2022. ANAB-accredited certification bodies will have 12 months from the last day of the publication month of ISO/IEC 27001:2022 (i.e., 31 October 2023) to transition to ISO/IEC 27001:2022. Organizations will have 36 months from the last day of the publication month (i.e., 31 October 2025) to transition to the new version of the standard.

Several clauses were reworded or reordered in ISO/IEC 27001:2022. There are few new requirements in clauses 4-10; however, the change in clause 4.4 will significantly affect how an organization manages its ISMS. New requirements include:

  • Clause 3 – added links to the ISO and IEC terminology databases
  • Clause 4.2(c) – added a new bullet
  • Clause 4.4 – added a requirement to establish, implement, maintain, and continually improve processes and their interactions
  • Clause 5.1 – added a Note to clarify the term “business”
  • Clause 6.3 – added a new section, “Planning of Changes”

ISO/IEC 27001:2022 has 93 controls, compared to 114 controls in ISO/IEC 27001:2013. There are 11 new controls in the 2022 version of the standard, and 56 controls from ISO/IEC 27001:2013 have been merged into 24 controls in ISO/IEC 27001:2022. Many of the controls in the 2022 version have undergone some form of text change. The 93 controls are divided into 4 themes:

  • Organizational
    • 3 new
    • 28 merged
  • People
    • No new controls
    • 2 merged controls
  • Physical
    • 1 new
    • 5 merged
  • Technical
    • 7 new
    • 21 merged

Below is a matrix that outlines the differences between ISO/IEC 27001:2013 and ISO/IEC 27001:2022.

| Clause | ISO/IEC 27001:2013 | Clause | ISO/IEC 27001:2022 | Change |
|---|---|---|---|---|
| 1 | This International Standard specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. | 1 | This document specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. | The term “International Standard” is replaced with “document” throughout the standard. The change occurs 4 times in clause 1. Clause is reworded. |
| 2 | The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. | 2 | The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. | Clause is reworded. |
| 3 | | 3 | ISO and IEC maintain terminology databases for use in standardization at the following addresses: ISO Online browsing platform: available at https://www.iso.org/obp; IEC Electropedia: available at https://www.electropedia.org/ | Added language and database links. |
| 4.1 | NOTE Determining these issues refers to establishing the external and internal context of the organization considered in Clause 5.3 of ISO 31000:2009. | 4.1 | NOTE Determining these issues refers to establishing the external and internal context of the organization considered in Clause 5.4.1 of ISO 31000:2018. | Updated note to reference clause 5.4.1 of ISO 31000:2018. |
| 4.2 (b) | The organization shall determine: … b) the requirements of these interested parties relevant to information security. | 4.2 (b) | The organization shall determine: … b) the relevant requirements of these interested parties. | Clause is reworded. |
| 4.2 | | 4.2 (c) | c) which of these requirements will be addressed through the information security management system. | New clause. |
| 4.2 | NOTE The requirements of interested parties may include legal and regulatory requirements and contractual obligations. | 4.2 | NOTE The requirements of interested parties can include legal and regulatory requirements and contractual obligations. | Changed “may” to “can”. |
| 4.4 | The organization shall establish, implement, maintain and continually improve an information security management system, in accordance with the requirements of this International Standard. | 4.4 | The organization shall establish, implement, maintain and continually improve an information security management system, including the processes needed and their interactions, in accordance with the requirements of this document. | Added “including the processes needed and their interactions.” Organizations must now establish, implement, maintain, and continually improve processes and their interactions. |
| 5.1 | | 5.1 | NOTE Reference to “business” in this document can be interpreted broadly to mean those activities that are core to the purposes of the organization’s existence. | Added note. |
| 5.2 | c) includes a commitment to satisfy applicable requirements related to information security; and | 5.2 | c) includes a commitment to satisfy applicable requirements related to information security; | Removed the word “and” from the end of the sentence. |
| 5.3 | Top management shall ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated. | 5.3 | Top management shall ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated within the organization. | Added “within the organization.” |
| 5.3 | a) ensuring that the information security management system conforms to the requirements of this International Standard; and | 5.3 | a) ensuring that the information security management system conforms to the requirements of this document | Replaced “International Standard” with “document.” Deleted “and” at the end of the clause. |
| 6.1.1 | b) prevent, or reduce, undesired effects; and | 6.1.1 | b) prevent, or reduce, undesired effects | The word “and” was removed from the end of the clause. |
| 6.1.3(b) | NOTE Organizations can design controls as required, or identify them from any source. | 6.1.3(b) | NOTE 1 Organizations can design controls as required, or identify them from any source. | “Note” is now “Note 1.” |
| 6.1.3(c) | NOTE 1 Annex A contains a comprehensive list of control objectives and controls. Users of this International Standard are directed to Annex A to ensure that no necessary controls are overlooked. | 6.1.3(c) | NOTE 2 Annex A contains a list of possible information security controls. Users of this document are directed to Annex A to ensure that no necessary information security controls are overlooked. | Note 1 is now Note 2. The description of Annex A is changed from “a comprehensive list of control objectives and controls” to “a list of possible information security controls.” “International Standard” is replaced with “document.” “Controls” in the last sentence is replaced with “information security controls.” |
| 6.1.3(c) | NOTE 2 Control objectives are implicitly included in the controls chosen. The control objectives and controls listed in Annex A are not exhaustive and additional control objectives and controls may be needed. | 6.1.3(c) | NOTE 3 The information security controls listed in Annex A are not exhaustive and additional information security controls can be included if needed. | Note 2 is now Note 3. “Control objectives are implicitly included in the controls chosen” is deleted. “Control objectives” in the second sentence is deleted. “Additional control objectives and controls may be needed” is changed to “additional information security controls can be included if needed.” “Controls” is changed to “information security controls.” |
| 6.1.3(d) | whether they are implemented or not | 6.1.3(d) | whether the necessary controls are implemented or not | Changed “they” to “the necessary controls.” |
| 6.1.3(d) | the justification for exclusions of controls from Annex A; | 6.1.3(d) | d) produce a Statement of Applicability that contains: the necessary controls (see 6.1.3 b) and c)); justification for their inclusion; whether the necessary controls are implemented or not; and the justification for excluding any of the Annex A controls | Clause is reworded. |
| 6.1.3 | NOTE The information security risk assessment and treatment process in this International Standard aligns with the principles and generic guidelines provided in ISO 31000. | 6.1.3 | NOTE 4 The information security risk assessment and treatment process in this document aligns with the principles and generic guidelines provided in ISO 31000. | Note is now Note 4. “International Standard” is replaced with “document.” |
| 6.2(d) | d) be communicated; and | 6.2(d) | d) be monitored | Changed from “be communicated” to “be monitored.” Deleted “and” at the end of the sentence. |
| 6.2(e) | e) be updated as appropriate | 6.2(e) | e) be communicated; | Changed from “be updated as appropriate” to “be communicated.” |
| 6.2 | | 6.2(f) | f) be updated as appropriate; | New requirement. |
| 6.2 | | 6.2(g) | g) be available as documented information. | New requirement. |
| 6.2 | When planning how to achieve its information security objectives, the organization shall determine: f) what will be done; g) what resources will be required; h) who will be responsible; i) when it will be completed; and j) how the results will be evaluated. | 6.2 | When planning how to achieve its information security objectives, the organization shall determine: h) what will be done; i) what resources will be required; j) who will be responsible; k) when it will be completed; and l) how the results will be evaluated. | The 2022 version re-orders the information security objective list: item f) becomes item h); item g) becomes item i); item h) becomes item j); item i) becomes item k); item j) becomes item l). Note: although the items are re-ordered because of the bullet points added in the clause above, the language was not changed. |
| 6.3 | | 6.3 | Planning of Changes | A new section 6.3, entitled “Planning of changes,” is added to the 2022 version. |
| 6.3 | | 6.3 | “When the organization determines the need for changes to the information security management system, the changes shall be carried out in a planned manner.” | A new section 6.3 is added to the 2022 version. The text of the new section is provided in quotes. |
| 7.2 | NOTE Applicable actions may include, for example: the provision of training to, the mentoring of, or the reassignment of current employees; or the hiring or contracting of competent persons. | 7.2 | NOTE Applicable actions can include, for example: the provision of training to, the mentoring of, or the reassignment of current employees; or the hiring or contracting of competent persons. | The word “may” changed to “can.” |
| 7.4 | The organization shall determine the need for internal and external communications relevant to the information security management system including: a) on what to communicate; b) when to communicate; c) with whom to communicate; d) who shall communicate; and e) the processes by which communication shall be effected. | 7.4 | The organization shall determine the need for internal and external communications relevant to the information security management system including: a) on what to communicate; b) when to communicate; c) with whom to communicate; d) how to communicate. | The 2022 version rewords and re-orders the communication list: d) is reworded from “who shall communicate” to “how to communicate,” and e) “the processes by which communication shall be effected” is removed. |
| 7.5.1 | The organization’s information security management system shall include: a) documented information required by this International Standard; and | 7.5.1 | The organization’s information security management system shall include: a) documented information required by this document; and | The term “International Standard” is replaced with the word “document.” |
| 7.5.3 | Documented information required by the information security management system and by this International Standard shall be controlled to ensure: | 7.5.3 | Documented information required by the information security management system and by this document shall be controlled to ensure: | The term “International Standard” is replaced with the word “document.” |
| 7.5.3 | NOTE Access implies a decision regarding the permission to view the documented information only, or the permission and authority to view and change the documented information, etc. | 7.5.3 | NOTE Access can imply a decision regarding the permission to view the documented information only, or the permission and authority to view and change the documented information, etc. | “Access implies a decision …” was reworded to “Access can imply a decision …” |
| 8.1 | The organization shall plan, implement and control the processes needed to meet information security requirements, and to implement the actions determined in 6.1. The organization shall also implement plans to achieve information security objectives determined in 6.2. | 8.1 | The organization shall plan, implement and control the processes needed to meet requirements, and to implement the actions determined in Clause 6, by: establishing criteria for the processes; implementing control of the processes in accordance with the criteria. | The phrase “needed to meet information security requirements …” was reworded to “needed to meet requirements …” The phrase “to implement the actions determined in 6.1” was reworded to “to implement the actions determined in Clause 6 …” The sentence “The organization shall also implement plans to achieve information security objectives determined in 6.2” was removed. The 2022 version clarifies implementation of actions by adding the following language: “establishing criteria for the processes; implementing control of the processes in accordance with the criteria.” |
| 8.1 | The organization shall keep documented information to the extent necessary to have confidence that the processes have been carried out as planned. | 8.1 | Documented information shall be available to the extent necessary to have confidence that the processes have been carried out as planned. | In this sentence, the phrase “the organization shall keep documented information …” was reworded to “documented information shall be available …” |
| 8.1 | The organization shall ensure that outsourced processes are determined and controlled. | 8.1 | The organization shall ensure that externally provided processes, products or services that are relevant to the information security management system are controlled. | The scope is widened from “outsourced processes” to “externally provided processes, products or services that are relevant to the information security management system.” |
| 9.1 | The organization shall evaluate the information security performance and the effectiveness of the information security management system. | 9.1 | The organization shall evaluate the information security performance and the effectiveness of the information security management system. | This sentence was moved. It was the first sentence under section 9.1 in the 2013 version; it is now the last sentence under section 9.1 in the 2022 version. |
| 9.1(b) | The organization shall determine: … b) the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results; NOTE The methods selected should produce comparable and reproducible results to be considered valid. | 9.1(b) | The organization shall determine: … b) the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results. The methods selected should produce comparable and reproducible results to be considered valid; | The Note in the 2013 version is removed and its language is made part of item (b) in the 2022 version. |
| 9.1(e) | when the results from monitoring and measurement shall be analyzed and evaluated; and | 9.1(e) | when the results from monitoring and measurement shall be analyzed and evaluated; | The word “and” was removed. |
| 9.1 | The organization shall retain appropriate documented information as evidence of the monitoring and measurement results. | 9.1 | Documented information shall be available as evidence of the results. | The sentence was reworded. |
| 9.2 | No sub-sections | 9.2 | Subsections include: 9.2.1 General; 9.2.2 Internal audit program | Added sub-sections. |
| 9.2.1(a)(2) | 2) the requirements of this International Standard. | 9.2.1(a)(2) | a) conforms to … 2) the requirements of this document. | “International Standard” is replaced with the word “document.” |
| 9.2 | The organization shall: c) plan, establish, implement and maintain an audit program(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit program(s) shall take into consideration the importance of the processes concerned and the results of previous audits; d) define the audit criteria and scope for each audit; e) select auditors and conduct audits that ensure objectivity and the impartiality of the audit process; f) ensure that the results of the audits are reported to relevant management; and g) retain documented information as evidence of the audit program(s) and the audit results. | 9.2.2 | The organization shall plan, establish, implement and maintain an audit program(s), including the frequency, methods, responsibilities, planning requirements and reporting. When establishing the internal audit program(s), the organization shall consider the importance of the processes concerned and the results of previous audits. The organization shall: a) define the audit criteria and scope for each audit; b) select auditors and conduct audits that ensure objectivity and the impartiality of the audit process; c) ensure that the results of the audits are reported to relevant management. Documented information shall be available as evidence of the implementation of the audit program(s) and the audit results. | The 2022 version places this requirement under a new subsection heading (“Internal audit program”). “The audit program(s) shall take into consideration the importance of the processes concerned and the results of previous audits” was reworded to “When establishing the internal audit program(s), the organization shall consider the importance of the processes concerned and the results of previous audits.” The 2022 version adds the phrase “The organization shall …,” which is necessary because of the new subsection. The internal audit requirement list is re-ordered: item d) becomes item a); item e) becomes item b); item f) becomes item c); item g) is no longer a listed item but a separate, stand-alone sentence. |
| 9.3 | No sub-sections | 9.3.1, 9.3.2, 9.3.3 | Subsections include: 9.3.1 General; 9.3.2 Management review inputs; 9.3.3 Management review results | Added sub-sections. |
| 9.3(c)(3) | audit results; and | 9.3.2(d)(3) | audit results; | Removed the word “and.” |
| 9.3(e) | results of risk assessment and status of risk treatment plan; and | 9.3.2(f) | results of risk assessment and status of risk treatment plan; | Removed the word “and.” |
| 9.3 | The outputs of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system. The organization shall retain documented information as evidence of the results of management reviews. | 9.3.3 | The results of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system. Documented information shall be available as evidence of the results of management reviews. | Clause is reworded. |
| 10 | Subsections were: 10.1 Nonconformity and corrective action; 10.2 Continual improvement | 10 | Subsections are now: 10.1 Continual improvement; 10.2 Nonconformity and corrective action | Sub-sections reversed. |
| 10.1(a)(1) | Related to a nonconformity, an organization must “take action to control and correct it; and” | 10.2(a)(1) | Related to a nonconformity, an organization must “take action to control and correct it;” | Removed the word “and” at the end of the clause. |
| 10.1 | The organization shall retain documented information as evidence of: f) the nature of the nonconformities and any subsequent actions taken, and g) the results of any corrective action. | 10.2 | Documented information shall be available as evidence of: f) the nature of the nonconformities and any subsequent actions taken, g) the results of any corrective action. | Clause is reworded. |
Annex A Controls

Each table below lists the ISO/IEC 27001:2013 controls of one 2013 domain, the ISO/IEC 27001:2022 control they map to, and the 2022 theme. “New” marks a control with no 2013 equivalent; “Merged into” rows name the 2022 control that absorbed the 2013 control.

Access Control

| 2013 Control | 2013 Title | 2022 Control | 2022 Title | Theme |
|---|---|---|---|---|
| A.5.1.1 | Policies for information security | A.5.1 | Policies for information security | Organizational |
| A.5.1.2 | Review of the policies for information security | A.5.1 | Merged into A.5.1 | |

Organization of Information

| 2013 Control | 2013 Title | 2022 Control | 2022 Title | Theme |
|---|---|---|---|---|
| A.6.1.1 | Information security roles and responsibilities | A.5.2 | Information security roles and responsibilities | Organizational |
| A.6.1.2 | Segregation of duties | A.5.3 | Segregation of duties | Organizational |
| A.6.1.3 | Contact with authorities | A.5.5 | Contact with authorities | Organizational |
| A.6.1.4 | Contact with special interest groups | A.5.6 | Contact with special interest groups | Organizational |
| New | | A.5.7 | Threat intelligence | Organizational |
| A.6.1.5 | Information security in project management | A.5.8 | Information security in project management | Organizational |
| A.6.2.1 | Mobile device policy | A.8.1 | User end point devices | Technical |
| A.6.2.2 | Teleworking | A.6.7 | Remote working | People |

Human Resource Security

| 2013 Control | 2013 Title | 2022 Control | 2022 Title | Theme |
|---|---|---|---|---|
| A.7.1.1 | Screening | A.6.1 | Screening | People |
| A.7.1.2 | Terms and conditions of employment | A.6.2 | Terms and conditions of employment | People |
| A.7.2.1 | Management responsibilities | A.5.4 | Management responsibilities | Organizational |
| A.7.2.2 | Information security awareness, education, and training | A.6.3 | Information security awareness, education, and training | People |
| A.7.2.3 | Disciplinary process | A.6.4 | Disciplinary process | People |
| A.7.3.1 | Termination or change of employment responsibilities | A.6.5 | Termination or change of employment responsibilities | People |

Asset Management

| 2013 Control | 2013 Title | 2022 Control | 2022 Title | Theme |
|---|---|---|---|---|
| A.8.1.1 | Inventory of assets | A.5.9 | Inventory of information and other associated assets | Organizational |
| A.8.1.2 | Ownership of assets | A.5.9 | Merged into A.5.9 | |
| A.8.1.3 | Acceptable use of assets | A.5.10 | Acceptable use of information and other associated assets | Organizational |
| A.8.1.4 | Return of assets | A.5.11 | Return of assets | Organizational |
| A.8.2.1 | Classification of information | A.5.12 | Classification of information | Organizational |
| A.8.2.2 | Labeling of information | A.5.13 | Labeling of information | Organizational |
| A.8.2.3 | Handling of assets | A.5.10 | Merged into A.5.10 | |
| A.8.3.1 | Management of removable media | A.7.10 | Storage media | Physical |
| A.8.3.2 | Disposal of media | A.7.10 | Merged into A.7.10 | |
| A.8.3.3 | Physical media transfer | A.7.10 | Merged into A.7.10 | |

Access Control

| 2013 Control | 2013 Title | 2022 Control | 2022 Title | Theme |
|---|---|---|---|---|
| A.9.1.1 | Access control policy | A.5.15 | Access control | Organizational |
| A.9.1.2 | Access to networks and network services | A.5.15 | Merged into A.5.15 | |
| A.9.2.1 | User registration and de-registration | A.5.16 | Identity management | Organizational |
| A.9.2.2 | User access provisioning | A.5.18 | Access rights | Organizational |
| A.9.2.3 | Management of privileged access rights | A.8.2 | Privileged access rights | Technical |
| A.9.2.4 | Management of secret authentication information of users | A.5.17 | Authentication information | Organizational |
| A.9.2.5 | Review of user access rights | A.5.18 | Merged into A.5.18 | |
| A.9.2.6 | Removal or adjustment of access rights | A.5.18 | Merged into A.5.18 | |
| A.9.3.1 | Use of secret authentication information | A.5.17 | Merged into A.5.17 | |
| A.9.4.1 | Information access restriction | A.8.3 | Information access restriction | Technical |
| A.9.4.2 | Secure log-in procedures | A.8.5 | Secure authentication | Technical |
| A.9.4.3 | Password management system | A.5.17 | Merged into A.5.17 | |
| A.9.4.4 | Use of privileged utility programs | A.8.18 | Use of privileged utility programs | Technical |
| A.9.4.5 | Access control to program source code | A.8.4 | Access to source code | Technical |

Cryptography

| 2013 Control | 2013 Title | 2022 Control | 2022 Title | Theme |
|---|---|---|---|---|
| A.10.1.1 | Policy on the use of cryptographic controls | A.8.24 | Use of cryptography | Technical |
| A.10.1.2 | Key management | A.8.24 | Merged into A.8.24 with A.10.1.1 | |

Physical and Environmental Controls

| 2013 Control | 2013 Title | 2022 Control | 2022 Title | Theme |
|---|---|---|---|---|
| A.11.1.1 | Physical security perimeter | A.7.1 | Physical security perimeters | Physical |
| A.11.1.2 | Physical entry controls | A.7.2 | Physical entry | Physical |
| A.11.1.3 | Securing offices, rooms, and facilities | A.7.3 | Securing offices, rooms, and facilities | Physical |
| New | | A.7.4 | Physical security monitoring | Physical |
| A.11.1.4 | Protecting against external and environmental threats | A.7.5 | Protecting against external and environmental threats | Physical |
| A.11.1.5 | Working in secure areas | A.7.6 | Working in secure areas | Physical |
| A.11.1.6 | Delivery and loading areas | A.7.2 | Merged into A.7.2 with A.11.1.2 | |
| A.11.2.1 | Equipment siting and protection | A.7.8 | Equipment siting and protection | Physical |
| A.11.2.2 | Supporting utilities | A.7.11 | Supporting utilities | Physical |
| A.11.2.3 | Cabling security | A.7.12 | Cabling security | Physical |
| A.11.2.4 | Equipment maintenance | A.7.13 | Equipment maintenance | Physical |
| A.11.2.5 | Removal of assets | A.7.10 | Merged into A.7.10 | |
| A.11.2.6 | Security of equipment and assets off-premises | A.7.9 | Security of assets off-premises | Physical |
| A.11.2.7 | Secure disposal or reuse of equipment | A.7.14 | Secure disposal or reuse of equipment | Physical |
| A.11.2.8 | Unattended user equipment | A.8.1 | Merged into A.8.1 with A.6.2.1 | |
| A.11.2.9 | Clear desk and clear screen policy | A.7.7 | Clear desk and clear screen | Physical |

Operations Security

| 2013 Control | 2013 Title | 2022 Control | 2022 Title | Theme |
|---|---|---|---|---|
| A.12.1.1 | Documented operating procedures | A.5.37 | Documented operating procedures | Organizational |
| A.12.1.2 | Change management | A.8.32 | Change management | Technical |
| A.12.1.3 | Capacity management | A.8.6 | Capacity management | Technical |
| A.12.1.4 | Separation of development, testing, and operational environments | A.8.31 | Separation of development, test, and operational environments | Technical |
| A.12.2.1 | Controls against malware | A.8.7 | Protection against malware | Technical |
| A.12.3.1 | Information backup | A.8.13 | Information backup | Technical |
| A.12.4.1 | Event logging | A.8.15 | Logging | Technical |
| A.12.4.2 | Protection of log information | A.8.15 | Merged into A.8.15 | |
| A.12.4.3 | Administrator and operator logs | A.8.15 | Merged into A.8.15 | |
| New | | A.8.16 | Monitoring activities | Technical |
| A.12.4.4 | Clock synchronization | A.8.17 | Clock synchronization | Technical |
| A.12.5.1 | Installation of software on operational systems | A.8.19 | Installation of software on operational systems | Technical |
| A.12.6.1 | Management of technical vulnerabilities | A.8.8 | Management of technical vulnerabilities | Technical |
| New | | A.8.9 | Configuration management | Technical |
| New | | A.8.10 | Information deletion | Technical |
| New | | A.8.11 | Data masking | Technical |
| New | | A.8.12 | Data leakage prevention | Technical |
| A.12.6.2 | Restrictions on software installation | A.8.19 | Merged into A.8.19 with A.12.5.1 | |
| A.12.7.1 | Information systems audit controls | A.8.34 | Protection of information systems during audit testing | Technical |

Communications Security

| 2013 Control | 2013 Title | 2022 Control | 2022 Title | Theme |
|---|---|---|---|---|
| A.13.1.1 | Network controls | A.8.20 | Networks security | Technical |
| A.13.1.2 | Security of network services | A.8.21 | Security of network services | Technical |
| A.13.1.3 | Segregation in networks | A.8.22 | Segregation of networks | Technical |
| New | | A.8.23 | Web filtering | Technical |
| A.13.2.1 | Information transfer policies and procedures | A.5.14 | Information transfer | Organizational |
| A.13.2.2 | Agreements on information transfer | A.5.14 | Merged into A.5.14 | |
| A.13.2.3 | Electronic messaging | A.5.14 | Merged into A.5.14 | |
| A.13.2.4 | Confidentiality or nondisclosure agreements | A.6.6 | Confidentiality or nondisclosure agreements | People |

System Acquisition, Development, and Maintenance

| 2013 Control | 2013 Title | 2022 Control | 2022 Title | Theme |
|---|---|---|---|---|
| A.14.1.1 | Information security requirements analysis and specification | A.5.8 | Merged into A.5.8 with A.6.1.5 | |
| A.14.1.2 | Securing application services on public networks | A.8.26 | Application security requirements | Technical |
| A.14.1.3 | Protecting application services transactions | A.8.26 | Merged into A.8.26 | |
| A.14.2.1 | Secure development policy | A.8.25 | Secure development policy | Technical |
| A.14.2.2 | System change control procedures | A.8.32 | Merged into A.8.32 with A.12.1.2, A.14.2.3, and A.14.2.4 | |
| A.14.2.3 | Technical review of applications after operating platform changes | A.8.32 | Merged into A.8.32 with A.12.1.2, A.14.2.2, and A.14.2.4 | |
| A.14.2.4 | Restriction on changes to software packages | A.8.32 | Merged into A.8.32 with A.12.1.2, A.14.2.2, and A.14.2.3 | |
| A.14.2.5 | Secure system engineering principles | A.8.27 | Secure system architecture and engineering principles | Technical |
| A.14.2.6 | Secure development environment | A.8.31 | Merged into A.8.31 with A.12.1.4 | |
| New | | A.8.28 | Secure coding | Technical |
| A.14.2.7 | Outsourced development | A.8.30 | Outsourced development | Technical |
| A.14.2.8 | System security testing | A.8.29 | Security testing in development and acceptance | Technical |
| A.14.2.9 | System acceptance testing | A.8.29 | Merged into A.8.29 with A.14.2.8 | |
| A.14.3.1 | Protection of test data | A.8.33 | Test information | Technical |

Supplier Relationships

| 2013 Control | 2013 Title | 2022 Control | 2022 Title | Theme |
|---|---|---|---|---|
| A.15.1.1 | Information security policy for supplier relationships | A.5.19 | Information security in supplier relationships | Organizational |
| A.15.1.2 | Addressing security within supplier agreements | A.5.20 | Addressing information security within supplier agreements | Organizational |
| A.15.1.3 | Information and communication technology supply chain | A.5.21 | Managing information security in the information and communication technology (ICT) supply chain | Organizational |
| A.15.2.1 | Monitoring and review of supplier services | A.5.22 | Monitoring, review, and change management of supplier services | Organizational |
| A.15.2.2 | Managing changes to supplier services | A.5.22 | Merged into A.5.22 with A.15.2.1 | |
| New | | A.5.23 | Information security for use of cloud services | Organizational |

Information Security Incident Management

| 2013 Control | 2013 Title | 2022 Control | 2022 Title | Theme |
|---|---|---|---|---|
| A.16.1.1 | Responsibilities and procedures | A.5.24 | Information security incident management planning and preparation | Organizational |
| A.16.1.2 | Reporting information security events | A.6.8 | Information security event reporting | People |
| A.16.1.3 | Reporting information security weaknesses | A.6.8 | Merged into A.6.8 with A.16.1.2 | |
| A.16.1.4 | Assessment and decision on information security events | A.5.25 | Assessment and decision on information security events | Organizational |
| A.16.1.5 | Response to information security incidents | A.5.26 | Response to information security incidents | Organizational |
| A.16.1.6 | Learning from information security incidents | A.5.27 | Learning from information security incidents | Organizational |
| A.16.1.7 | Collection of evidence | A.5.28 | Collection of evidence | Organizational |

Information Security Aspects of Business Continuity Management

| 2013 Control | 2013 Title | 2022 Control | 2022 Title | Theme |
|---|---|---|---|---|
| A.17.1.1 | Planning information security continuity | A.5.29 | Information security during disruption | Organizational |
| A.17.1.2 | Implementing information security continuity | A.5.29 | Merged into A.5.29 with A.17.1.1 and A.17.1.3 | |
| A.17.1.3 | Verify, review, and evaluate information security continuity | A.5.29 | Merged into A.5.29 with A.17.1.1 and A.17.1.2 | |
| New | | A.5.30 | ICT readiness for business continuity | Organizational |
| A.17.2.1 | Availability of information processing facilities | A.8.14 | Redundancy of information processing facilities | Technical |

Compliance

| 2013 Control | 2013 Title | 2022 Control | 2022 Title | Theme |
|---|---|---|---|---|
| A.18.1.1 | Identification of applicable legislation and contractual requirements | A.5.31 | Legal, statutory, regulatory, and contractual requirements | Organizational |
| A.18.1.2 | Intellectual property rights | A.5.32 | Intellectual property rights | Organizational |
| A.18.1.3 | Protection of records | A.5.33 | Protection of records | Organizational |
| A.18.1.4 | Privacy and protection of personally identifiable information | A.5.34 | Privacy and protection of personally identifiable information | Organizational |
| A.18.1.5 | Regulation of cryptographic controls | A.5.31 | Merged into A.5.31 with A.18.1.1 | |

Information Security Reviews

| 2013 Control | 2013 Title | 2022 Control | 2022 Title | Theme |
|---|---|---|---|---|
| A.18.2.1 | Independent review of information security | A.5.35 | Independent review of information security | Organizational |
| A.18.2.2 | Compliance with security policies and standards | A.5.36 | Compliance with policies, rules, and standards for information security | Organizational |
| A.18.2.3 | Technical compliance review | A.5.36 | Merged into A.5.36 with A.18.2.2 | |
