5 mins read

ISO 27001:2022- UPDATES

ISO 27001 is a globally recognised standard for managing information security. It sets out the criteria for an information security management system (ISMS). Over time, updates to the standard reflect evolving threats, technologies, and best practices in information security. The differences between ISO 27001:2013 and ISO 27001:2022 are part of the standard’s evolution, addressing the need for organisations to better manage and protect their information assets.

In this blog we will cover:

  1. What are the version differences?
  2. When do you need to transition?
  3. What are the 2024 amendments?


  • Structure and Terminology Updates:

ISO 27001:2022 continues to follow the high-level structure used by other ISO management system standards, making it easier to integrate with other ISO standards. However, it updates some terminologies and definitions to align with current practices and understanding.

  • Risk Management Enhancements:

The 2022 revision places a greater emphasis on risk management, not just for information security risks but also considering the broader context of organisational risks. This reflects a more holistic approach to risk management.

  • Control Set Revision:

The Annex A controls in ISO 27001:2013 have been revised and reorganised in the 2022 version. The number of controls has been reduced from 114 to 93, with some controls being merged and others updated to reflect current technology trends and threats. This includes considerations for cloud computing, Internet of Things (IoT), and other modern technologies.

  • Increased Flexibility:

ISO 27001:2022 offers organisations more flexibility in how they apply controls and manage their information security, recognising the diverse ways in which businesses operate and leverage technology today.

  • Attention to Cybersecurity Trends:

The latest revision addresses contemporary cybersecurity trends and threats, providing a more up-to-date framework for organisations to protect against breaches and cyber-attacks.

  • Threat Intelligence and Information Security Incidents:

Greater emphasis on the importance of threat intelligence and more detailed guidance on information security incident management.

  • Consideration for Privacy Concerns:

While ISO 27001 focuses on information security, the 2022 revision includes more explicit considerations for privacy issues, reflecting the increasing global concern over personal data protection.

  • Leadership and Commitment:

The new version places a stronger emphasis on the role of top management in leading and supporting the ISMS, highlighting the importance of leadership commitment to the success of information security initiatives.

Organisations seeking to certify or recertify to ISO 27001 should consider these updates to ensure their ISMS meets the current standard’s requirements. Transitioning to the updated standard will help organisations address modern security challenges and demonstrate their commitment to protecting information assets.


In Australia some organisation are also certified to a customised version of the ISO 27001 Information Security Management Systems Standard that includes additional controls from the Australian Government Information Security Manual to protect the People, Processes and IT Infrastructure.

The Right Fit For Risk Cyber Security Accreditation from the Department of Employment and Workplace Relations has mandated that all providers of employment skills training and disability employment services must be compliant to ISO 27001:2022 by April 2024 or risk losing certification.

As of April 2024, any organisations wishing to certifiy to ISO 27001 will only be able to certify to version ISO 270001:2022.

3. 2024 Amendment

Organisations will also need to consider the latest amendment. The amendment to ISO/IEC 27001:2022, titled AMD 1:2024, focuses on “Climate action changes” in the realm of information security, cybersecurity, and privacy protection.

This reflects an increasing recognition of the intersection between environmental sustainability and digital infrastructure, suggesting that organisations will need to consider their impact on climate within their information security practices.


With cyber criminals working harder and harder to overcome system protocols, the threat of cyber-crimes is on the rise and new threats are constantly emerging.It can seem difficult or even impossible to manage cyber-risks. ISO/IEC 27001 helps organisations become risk-aware and proactively identify and address weaknesses.ISO/IEC 27001 promotes a holistic approach to information security: vetting people, policies and technology. An information security management system implemented according to this standard is a tool for risk management, cyber-resilience and operational excellence.
Contact us for more information or to book in your AUDIT to ensure you continue to be Compliant

Contact Us

Sales Enquiries


Not a sales enquiry? Click here to view our office locations and contact details.
Chat with us