What’s the difference between ISO 27001:2013 vs. 2022?


When it comes to safeguarding sensitive information, ISO 27001 is a globally recognized standard for information security management. This standard helps organizations implement robust security measures to protect data from breaches and other risks. 

The latest certification, ISO 27001:2022, builds on its predecessor from 2013, with key updates designed to tackle today’s evolving cybersecurity landscape – particularly around cloud services, privacy protection, and threat intelligence. 

Understanding the differences between these two versions is essential for businesses aiming to stay ahead in data protection. Recently, PageProof achieved ISO 27001:2022 certification for its information security management system (ISMS).

In this article, we’ll explore the key differences between ISO 27001 version 2013 and 2022 and how these changes could impact your business, based on our own experience with the certification process.

What is ISO 27001?

ISO 27001 is a widely recognized framework that helps organizations identify and manage information security risks. 

By implementing an information security management system (ISMS) tailored to their needs, businesses can safeguard their data from potential threats. 

From small businesses to large corporations, this standard is used across a wide range of industries, allowing organizations to adapt their risk management processes as they grow and as security challenges change. 

ISO 27001 offers a clear and structured way to maintain control wherever information security is a priority.

Why was the ISO 27001:2022 update needed? 

The 2022 update to ISO 27001 aims to strengthen governance over security controls and help organizations address new and evolving threats.

As cybercrime becomes more advanced, being aware of potential vulnerabilities is crucial. The updated standard offers a clear guide for organizations to improve risk awareness and strengthen their defenses.

With software security now a top priority – second only to cost – ISO 27001:2022 helps businesses confidently protect their systems from emerging cyber risks.


Source: Gartner – Why Security Is a Priority for Software Buyers in 2024

Key differences between ISO 27001:2013 and ISO 27001:2022

The ISO 27001:2022 revisions, when compared with the 2013 version, introduce notable updates to improve clarity and address new security needs. But while the changes, particularly in Annex A, may appear significant at first, their overall impact remains moderate.

Here’s an in-depth comparison of the key updates.

Changes in the main clauses

The core structure of ISO 27001, consisting of 11 clauses, remains largely intact. 

However, subtle adjustments have been made to align the standard more closely with other ISO management frameworks, such as ISO 9001 and ISO 14001, particularly through the application of Annex SL.

  • Clause 4.2 – A new item (c) has been introduced, requiring an analysis of which interested party requirements must be addressed through the Information Security Management System (ISMS).
  • Clause 4.4 – An additional requirement has been included for planning processes and their interactions within the ISMS.
  • Clause 5.3 – Clarifies that communication of organizational roles and responsibilities should be conducted internally.
  • Clause 6.2 – Now includes a requirement (d) that emphasizes monitoring information security objectives.
  • Clause 6.3 – A completely new clause, outlining that changes within the ISMS must be planned in advance.
  • Clause 7.4 – A previous requirement (e) related to establishing communication processes has been removed.
  • Clause 8.1 – New criteria for security processes and their implementation have been added, while the requirement to implement plans for achieving objectives was removed.
  • Clause 9.3 – Now includes 9.3.2 (c), specifying that inputs from interested parties must be relevant to the ISMS.
  • Clause 10 – The structure has been modified, with “Continual improvement” now appearing as subclause 10.1, followed by “Nonconformity and corrective action” (10.2), though the text itself remains unchanged.

Annex A: reorganization and control updates

Annex A has seen the most visible transformation. The number of security controls has decreased from 114 to 93, and the 14 domains from the 2013 version have been consolidated into four thematic sections. 

However, the extent of the changes is more moderate than it appears.

  • Control consolidation: 57 controls have been merged, reducing the total number, yet maintaining the core requirements.
  • Renamed controls: 23 controls have been renamed, although their core elements remain the same.
  • Unchanged controls: 35 controls remain identical to those in the 2013 version.
  • Split controls: One control has been divided into two, though the overall requirements are unchanged.

New security controls have also been introduced to address modern security challenges, including threat intelligence, cloud security, and data protection. These additions reflect the growing importance of these areas in today’s security landscape.


The 11 new controls found in ISO 27001:2022.

Improved structure and focus

The new, simplified structure of Annex A groups security controls into four key themes, improving the accessibility and application of controls. 

This shift from 14 domains to a more condensed framework allows organizations to more easily integrate these controls into their existing security strategies, focusing on core areas of threat management, organizational security, and data protection.

Why PageProof is the best choice for enterprises

Being the first online proofing software to achieve ISO 27001:2022 certification showcases PageProof’s commitment to delivering a secure, seamless experience for businesses of all sizes. 

Our platform ensures that your proofs are protected and accessible only to authorized users, thanks to several key security features.

1. Patented triple-layer encryption

PageProof takes data security seriously with our patented triple-layer encryption process. Your proofs, comments, and attachments are fully encrypted before they leave your device, transmitted via an encrypted connection, and stored encrypted at rest. Only those with access to the proof can decrypt the content, ensuring maximum confidentiality without the complexity of key management.


PageProof’s patented triple-layer encryption in action.

2. Single sign-on (SSO) for your organization

With PageProof, your team can use Single Sign-On (SSO) to log in using the same credentials they use across other corporate applications. We support leading SSO providers such as Microsoft Azure Active Directory, Okta, Ping Identity, OneLogin, and G Suite, simplifying the login process and enhancing security with multi-factor authentication.

3. SCIM (system for cross-domain identity management)

SCIM allows seamless user provisioning within your organization. When a new team member is added to your SSO directory, they are automatically provisioned into your PageProof team, streamlining access management and ensuring security consistency across your organization.

4. Data sovereignty

PageProof automatically stores your data in one of 14 data regions. Storage regions as of 2024 include the following:

  • Australia
  • Brazil
  • Canada
  • France
  • Germany
  • Japan
  • Norway
  • South Africa
  • United Arab Emirates
  • United States – Central
  • United States – East
  • United States – South Central
  • United States – West
  • United Kingdom

The enterprise plan allows you to nominate your data storage region – ensuring your data resides in your region of choice rather than scattered over multiple regions. PageProof maintains at least a primary and secondary storage location within a single region.


World map displaying the fourteen data sovereignty locations available with PageProof.

5. Regular penetration tests and monitoring

PageProof is regularly penetration tested (for those unfamiliar with the term, penetration testing is often described as ‘ethical hacking’) by a world-class independent specialist testing organization that uses the OWASP penetration testing framework. In addition, vulnerability scanning takes place monthly.

6. Feel secure with Microsoft Azure

Built on the Microsoft Azure cloud platform, PageProof benefits from Azure’s SOC 2 Type 2 compliance and industry-leading ISO certifications. This partnership allows us to deliver a highly secure, reliable service that meets the highest standards of information security.


How secure is Microsoft Azure?

PageProof’s commitment to security is unwavering, which is why we partnered with one of the world’s most secure hosting providers – Microsoft Azure. 

Microsoft Azure also meets the highest standards of data protection and has achieved a range of industry-leading certifications, including:

  • ISO/IEC 27001
  • ISO/IEC 27018, CSA CCM
  • FIPS 140-2
  • PCI DSS Level 1
  • NZ GCIO (New Zealand)
  • UK G-Cloud (United Kingdom)
  • MLPS/TCS CCCPPF (China)
  • MTCS SS (Singapore)
  • IRAP (Australia)

Stay ahead in data protection

ISO 27001:2022 introduces key updates from its 2013 predecessor, including a streamlined control structure and new controls addressing emerging threats. Staying up to date with the latest standards is vital for robust security for your business.

PageProof exemplifies this commitment to security, offering advanced features and certifications tailored for high-security needs across the globe. Our platform also meets the rigorous demands of sectors in which security measures are crucial to protecting sensitive information, maintaining trust, and ensuring the integrity and smooth operation of systems and services.

For a powerful and secure proofing solution, choose PageProof for your enterprise’s needs.

Julia Schonrock
Julia is the Marketing Manager at PageProof. She has been immersed in developing insight-led marketing strategies for over two decades and deeply understands the challenges brands face in today’s world.