Key Differences between ISO 27001:2022 and 27001:2013

Annex A Control Type	ISO/IEC 27001:2022 Annex A Identifier	ISO/IEC 27001:2013 Annex A Identifier	Annex A Name
Organisational Controls	Annex A 5.1	Annex A 5.1.1 Annex A 5.1.2	Policies for Information Security
Organisational Controls	Annex A 5.2	Annex A 6.1.1	Information Security Roles and Responsibilities
Organisational Controls	Annex A 5.3	Annex A 6.1.2	Segregation of Duties
Organisational Controls	Annex A 5.4	Annex A 7.2.1	Management Responsibilities
Organisational Controls	Annex A 5.5	Annex A 6.1.3	Contact With Authorities
Organisational Controls	Annex A 5.6	Annex A 6.1.4	Contact With Special Interest Groups
Organisational Controls	Annex A 5.7	NEW	Threat Intelligence
Organisational Controls	Annex A 5.8	Annex A 6.1.5 Annex A 14.1.1	Information Security in Project Management
Organisational Controls	Annex A 5.9	Annex A 8.1.1 Annex A 8.1.2	Inventory of Information and Other Associated Assets
Organisational Controls	Annex A 5.10	Annex A 8.1.3 Annex A 8.2.3	Acceptable Use of Information and Other Associated Assets
Organisational Controls	Annex A 5.11	Annex A 8.1.4	Return of Assets
Organisational Controls	Annex A 5.12	Annex A 8.2.1	Classification of Information
Organisational Controls	Annex A 5.13	Annex A 8.2.2	Labelling of Information
Organisational Controls	Annex A 5.14	Annex A 13.2.1 Annex A 13.2.2 Annex A 13.2.3	Information Transfer
Organisational Controls	Annex A 5.15	Annex A 9.1.1 Annex A 9.1.2	Access Control
Organisational Controls	Annex A 5.16	Annex A 9.2.1	Identity Management
Organisational Controls	Annex A 5.17	Annex A 9.2.4 Annex A 9.3.1 Annex A 9.4.3	Authentication Information
Organisational Controls	Annex A 5.18	Annex A 9.2.2 Annex A 9.2.5 Annex A 9.2.6	Access Rights
Organisational Controls	Annex A 5.19	Annex A 15.1.1	Information Security in Supplier Relationships
Organisational Controls	Annex A 5.20	Annex A 15.1.2	Addressing Information Security Within Supplier Agreements
Organisational Controls	Annex A 5.21	Annex A 15.1.3	Managing Information Security in the ICT Supply Chain
Organisational Controls	Annex A 5.22	Annex A 15.2.1 Annex A 15.2.2	Monitoring, Review and Change Management of Supplier Services
Organisational Controls	Annex A 5.23	NEW	Information Security for Use of Cloud Services
Organisational Controls	Annex A 5.24	Annex A 16.1.1	Information Security Incident Management Planning and Preparation
Organisational Controls	Annex A 5.25	Annex A 16.1.4	Assessment and Decision on Information Security Events
Organisational Controls	Annex A 5.26	Annex A 16.1.5	Response to Information Security Incidents
Organisational Controls	Annex A 5.27	Annex A 16.1.6	Learning From Information Security Incidents
Organisational Controls	Annex A 5.28	Annex A 16.1.7	Collection of Evidence
Organisational Controls	Annex A 5.29	Annex A 17.1.1 Annex A 17.1.2 Annex A 17.1.3	Information Security During Disruption
Organisational Controls	Annex A 5.30	NEW	ICT Readiness for Business Continuity
Organisational Controls	Annex A 5.31	Annex A 18.1.1 Annex A 18.1.5	Legal, Statutory, Regulatory and Contractual Requirements
Organisational Controls	Annex A 5.32	Annex A 18.1.2	Intellectual Property Rights
Organisational Controls	Annex A 5.33	Annex A 18.1.3	Protection of Records
Organisational Controls	Annex A 5.34	Annex A 18.1.4	Privacy and Protection of PII
Organisational Controls	Annex A 5.35	Annex A 18.2.1	Independent Review of Information Security
Organisational Controls	Annex A 5.36	Annex A 18.2.2 Annex A 18.2.3	Compliance With Policies, Rules and Standards for Information Security
Organisational Controls	Annex A 5.37	Annex A 12.1.1	Documented Operating Procedures
People Controls	Annex A 6.1	Annex A 7.1.1	Screening
People Controls	Annex A 6.2	Annex A 7.1.2	Terms and Conditions of Employment
People Controls	Annex A 6.3	Annex A 7.2.2	Information Security Awareness, Education and Training
People Controls	Annex A 6.4	Annex A 7.2.3	Disciplinary Process
People Controls	Annex A 6.5	Annex A 7.3.1	Responsibilities After Termination or Change of Employment
People Controls	Annex A 6.6	Annex A 13.2.4	Confidentiality or Non-Disclosure Agreements
People Controls	Annex A 6.7	Annex A 6.2.2	Remote Working
People Controls	Annex A 6.8	Annex A 16.1.2 Annex A 16.1.3	Information Security Event Reporting
Physical Controls	Annex A 7.1	Annex A 11.1.1	Physical Security Perimeters
Physical Controls	Annex A 7.2	Annex A 11.1.2 Annex A 11.1.6	Physical Entry
Physical Controls	Annex A 7.3	Annex A 11.1.3	Securing Offices, Rooms and Facilities
Physical Controls	Annex A 7.4	NEW	Physical Security Monitoring
Physical Controls	Annex A 7.5	Annex A 11.1.4	Protecting Against Physical and Environmental Threats
Physical Controls	Annex A 7.6	Annex A 11.1.5	Working In Secure Areas
Physical Controls	Annex A 7.7	Annex A 11.2.9	Clear Desk and Clear Screen
Physical Controls	Annex A 7.8	Annex A 11.2.1	Equipment Siting and Protection
Physical Controls	Annex A 7.9	Annex A 11.2.6	Security of Assets Off-Premises
Physical Controls	Annex A 7.10	Annex A 8.3.1 Annex A 8.3.2 Annex A 8.3.3 Annex A 11.2.5	Storage Media
Physical Controls	Annex A 7.11	Annex A 11.2.2	Supporting Utilities
Physical Controls	Annex A 7.12	Annex A 11.2.3	Cabling Security
Physical Controls	Annex A 7.13	Annex A 11.2.4	Equipment Maintenance
Physical Controls	Annex A 7.14	Annex A 11.2.7	Secure Disposal or Re-Use of Equipment
Technological Controls	Annex A 8.1	Annex A 6.2.1 Annex A 11.2.8	User Endpoint Devices
Technological Controls	Annex A 8.2	Annex A 9.2.3	Privileged Access Rights
Technological Controls	Annex A 8.3	Annex A 9.4.1	Information Access Restriction
Technological Controls	Annex A 8.4	Annex A 9.4.5	Access to Source Code
Technological Controls	Annex A 8.5	Annex A 9.4.2	Secure Authentication
Technological Controls	Annex A 8.6	Annex A 12.1.3	Capacity Management
Technological Controls	Annex A 8.7	Annex A 12.2.1	Protection Against Malware
Technological Controls	Annex A 8.8	Annex A 12.6.1 Annex A 18.2.3	Management of Technical Vulnerabilities
Technological Controls	Annex A 8.9	NEW	Configuration Management
Technological Controls	Annex A 8.10	NEW	Information Deletion
Technological Controls	Annex A 8.11	NEW	Data Masking
Technological Controls	Annex A 8.12	NEW	Data Leakage Prevention
Technological Controls	Annex A 8.13	Annex A 12.3.1	Information Backup
Technological Controls	Annex A 8.14	Annex A 17.2.1	Redundancy of Information Processing Facilities
Technological Controls	Annex A 8.15	Annex A 12.4.1 Annex A 12.4.2 Annex A 12.4.3	Logging
Technological Controls	Annex A 8.16	NEW	Monitoring Activities
Technological Controls	Annex A 8.17	Annex A 12.4.4	Clock Synchronization
Technological Controls	Annex A 8.18	Annex A 9.4.4	Use of Privileged Utility Programs
Technological Controls	Annex A 8.19	Annex A 12.5.1 Annex A 12.6.2	Installation of Software on Operational Systems
Technological Controls	Annex A 8.20	Annex A 13.1.1	Networks Security
Technological Controls	Annex A 8.21	Annex A 13.1.2	Security of Network Services
Technological Controls	Annex A 8.22	Annex A 13.1.3	Segregation of Networks
Technological Controls	Annex A 8.23	NEW	Web filtering
Technological Controls	Annex A 8.24	Annex A 10.1.1 Annex A 10.1.2	Use of Cryptography
Technological Controls	Annex A 8.25	Annex A 14.2.1	Secure Development Life Cycle
Technological Controls	Annex A 8.26	Annex A 14.1.2 Annex A 14.1.3	Application Security Requirements
Technological Controls	Annex A 8.27	Annex A 14.2.5	Secure System Architecture and Engineering Principles
Technological Controls	Annex A 8.28	NEW	Secure Coding
Technological Controls	Annex A 8.29	Annex A 14.2.8 Annex A 14.2.9	Security Testing in Development and Acceptance
Technological Controls	Annex A 8.30	Annex A 14.2.7	Outsourced Development
Technological Controls	Annex A 8.31	Annex A 12.1.4 Annex A 14.2.6	Separation of Development, Test and Production Environments
Technological Controls	Annex A 8.32	Annex A 12.1.2 Annex A 14.2.2 Annex A 14.2.3 Annex A 14.2.4	Change Management
Technological Controls	Annex A 8.33	Annex A 14.3.1	Test Information
Technological Controls	Annex A 8.34	Annex A 12.7.1	Protection of Information Systems During Audit Testing