ISO 27001:2022 vs ISO 27001:2013 What Changed from 2013?

The ISO 27001:2013 certification standard is the most commonly used framework to provide assurance of an organization’s information security management system.

It has been updated by the ISO 27001:2022 standard, which took effect on April 1st, 2018.

In this article, we will discuss what changed since 2013 and why it was important for organizations to undergo this change.

ISO ISMS: Information Security Management System

ISO 27001:2022 is an updated version of the ISO 27001 standard.

It has been revised to reflect new challenges and changes in the global business environment that have come about since it was first published back in 2008.

The major change is that now you can use both versions interchangeably, which means you don’t need to worry about choosing between them when implementing your information security management system (ISMS).

A Recap:

ISO 27001:2013, the foundation for all Information Security Management Systems (ISMSs), has been published since 2013.

This version of ISO 27001 is based on best-practice models from around the world and includes a risk assessment framework to help organizations establish a baseline for their information security management processes.

The latest revision to this standard was published in March 2019 as ISO/IEC 27001:2019 — version 2.

ISO ISMS Framework Scope

The ISO 27001:2013 standard is a framework for managing an organization’s information security risk.

It specifies the requirements for establishing, implementing, operating, monitoring, and reviewing an Information Security Management System (ISMS).

Context of the Organization

The organization’s context is the external environment, which includes the industry and market that it operates. Internal context refers to how your company operates internally.

For example, if you are an auditor for a large corporation, then your internal context may include its financial systems along with information about its employees and customers.

The business context includes all aspects of an organization’s day-to-day operations such as sales figures and customer service metrics.


Leadership is the process of influencing a group of people to achieve a common objective.

Leadership is required for the success of any organization, and it’s an important part of ISO 27001:2013.

In addition to being able to influence others, you also need to be able to influence yourself as well.

This can be done by following through on your commitments and taking ownership of your actions and decisions in order for them not only to benefit you but also to benefit others around you as well (for example: if something goes wrong during implementation).


Planning is the process of defining the purpose, goals, and objectives of an ISMS. It involves determining what needs to be accomplished, who will do what, and when.

It is a continuous process because it continues throughout implementation.

Planning helps to identify risks and vulnerabilities by understanding how your organization operates; then you can plan how best to mitigate them or eliminate them altogether from occurring again in future years.

Once you’ve identified these concerns, you can begin implementing controls that will help ensure they don’t happen again – this is called “risk identification.


ISO 27001:2022 has introduced the concept of ‘Support’ as a part of its management system.

Support is defined as an activity carried out by the management to ensure that the ISMS is implemented properly and in accordance with established standards.

It includes activities such as auditing, training, and awareness raising.

The new standard also introduced an additional requirement to provide “a clear understanding” within your organization about what support will be provided (e.g., how many people will be involved, where they will come from etc).


The scope of operation is the area that you will monitor and report on.

This includes any processes, procedures, or tools that are used by your organization in fulfilling its obligations under ISO 27001:2013,

But does not include those used for internal management or for other non-compliance purposes (e.g., legal compliance).

The boundaries of operation are those areas where you believe there might be a risk to your organization’s compliance with ISO 27001:2013.

For example, if there is no clear boundary between two different departments within an organization then this could constitute a potential risk area for both departments because they would share resources and services which could lead to cross-contamination between them if one department fails its audits by failing to comply with its own policies and procedures while another department fails its audits due to poor record keeping practices or lack thereof!

Performance Evaluation

Performance Evaluation is a new section of ISO 27001:2022 that covers how an organization can evaluate its ISMS.

This is an important part of the ISO 27001 standard and it’s something you should consider implementing in your own company.

For example, if you’re worried about cyber security threats, but don’t have time or resources to do all the training required by the standard (or any other type of risk management program), then this may be something worth considering.


ISO 27001:2013 is the latest version of the standard, and it has been updated to reflect some significant changes in the industry.

The most significant change is that ISO 27001:2013 now requires organizations to assess their risk management processes to determine how well they are performing.

The other key difference between these two standards is how they define “the organization” as an entity, rather than just businesses alone.

In order for an organization to be considered compliant with both standards (either one), it must comply with all six principles outlined by each respective standard.

Contextual Change:

Change from 2013 has been done keeping in mind the current scenario.

ISO 27001:2022 is more aligned with the current cybersecurity needs, as it includes more security requirements than ISO 27001:2013.

ISO 27001:2022 is a more comprehensive standard than ISO 27001:2013 and covers all areas of information security management, including compliance with laws and regulations, risk assessment and control for information systems (IS), incident management process integration within IS governance structures, developing program metrics for measuring performance against baseline targets against regulatory requirements/standards, etc.,

Establishing controls over risks associated with external factors such as natural disasters etc., complying with privacy laws by protecting personal data during processing activities where necessary or appropriate.

ISO 27001:2013 is the standard that was approved by ITU in April 2013.

After this, it has been revised and updated to include changes made by the ISO 27001:2022 committee which was formed in 2017.

Some of these changes include the removal of limits on the number of information security management systems an organization can have and instead giving them flexibility for their requirements based on their current situation.

So why not get certified today and show the world that you are up to date with the industry standards and are capable of aligning organizations with their goals.

Check out our official ISO 27001 2022 Lead Auditor for more!

Thank you for reading!

Leave a Reply