ISO 27001 Updates, News, and Revisions

Welcome to our ISO 27001 revisions and updates page. Here, you will find the latest information, news, updates, and revisions regarding the ISO 27001 standard.

ISO/IEC 27001:2022, also known as ISO 27001, is the internationally recognised Management System Standard for information security, published by The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The standard supports organisations of all sizes in establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). ISO 27001 could help organisations meet compliance obligations and stakeholder expectations and could help mitigate information security risks.

We regularly update this page with new information to help organisations stay aligned with ISO 27001 requirements.

• Explore how ISO 27001 could help organisations to protect their sensitive data from cyber threats.
• Learn how an ISO 27001-certified ISMS could benefit organisations and their clients.
• Browse our selection of online and in-person ISO 27001 training courses, designed to build awareness of the standard.

ISO standards undergo periodic reviews to remain effective as business changes. This involves considering changes, such as new ways of working and new technologies, that could influence the effectiveness of the standards.

A major, relatively recent example of one of these changes is ISO 27001:2013, which incorporated the High Level Structure, or Annex SL (also known as the Harmonised Structure) to support integration with other management system standards.

Read our Guide to ISO 27001 for more in-depth information on the standard. It includes details on Information Security Management Systems, the standard’s requirements, and the audit and certification process.

ISO/IEC 27001 is developed by technical committees and reviewed by working groups.

When ISO standards are updated, the changes are vetted by experts from a range of industries and language backgrounds who make them easily understandable and universally applicable.

The revision process typically involves these steps:

1. Experts review the standard to identify sections that may require clarification or improvement, determining where revisions are needed.
2. Next, they reach consensus on the specific updates that should be implemented.
3. Working drafts are then shared internally among relevant ISO specialists for discussion and further refinement.
4. When these drafts are considered to meet the necessary professional criteria, they progress to the committee draft stage.
5. The initial committee draft may be further revised based on the input of ISO member bodies, who are invited to review, comment on, and vote on it.
6. Following a successful ballot, the Committee Draft (CD) advances to become a Draft International Standard (DIS).
7. ISO and national standards bodies manage the public commenting process. At the DIS stage, the standard is made available for public comment, allowing end users to share their feedback directly.
8. After all comments are addressed, a final round of voting takes place, leading to the preparation of the Final Draft International Standard (FDIS).
9. Once all changes are finalised and agreed upon, the revised International Standard is officially published.

ISO 27001:2022 Published

ISO/IEC 27001:2022 was rolled out in October 2022, replacing ISO/IEC 27001:2013 as the current version of the standard. Organisations certified to ISO/IEC 27001:2013 had to transition to the 2022 version by 31st October 2025.

This revision was driven by the ongoing evolution of the information security environment. The rapid development of new digital technologies, the rise of sophisticated cyber threats, and increased reliance on cloud computing and remote work have all highlighted the need to update the standard.

There was also a strong push to align ISO/IEC 27001 with the newly revised ISO/IEC 27002:2022, which provided a modernised set of controls reflecting current industry practices.

Additionally, the revision seeks to further clarify requirements and terminology, making the standard more accessible and easier to implement across global organisations.

Key updates to this standard include:

Modernised Annex A structure and controls

The most prominent change in the 2022 edition is the complete restructuring of Annex A. The reference controls have been streamlined and reorganised from 114 controls in 14 categories to 93 controls grouped into four themes (Organisational, People, Physical, and Technological), as detailed in ISO/IEC 27002:2022, to improve clarity and usability.

Introduction of new controls

Annex A has been updated to reflect ISO/IEC 27002:2022, which introduced 11 new controls, including threat intelligence, information security for cloud services, physical security monitoring, and ICT readiness for business continuity.

Enhanced focus on supplier and supply chain security

The updated standard places greater emphasis on managing information security risks in supplier relationships and the supply chain, recognising the growing importance of third-party and external partner security.

Updated terminology and definitions

The 2022 revision updates key terms and definitions to align with current information security practices and ensures consistency with other ISO management system standards.

Improved clarity on continual improvement and measurement

Clarifications of requirements for continual improvement, monitoring, and measurement will help organisations effectively evaluate and enhance the performance of their ISMS.

Minor changes to main body requirements

While most changes focus on Annex A, the main body of the standard has also received minor updates to improve readability, remove ambiguities, and reflect the modernised approach to controls.

ISO 27001:2022 integrates what ISO has officially termed the Harmonised Structure (HS) (formerly known as High Level Structure or Annex SL).

Organisations certified to ISO/IEC 27001:2013 were required to transition their certification to the 2022 version before the 31st October 2025, as mandated by ISO, IAF, and national accreditation bodies such as INAB. This helped ensure certification remained valid under the updated standard.

Administrative update ISO/IEC 27001:2017

An administrative update, ISO/IEC 27001:2017, has been issued to align references with EU data protection regulations without introducing technical changes to the standard.

This update is primarily relevant in jurisdictions subject to the EU General Data Protection Regulation (GDPR).

Major revision of ISO/IEC 27001

The 2013 revision of ISO/IEC 27001 was prompted by several important factors. Since the 2005 edition, organisations had been confronted with increasingly complex information security threats and a rapidly changing regulatory environment.

It was essential for the standard to remain relevant and support organisations of all sizes and sectors.

Another driving force was the introduction of the High-Level Structure (HLS) by ISO, which aimed to harmonise the clause structure of all management system standards and make it easier for companies to integrate multiple systems, such as quality and environmental management, alongside information security.

Feedback from users highlighted the necessity to clarify documentation requirements, risk management, and the continual improvement process to remove ambiguities and simplify implementation.

Key differences between ISO 27001:2013 and the ISO 27001:2005 version included:

• Adoption of the High-Level Structure (Annex SL): The Annex SL High-Level Structure aligns ISO/IEC 27001 with other ISO management system standards, making it easier for organisations to integrate information security with quality, environmental, and other management systems.
• Flexible documentation requirements: The revised standard removed prescriptive documentation rules, eliminating the strict separation between documents and records. Organisations gained more flexibility to decide what documented information was appropriate for their unique ISMS, enabling an approach appropriate to the organisation’s context.
• Enhanced leadership and management commitment: Greater emphasis was placed on the role of top management, requiring leaders to set objectives, support the ISMS, and foster a culture of continual improvement throughout the organisation.
• Organisation-specific risk assessment: Organisations were allowed to select their own risk assessment methodologies, moving away from a one-size-fits-all approach and supporting a process that reflected each organisation’s unique context.
• Updated Annex A controls: Annex A was revised to align with ISO/IEC 27002:2013, modernising the list of information security controls and ensuring their continued relevance to emerging threats and technologies.
• Clarified continual improvement and audit requirements: The requirements for continual improvement, corrective actions, and internal audits were clarified and streamlined, making it easier for organisations to maintain and enhance their ISMS over time.

ISO/IEC 27001 was published

ISO/IEC 27001:2005 was published, representing a major step forward in information security standardisation.

Unlike ISO/IEC 17799, which served as a code of practice, ISO/IEC 27001 introduced a formal set of requirements for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an ISMS.

This standard enabled organisations to achieve independent, accredited certification of their ISMS, providing assurance to customers, partners, and regulators that robust information security controls were in place.

The publication of ISO/IEC 27001:2005 established a globally recognised benchmark for information security management and set the stage for ongoing developments and improvements in the field.

International adoption as ISO/IEC 17799

Part 1 of BS 7799 was formally adopted by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) as ISO/IEC 17799:2000.

This significant development marked the transition of information security best practices from a British standard to an internationally recognised framework.

ISO/IEC 17799 provided comprehensive guidance on a wide range of information security controls, including risk assessment, asset management, access control, and incident response. This adoption played a crucial role in harmonising global approaches to information security and laid the foundation for the ongoing development of international standards in this field.

In May 1999, BS 7799 was revised and divided into two parts. This was done to separate the specification for an Information Security Management System from the code of practice for security controls.

Part 1 became the Code of Practice for Information Security Management, while Part 2 introduced the specification for implementing an Information Security Management System, enabling organisations to work towards early certification.

Introduction of BS 7799

In February 1995, the British Standards Institution (BSI) published BS 7799, one of the first formal standards for information security management.

This standard provided organisations with guidance on establishing policies and controls to safeguard information assets.

For organisations that are already ISO /IEC 27001-certified, revisions may involve adapting operations to fit the new requirements. This helps to demonstrate your commitment to consistently meeting stakeholder expectations and striving for continual improvement. Staying compliant as requirements evolve could support the ongoing validity of certification.

If you are not yet working to the most current version of the standard, Amtivo can provide information on the audit and certification process, including what revisions may mean for audit timing and certification cycles.

Contact us to discuss the ISO/IEC 27001 audit and certification process.