Request a Demo

Fill in the form below and we will contact you shortly to organised your personalised demonstration of the Noggin platform.

The Noggin Platform

The world's leading integrated resilience workspace for risk and business continuity management, operational resilience, incident & crisis management, and security & safety operations.

Learn More
Resilience Management Buyers Guide - Thumbnail
A Resilience Management Software Buyer's Guide
Access the Guide

Who We Are

The world’s leading platform for integrated safety & security management.

Learn More

ISO 27001 Has Changed: What’s new?


The international information security management system (ISMS) standard ISO/IEC 27001 was originally published in 2012. And much has changed in the ecosystem since then – too much to track in one article anyway. That’s exactly why last year, its authors gave the standard a refresh. What are some key updates?

Holdovers from the original ISO 27001

Well, the short answer is many of the controls in ISO 27001 have changed.

But before we get there, remember that ISO 27001 itself suggests generic methods and practices of implementing information security in organizations. Not much changed there.

What’s more, the standard also provides a means of enabling secure, reliable communications of security risk, while emphasizing the necessity of adequate training as a prerequisite for implementing then communicating security procedure.

Even with updates, that procedure must be continuously monitored, checked on, and improved upon, to ensure the effectiveness and efficiency of the ISMS.

Who’s responsible?

Here, the standard continues to task senior management – not just top executives but business line owners, as well – with the control of the end-to-end certification and implementation process.

That process, in its entirety, consists of determination of security policy, definition of roles and responsibilities, recruitment, and preparation of necessary personnel and material resources, as well as decisions on risk management.

Download the Guide: New Information Management and Physical Security Controls in ISO 27001

ISO 27001 gets a refresh

Despite these continuities, there are clear differences.

For one, the new ISO 27001:2022 more clearly emphasizes process orientation in information security management. Another major change: the increased centrality of risk management. And that’s demonstrated by the below:

  • Adaptation to the so-called Harmonized Structure
  • Emphasis on best practices for managing various information security vulnerabilities
  • Highlighting the significance of process orientation, a feature shared by all HS-based management systems

Security management is all about execution, though. That’s where controls come in.

The original standard included an appendix replete with detailed security controls for multiple security risk points. The updated standard does, as well, revising many of the earlier controls for an era of increased security risk.  

Specifically, the updated standard adds 11 new controls. Meanwhile, 24 existing controls get combined, and 58 controls get modifications.

Focus on changes to physical security controls

Where do physical security controls (including people) factor among these changes?

Information assets, as they’re known, exist in physical space, manipulated by personnel. That basic reality leaves those assets vulnerable despite the most stringent (purely) information security measures.

And so, like the original, the updated standard dedicates time to discussing physical and environmental security control objectives and controls as well as the role of people. But unlike the original, the updated standard singles out physical security monitoring.

The recommended control to effect serious physical security monitoring is to continuously monitor all premises for unauthorized physical access.

What are some other controls for physical assets and people, recycled from the original or otherwise? To get the comprehensive list, download our Guide to ISO/IEC 27001:2022. Download the Guide: New Information Management and Physical Security Controls in ISO 27001