ISO 27001, the international standard for Information Security Management Systems (ISMS), underwent a significant revision in 2022. One of the key changes was the reduction in the number of controls in Annex A. This article explores that change in detail by comparing the number of controls in ISO 27001:2022 with the number in ISO 27001:2013.

Number of Controls in ISO 27001:2013
In the 2013 version of ISO 27001, Annex A contained 114 controls that were divided into 14 categories. These controls covered a wide range of topics such as access control, cryptography, physical security, and incident management. The controls were designed to help organizations mitigate risk and demonstrate compliance with the standard.
Number of Controls in ISO 27001:2022
The 2022 revision of ISO 27001 introduced a new structure for Annex A. The number of controls was reduced to 93, and they were reorganized into four themes: Organizational, People, Physical, and Technological. This change was made to reflect the current cybersecurity and information security environment.
Organizational Controls
The Organizational theme includes 37 controls. These controls address how information security is governed and managed across the organization, such as policies, roles and responsibilities, and supplier relationships.
People Controls
The People theme consists of 8 controls. These controls focus on the human aspect of information security, including responsibilities and awareness.
Physical Controls
The Physical theme comprises 14 controls. These controls deal with the physical security of the organization’s assets.
Technological Controls
The Technological theme contains 34 controls. These controls are related to the technological aspects of information security, including system configuration, data protection, and secure coding.
Conclusion – ISO 27001:2022 vs ISO 27001:2013
The reduction in the number of controls in ISO 27001:2022 represents a significant shift from the 2013 version. By reducing the number of controls and reorganizing them into four themes, the standard aims to provide a more streamlined and focused approach to information security management. However, it’s important for organizations to understand these changes and adapt their ISMS accordingly to ensure continued compliance with the standard.
ISO 27001 Services
ITSec Security Consulting Limited provides ISO 27001 Consulting and Certification. Our experts can guide you through the process of achieving ISO 27001 certification, ensuring that your business meets the highest standards of information security.
ISO 27001 Related Documents:
https://www.isaca.de/sites/default/files/isaca_2017_implementation_guideline_isoiec27001_screen.pdf