The ISO has updated the ISO/IEC 27001 standard for information security management systems to address evolving cybersecurity threats. The new ISO/IEC 27001:2022 standard features several changes including a revised title, minor updates to management clauses, 11 new controls added to Annex A, restructuring of the 93 Annex A controls into four categories, and a reduction in the total number of Annex A controls from 114 to 93. Companies seeking initial ISO 27001 certification should follow the 2022 standard if certifying after March 2023, while those undergoing recertification will need to transition to the new standard requirements by mid-2024.

ISO/IEC 27001:2022

Understanding the “New ISO 27001 standard”, a step-by-step journey for new certification or recertification.

February 2023

Enhanced information security framework

As a result of an ever-changing global digital landscape and evolving cyber threats, cybercrime is growing more severe and sophisticated. To address this evolution and better tackle cybersecurity challenges, the International Organization for Standardization (“ISO”) has updated the ISO/IEC 27001 Information Security Management and ISO/IEC 27002 Controls for Information Security. An enhanced scheme, ISO/IEC 27001:2022, has now been introduced, with a structured implementation timeline starting in end-2022 and continuing through 2025. We have summarised the changes below:

ISO/IEC 27001:2022 (Certification and Controls) – Information Security Management
• To ensure that an organisation’s information security risks are being managed appropriately.

ISO/IEC 27002:2022 (Implementation Guidance) – Controls for Information Security standards
• To identify the controls in place to mitigate or reduce the identified information security risks.

ISO/IEC 27001:2013 vs 27001:2022 changes at a glance

Dismantling the “New ISO 27001 standard” to help you diagnose information security issues and enhance protection

[Figure: Key changes in ISO/IEC 27001:2022 – changes to the title of the standard; minor changes in clauses 4 - 10; new Annex A controls; structural changes on the 93 controls; reduction in the number of Annex A controls]

Changes to the title of the standard
• The ISO/IEC 27001:2022 title has changed from ISO/IEC 27001:2013 Information Technology - Security techniques - Information security management system - requirements to ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection - Information security management systems - Requirements.
• This change is the result of a need to consider the modern compliance landscape, regulations such as GDPR and the evolving cyber risks organisations face.

Minor changes in clauses 4 - 10
• There have been minor updates in management clauses 4 – 10.

New Annex A controls
• 11 new controls have been added to Annex A.

Structural changes on the 93 controls
• 93 Annex A controls have been structured to 4 categories (People, Technological, Physical and Organizational) to simplify and streamline the process of selecting and implementing security controls.

Reduction in the number of Annex A controls
• There has been a decrease in the number of Annex A controls from 114 to 93 due to the merging of controls. No controls were removed.

© 2023 KPMG Advisory (Hong Kong) Limited, a Hong Kong (SAR) limited liability company and a member firm of the KPMG global organisation of independent member
firms affiliated with KPMG International Limited ("KPMG International"), a private English company limited by guarantee. All rights reserved.

The ISO 27001:2022 certification process

1. Companies seeking certification for the first time

Companies wishing to be ISO 27001 certified for the first time are required to comply with either the 27001:2013 or the 27001:2022 requirements. If your company plans to obtain certification before March 2023, it should use the 2013 release; if it plans to obtain certification after March 2023, it can start now with the 2022 version. This is because, once the 2022 version is published, certification bodies need time to prepare certifications according to the updated standard, which will be ready only after March 2023. Your company will then need to go through the transition to the 2022 version by mid-2024; this transition will require approximately 5% to 10% of the effort of the initial implementation.

[Process diagram; recoverable steps and labels:]
• Readiness assessment: conduct a readiness assessment to understand the changes that will be required.
• Gap remediation: review, create and implement policies, procedures, and documentation based on the readiness assessment results.
• Control implementation: implement new controls or modify the existing controls.
• Pre-certification of ISMS: schedule and conduct an internal audit to reassess your readiness.
• Get ISO 27001:2013 certified.
• Re-assess your readiness; assist client with certification stage.
• Get ISO 27001:2022 certified: start to certify against the certification body at new release.
Timeline labels shown in the diagram: 2023 - 2024 and 2023 - 2025.

2. Currently-certified companies

Transition period: there will be a transition period of three years after the publication of ISO 27001:2022. Currently-certified companies will need to certify for the updates before the end of 2025.

[Process diagram; recoverable steps and timeline:]
• Readiness assessment (2022 or early 2023): conduct a readiness assessment to understand the changes that will be required.
• Gap remediation (2023): review and modify ISMS policies and supporting documentation.
• Control implementation (2023): implement new controls or modify existing controls.
• Certification audit (2023): schedule and conduct an internal audit to reassess your readiness.
• Get ISO 27001:2022 certified (late 2023 to 2025): start to certify against the new release.

How KPMG can help

[Figure: Plan – Do – Check – Act cycle for ISO27001 implementation]

Scoping
• Assist in determining external and internal issues.
• Assist in determining relevant interested parties and the requirements of these interested parties.
• Assist in determining the scope of the system.
• Assist in delivering scoping documentation required as per the ISO/IEC 27001:2022 standard.

Gap assessment
• Assist in reviewing in-scope ISMS elements.
• Assist in delivering gap assessment results.
• Assist in delivering a roadmap remediation plan.

Asset identification, ownership, classification
• Identify, classify and document relevant assets.
• Define ownership and responsible departments of assets and perform asset valuation.
• Classify assets according to their criticality based on business area and usage.
• Deliver an asset list with defined ownership and classification.

Risk assessment & risk treatment planning
• Assist in conducting a detailed risk assessment.
• Assist in delivering a risk assessment report, prioritised risks, risk treatment plan, information risk inventories and SOA (Statement of Applicability).
• Assist in delivering a risk treatment plan.

ISMS implementation
• Assist in providing ISO 27001 standard awareness & training programs (as agreed).
• Assist in reviewing the implementation documents in order to fulfil the identified gap.
• Provide assistance in monitoring the progress of risk mitigation and remediation processes.
• Liaise with the respective parties (including internal audit and top management).

Pre-certification & certification
• Perform the pre-certification audit (internal audit).
• Assist and work with the client to prepare the documentation required.

Contact us

Henry Shek, Partner, Technology Consulting, KPMG China
T: +852 2143 8799 / E: henry.shek@kpmg.com

Brian Cheung, Partner, Technology Consulting, KPMG China
T: +852 2847 5026 / E: brian.cheung@kpmg.com

Lanis Lam, Partner, Technology Consulting, KPMG China
T: +852 2143 8803 / E: lanis.lam@kpmg.com

Jack Chan, Associate Director, Technology Consulting, KPMG China
T: +852 2847 5027 / E: jack.k.chan@kpmg.com

kpmg.com/cn/socialmedia

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation.