ISO/IEC 27001:2022 was published in October 2022, replacing the 2013 version. Organisations that were certified under the 2013 standard had until 31 October 2025 to transition to the 2022 version — a deadline that has now passed. All new certifications, and all existing certificates, are now against the 2022 standard.
The core clauses (4–10) of the standard changed relatively little. The most significant changes were in Annex A — the reference control set — which was substantially restructured and updated to reflect the modern threat landscape.
Annex A: From 14 Domains to 4 Themes
The most visible change in 2022 is the reorganisation of Annex A. The 2013 version grouped controls into 14 domains (physical, access control, cryptography, etc.). The 2022 version consolidates these into four themes:
2013 — 14 Domains
- A.5 Security policies
- A.6 Organisation of information security
- A.7 Human resource security
- A.8 Asset management
- A.9 Access control
- A.10 Cryptography
- A.11 Physical & environmental security
- A.12 Operations security
- A.13 Communications security
- A.14 System acquisition, development & maintenance
- A.15 Supplier relationships
- A.16 Information security incident management
- A.17 Business continuity
- A.18 Compliance
2022 — 4 Themes
- A.5 Organisational controls (37 controls)
- A.6 People controls (8 controls)
- A.7 Physical controls (14 controls)
- A.8 Technological controls (34 controls)
- Total: 93 controls (down from 114)
The control count dropped from 114 to 93 — not because controls were removed, but because many overlapping controls were merged. No security requirement was dropped; the restructuring makes the standard easier to navigate and apply.
The 11 New Controls in ISO 27001:2022
Eleven controls are genuinely new in the 2022 version — they did not exist in the 2013 Annex A in any form. These reflect the changes in how organisations operate and the threats they face:
| Control | Reference | Why It Was Added |
|---|---|---|
| Threat intelligence | A.5.7 | Formalises the requirement to monitor and act on threat intelligence feeds |
| Information security for cloud services | A.5.23 | Addresses the widespread adoption of cloud infrastructure and SaaS |
| ICT readiness for business continuity | A.5.30 | Specifically covers IT/OT continuity planning |
| Physical security monitoring | A.7.4 | Covers CCTV, access monitoring, and physical intrusion detection |
| Configuration management | A.8.9 | Formalises secure configuration of systems and software |
| Information deletion | A.8.10 | Covers secure deletion of data — increasingly important under GDPR |
| Data masking | A.8.11 | Addresses pseudonymisation and masking of sensitive data |
| Data leakage prevention | A.8.12 | Covers DLP tools and processes to prevent unauthorised data exfiltration |
| Monitoring activities | A.8.16 | Formalises log monitoring and anomaly detection |
| Web filtering | A.8.23 | Covers controls on access to external websites |
| Secure coding | A.8.28 | Addresses SAST, DAST, and secure development practices |
Changes to the Core Clauses (4–10)
The clause requirements (4–10) were updated more modestly. The key changes:
- Clause 4.2: Now explicitly requires organisations to identify "relevant requirements of interested parties" that will be addressed through the ISMS — making scope definition more rigorous
- Clause 6.3: A new clause on "Planning of changes" — ISMS changes must now be planned in a controlled manner
- Clause 8.1: Requires organisations to establish criteria for processes and control them — more explicit about operational planning
- Clause 9.3: Management review inputs now explicitly include "changes in needs and expectations of interested parties" — connecting back to Clause 4.2
New Control Attributes
Each control in the 2022 Annex A now carries five attributes that can be used to filter and organise controls for your Statement of Applicability and implementation planning:
- Control type: Preventive, Detective, or Corrective
- Information security properties: Confidentiality, Integrity, and/or Availability
- Cybersecurity concepts: Aligned to NIST CSF — Identify, Protect, Detect, Respond, Recover
- Operational capabilities: Governance, Asset management, Information protection, etc.
- Security domains: Governance and Ecosystem, Protection, Defence, or Resilience
The attributes are optional — the standard does not require you to document them in your SoA. But they are useful for communicating your control set to different audiences: security teams, auditors, and executives all have different mental models, and the attribute system gives you a way to present the same controls through each lens.
What This Means If You Are Certifying Now
If you are starting an ISO 27001 implementation today, you are working with the 2022 standard. Your Statement of Applicability references the 93 controls in the 2022 Annex A. Your risk treatment plan maps risks to these controls. Your certification body audits you against the 2022 clauses and control set.
The practical impact of the new controls depends on your organisation. Cloud security (A.5.23) is relevant to almost every technology company. Secure coding (A.8.28) matters if you develop software. Data masking (A.8.11) and data leakage prevention (A.8.12) are particularly relevant if you handle sensitive personal data. Threat intelligence (A.5.7) applies if you have any form of security monitoring in place.
Our ISO 27001 template library is built against the 2022 standard — all 93 Annex A controls are covered. If you want help navigating the new control set and building a Statement of Applicability for your organisation, our ISO 27001 consulting service covers SoA development and control selection as part of the full implementation.