In October 2022, ISO published the updated version of ISO/IEC 27001:2022, replacing the 2013 edition that had served as the global benchmark for information security management for nearly a decade. While the core management system clauses (4 through 10) saw only minor editorial changes, the Annex A control set underwent a significant restructure. Here is what changed, what it means for your organisation, and how to manage the transition.
What Changed in the Core Clauses
The management system requirements in Clauses 4 through 10 remain largely the same. The most notable changes are editorial rather than substantive:
- Clause 6.1.3 (Information security risk treatment): Now explicitly references Annex A as a reference list rather than a comprehensive catalogue, emphasising that organisations may need controls beyond Annex A.
- Clause 6.3 (Planning of changes): A new sub-clause requiring organisations to plan changes to the ISMS in a structured manner.
- Clause 8 (Operational planning and control): Minor clarifications on establishing criteria for security processes and controlling planned changes.
If your existing ISMS is well-implemented against the 2013 version, these clause-level changes should require minimal effort.
The Restructured Annex A
This is where the real change happened. The 2013 version organised 114 controls across 14 domains (A.5 through A.18). The 2022 version consolidates these into 93 controls across 4 themes:
| Theme | Number of Controls | Examples |
|---|---|---|
| Organisational (A.5) | 37 | Policies, roles, threat intelligence, cloud security |
| People (A.6) | 8 | Screening, awareness, responsibilities, remote working |
| Physical (A.7) | 14 | Perimeters, equipment, monitoring, clear desk |
| Technological (A.8) | 34 | Access control, cryptography, DLP, secure coding |
The restructure also introduced attributes for each control — metadata tags like control type (preventive, detective, corrective), information security properties (confidentiality, integrity, availability), cybersecurity concepts, and operational capabilities. These attributes are informative rather than normative, but they are valuable for mapping controls to frameworks like NIST and for filtering your Statement of Applicability.
The 11 New Controls
The 2022 revision introduced 11 entirely new controls that reflect the modern threat landscape:
- A.5.7 Threat intelligence: Collecting and analysing information about threats to inform security decisions.
- A.5.23 Information security for use of cloud services: Managing security of cloud service acquisition, use, and exit.
- A.5.30 ICT readiness for business continuity: Ensuring ICT systems can be recovered within required timescales.
- A.7.4 Physical security monitoring: Continuous monitoring of premises for unauthorised physical access.
- A.8.9 Configuration management: Maintaining secure configurations for hardware, software, and networks.
- A.8.10 Information deletion: Securely deleting information when it is no longer required.
- A.8.11 Data masking: Obscuring sensitive data in accordance with access policies and regulations.
- A.8.12 Data leakage prevention: Detecting and preventing unauthorised disclosure of information.
- A.8.16 Monitoring activities: Monitoring networks, systems, and applications for anomalous behaviour.
- A.8.23 Web filtering: Managing access to external websites to reduce exposure to malicious content.
- A.8.28 Secure coding: Applying secure coding principles throughout the software development lifecycle.
Transition Timeline
The transition period from the 2013 version to the 2022 version was set at three years from the publication of the standard. Key dates:
- 25 October 2022: ISO 27001:2022 published.
- 31 October 2025: All existing ISO 27001:2013 certificates must have transitioned. Certificates not transitioned by this date are no longer valid.
- New certifications: All new certifications should now be issued against the 2022 version.
If your organisation has not yet transitioned, the deadline has passed and immediate action is required. Contact your certification body to arrange a transition audit as soon as possible.
Steps to Transition
For organisations that need to complete or verify their transition, here is a practical step-by-step approach:
- Perform a gap analysis: Map your existing controls against the 2022 Annex A. Identify the 11 new controls and assess whether you already have equivalent measures in place (many organisations do, even if not formally documented).
- Update your Statement of Applicability (SoA): This is the most significant documentation change. Your SoA must reference the 2022 control numbering and include justifications for inclusion or exclusion of each control.
- Update your risk assessment: Ensure your risk treatment plan aligns with the new control structure. This may be a renumbering exercise if your existing controls are well-implemented.
- Address the new controls: For each of the 11 new controls, determine applicability and implement where necessary. Document the control objective, implementation, and evidence.
- Update policies and procedures: Align documentation references to the new clause and control numbers.
- Conduct an internal audit: Audit against the 2022 version before your transition audit to identify any remaining gaps.
- Schedule your transition audit: Coordinate with your CB. The transition can be conducted as a standalone audit, during a surveillance audit, or during recertification.
What Auditors Look For
During a transition audit, auditors will focus on:
- An updated Statement of Applicability referencing the 2022 controls
- Evidence that the 11 new controls have been assessed and, where applicable, implemented
- A risk assessment and treatment plan aligned to the updated control set
- That Clause 6.3 (planning of changes) has been applied to the transition itself
- Awareness among staff of any changes to policies or procedures
The transition audit is not a full recertification. Auditors focus on what has changed and whether the transition has been managed competently. If your underlying ISMS is mature, the transition should be straightforward.