ISO 27001:2022 — What Changed from 2013 and Why It Matters

A clear, jargon-free overview of the 2022 update to ISO 27001: the new Annex A structure, the 11 new controls, and what existing certified organisations must do.

By RGI bv editorial team | Published December 18, 1969 | Updated December 30, 1969 | 7 min read

Tags: ISO 27001:2022, Update, Transition

The 2022 revision of ISO 27001 is the first major update since 2013. Most of the changes are in Annex A — the controls catalogue — which was completely restructured to align with ISO 27002:2022.

The headline change: Annex A restructure

The old 114 controls across 14 domains became 93 controls across 4 themes: Organizational, People, Physical, Technological. Some controls were merged, a few removed, and 11 brand-new controls were added.

The 11 new controls

  • A.5.7 Threat intelligence
  • A.5.23 Information security for use of cloud services
  • A.5.30 ICT readiness for business continuity
  • A.7.4 Physical security monitoring
  • A.8.9 Configuration management
  • A.8.10 Information deletion
  • A.8.11 Data masking
  • A.8.12 Data leakage prevention
  • A.8.16 Monitoring activities
  • A.8.23 Web filtering
  • A.8.28 Secure coding

Main clauses: minor edits

Clauses 4–10 saw only small wording changes (e.g. the new clause 6.3 on planning of changes) and no structural overhaul. If your management system is mature, bringing these clauses up to date is a one-day job.

Transition deadline

All certificates issued against ISO 27001:2013 expire on 31 October 2025. Organisations certified against the 2013 version must transition before then or lose certification.

What to do now

  1. Map your existing controls to the new Annex A structure.
  2. Assess the 11 new controls — most organisations already do several of them informally.
  3. Update the Statement of Applicability (SoA) so it references the new control set.
  4. Coordinate with your certification body to schedule a transition audit.
