ISO 27001:2022 vs ISO 27001:2013 – What’s Changed?
Organisations worldwide are gradually moving to the updated ISO/IEC 27001:2022 standard, and for good reason. The changes reflect the evolving cybersecurity landscape: more cloud, more remote work, more threats, more regulatory pressure. If you are certified (or planning to be) under ISO 27001, knowing what is new and what has stayed the same is essential.
In this post, we’ll cover:
- Why the update was needed
- What stayed the same (clauses / structure)
- What’s changed — especially Annex A controls
- What’s new: controls / themes / attribute structure
- Transition timelines & what you need to do to move from 2013 → 2022
- Practical tips & pitfalls to avoid
- Why it matters
To get customised support specific to your organisation, please get in touch with us.
Why the Update?
ISO/IEC 27001:2013 served organisations well. However, nearly nine years on, many new challenges have arisen:
- Increased reliance on cloud services, remote work, and digital supply chains
- More frequent and sophisticated cyber threats (data leakage, insider threats, phishing, etc.)
- Regulatory requirements (privacy, data protection) becoming stricter in many jurisdictions
- Desire for clearer alignment with other ISO management system standards (so organisations can integrate ISMS more easily)
The 2022 revision aims to keep the standard current and more usable, reducing redundancy, clarifying control intent, and introducing new controls to cover modern risks.
Looking for help to align your management systems, streamline operations, and achieve certification? Chat with us for a quick review!
What Has Stayed Mostly the Same?
Before diving into the new stuff, it’s reassuring to know some of the core of the standard remains consistent.
- Clauses 4-10 — Context, Leadership, Planning, Support, Operation, Performance Evaluation, Improvement. These fundamental management system clauses are still present. Their intent is largely retained. However, there are some minor tweaks in wording, clarity, and some additional detail in certain sub-clauses.
- Risk-Based Approach — The idea that you must identify risks, assess, treat, and review remains central. ISO 27001:2022 continues to emphasize risk management as foundational.
- Leadership & Management Commitment — Still an important part. Top management must support, integrate ISMS processes into business, ensure necessary resources, etc.
- Continuous Improvement — The PDCA (Plan-Do-Check-Act) mindset remains. You still need to monitor, measure, audit, and continually improve.
So: if you already have an ISMS under 2013, you’re not starting over. Many of your policies, procedures, risk assessments, etc., will still be valid, though likely some will need updating.
The Big Changes
The most substantial differences are in Annex A (the set of controls) – what’s included, how they’re grouped, how they’re described. There are also some smaller but important changes in other clauses. Let’s go through them.

Annex A: Controls — Number, Structure, New Controls
| Aspect | ISO 27001:2013 | ISO 27001:2022 | What Changed / Why It Matters |
|---|---|---|---|
| Number of controls | 114 controls across 14 domains (Annex A, A.5 → A.18) | 93 controls divided into 4 thematic control groups: Organisational (37), People (8), Physical (14), Technological (34) | Controls have been merged, some renamed, some new ones added. This reduces overlap, removes redundancies, and groups controls more logically. |
| Domains / themes | 14 domains such as Asset Management, Communications Security, Human Resource Security, etc. | 4 themes: Organizational, People, Physical, Technological | Simplifies control selection, mapping, auditing. Makes it easier for organisations to understand which controls apply to which area. |
| Merged / Renamed / Split Controls | Many granular controls; some overlap; more domains. | • Merged: 57 of the old 114 controls were merged into 24 combined controls. • Renamed: 23 controls were renamed so that the title better reflects what they cover. • Split: one control (A.18.2.3, Technical compliance review) was divided between two 2022 controls (5.36 Compliance with policies, rules and standards for information security, and 8.8 Management of technical vulnerabilities). • 35 controls are unchanged from 2013. | Improves clarity; removes duplication; aligns with modern terminology. But it means organisations must review their Statement of Applicability (SoA) and control mapping in detail rather than assume a 1:1 correspondence. |
| New Controls | None (all 114 were already defined in the 2013 edition) | 11 new controls with no 2013 predecessor: • 5.7 Threat intelligence • 5.23 Information security for use of cloud services • 5.30 ICT readiness for business continuity • 7.4 Physical security monitoring • 8.9 Configuration management • 8.10 Information deletion • 8.11 Data masking • 8.12 Data leakage prevention • 8.16 Monitoring activities • 8.23 Web filtering • 8.28 Secure coding | These address modern risks that were either implicit or poorly addressed before. Each must be considered in the SoA; where applicable, organisations will need to add or update processes, documents and evidence to cover them. |
| Control attributes | None | Annex A of ISO/IEC 27001:2022 lists only the control titles, but ISO/IEC 27002:2022 gives each control five attributes with hashtag values: control type (#Preventive, #Detective, #Corrective), information security properties (#Confidentiality, #Integrity, #Availability), cybersecurity concepts (#Identify, #Protect, #Detect, #Respond, #Recover), operational capabilities (e.g. #Governance, #Asset_management, #Secure_configuration) and security domains (#Governance_and_Ecosystem, #Protection, #Defence, #Resilience). | Lets you filter and present the same control set through different lenses (all detective controls, all controls supporting "Detect", and so on), which helps with SoA justification and with mapping to other frameworks. |
Other Changes / Clause-Level Improvements
While Annex A is the biggest change, there are several meaningful tweaks in the clauses 4-10. These may be smaller but can affect how you implement or audit the ISMS. Some of the key clause-level changes:
- Title of the Standard: The full title has been updated in 2022 to “Information security, cybersecurity and privacy protection — Information security management systems — Requirements.” This reflects the broader scope regarding privacy and cybersecurity.
- Clause 4.2 (Understanding the needs and expectations of interested parties): you must now also determine which of those parties' requirements will be addressed through the ISMS, not just list the parties and their requirements.
- Clause 4.4 (Information security management system): now explicitly requires the processes needed for the ISMS, and their interactions, to be established, implemented, maintained and continually improved.
- Clause 5.3 (Organisational roles, responsibilities and authorities): responsibilities and authorities must be communicated within the organisation.
- Clause 6.2 (Information security objectives): objectives must be monitored and be available as documented information.
- Clause 6.3 (Planning of changes): a new sub-clause; changes to the ISMS must be carried out in a planned manner.
- Clause 8.1 (Operational planning and control): you must establish criteria for the ISMS processes and control them in accordance with those criteria; the 2013 wording on "outsourced processes" is broadened to externally provided processes, products or services relevant to the ISMS.
- Clause 9.3 (Management review): inputs now include changes in the needs and expectations of interested parties that are relevant to the ISMS.
- Clause 10 (Improvement): the sub-clauses are reordered so that 10.1 is Continual improvement and 10.2 is Nonconformity and corrective action.
Transition Timeline & Deadline
Understanding the deadlines is critical.
- Certification bodies: after 30 April 2024, accredited certification bodies may no longer issue initial certifications or recertifications against the 2013 edition (per IAF MD 26); all new certification audits are conducted against ISO/IEC 27001:2022.
- Transition period: organisations currently certified under ISO 27001:2013 have until 31 October 2025 to complete the transition of their ISMS to the 2022 edition. Any 2013 certificate still in force on that date is withdrawn.
So if you’re thinking “maybe later”, note that 2025 is not far away. Organisations should be planning their gap analysis, mapping, updates, audits now.
Practical Steps for Transition: What Organisations Need to Do
Here are high-impact, actionable steps to move from the 2013 standard to 2022:
- Perform a gap analysis
- Map your existing controls / SoA under the 2013 standard to the new 2022 version. Identify which controls are merged, renamed, split, or new.
- Use the official mapping: Annex B of ISO/IEC 27002:2022 gives the correspondence between the 2022 and 2013 controls in both directions. Many consulting firms have also published mapping worksheets built on it.
- Review and update Statements of Applicability (SoA)
- The SoA should reflect which controls you’re applying, which are excluded, and the justification. Under 2022, new controls may need to be included, or at least considered.
- Update policies, procedures, and processes
- For new controls (e.g., secure coding, data leakage prevention, web filtering), define or update documentation.
- For merged or renamed controls, ensure references in your policies match new names/structure.
- Training and awareness
- Educate teams about the new/changed controls. Auditors will expect awareness, not just policy documents.
- Ensure that people understand the new requirements for planning of changes, process interaction, etc.
- Internal audit
- Before the external audit, carry out an internal audit using the 2022 requirements (or hybrid if in transition). This helps find non-conformities early.
- Review whether your audit checklists match the new control structure.
- Change management of the ISMS
- Because controls have changed, policies and operational practices may need adjusting. Ensure your change control processes cover these.
- Certification planning
- Talk with your certification body to understand how they conduct transition audits. Some will add extra audit days focusing on new controls.
- Avoid leaving transition activities to the last minute (auditor availability, resource constraints).
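The gap analysis and SoA review steps above are mechanical enough to script, which also makes it hard to lose track of a merged control's sub-components. The following Python is an added example, not code from the original post and not the official mapping table: `MAP_2013_TO_2022` is a small constructed excerpt of the 2013 → 2022 correspondence (Annex B of ISO/IEC 27002:2022 is authoritative), `SAMPLE_SOA_2013` is constructed test data, and all function and variable names are assumptions.

```python
"""Draft a 2022 Statement of Applicability from a 2013 SoA (added example).

MAP_2013_TO_2022 is a constructed *excerpt* of the official correspondence
(Annex B of ISO/IEC 27002:2022); SAMPLE_SOA_2013 is constructed test data.
"""
from collections import defaultdict

# Several 2013 controls pointing at the same 2022 id means "merged";
# one 2013 control pointing at two ids means "split".
MAP_2013_TO_2022 = {
    "A.5.1.1": ["5.1"],           # Policies for information security
    "A.5.1.2": ["5.1"],           # Review of the policies (merged into 5.1)
    "A.10.1.1": ["8.24"],         # Policy on the use of cryptographic controls
    "A.10.1.2": ["8.24"],         # Key management (merged into 8.24)
    "A.12.4.1": ["8.15"],         # Event logging
    "A.12.4.2": ["8.15"],         # Protection of log information
    "A.12.4.3": ["8.15"],         # Administrator and operator logs
    "A.12.6.1": ["8.8"],          # Management of technical vulnerabilities
    "A.18.2.2": ["5.36"],         # Compliance with security policies and standards
    "A.18.2.3": ["5.36", "8.8"],  # Technical compliance review: the one control split in two
}

TITLES_2022 = {
    "5.1": "Policies for information security",
    "5.36": "Compliance with policies, rules and standards for information security",
    "8.8": "Management of technical vulnerabilities",
    "8.15": "Logging",
    "8.24": "Use of cryptography",
}

# The 11 controls with no 2013 predecessor; each must be considered in the 2022 SoA.
NEW_2022 = {
    "5.7": "Threat intelligence",
    "5.23": "Information security for use of cloud services",
    "5.30": "ICT readiness for business continuity",
    "7.4": "Physical security monitoring",
    "8.9": "Configuration management",
    "8.10": "Information deletion",
    "8.11": "Data masking",
    "8.12": "Data leakage prevention",
    "8.16": "Monitoring activities",
    "8.23": "Web filtering",
    "8.28": "Secure coding",
}

# Constructed 2013 SoA: control id -> applicable (True) or excluded (False).
SAMPLE_SOA_2013 = {
    "A.5.1.1": True, "A.5.1.2": True,
    "A.10.1.1": True, "A.10.1.2": False,  # key management excluded: must be re-justified under 8.24
    "A.12.4.1": True, "A.12.4.2": True, "A.12.4.3": True,
    "A.12.6.1": True, "A.18.2.2": True, "A.18.2.3": True,
}


def control_sort_key(control_id):
    """Sort '8.9' before '8.10' (numeric, not lexicographic)."""
    return tuple(int(part) for part in control_id.split("."))


def invert_mapping(mapping):
    """2022 control id -> sorted list of the 2013 controls that feed into it."""
    inverse = defaultdict(list)
    for old_id, new_ids in mapping.items():
        for new_id in new_ids:
            inverse[new_id].append(old_id)
    return {new_id: sorted(old_ids) for new_id, old_ids in inverse.items()}


def gap_analysis(soa_2013, mapping=MAP_2013_TO_2022, new_controls=NEW_2022):
    """Return a draft 2022 SoA: {2022 id: {"title", "status", "from", "split"}}.

    status: applicable (all predecessors applied), excluded (all excluded; the
    exclusion must be re-justified), review (merged control whose predecessors
    were treated differently), missing (a predecessor is absent from the 2013
    SoA, i.e. a data gap), new (no predecessor; consider from scratch).
    """
    report = {}
    for new_id, sources in invert_mapping(mapping).items():
        decisions = [soa_2013[s] for s in sources if s in soa_2013]
        if len(decisions) < len(sources):
            status = "missing"
        elif all(decisions):
            status = "applicable"
        elif not any(decisions):
            status = "excluded"
        else:
            status = "review"
        report[new_id] = {
            "title": TITLES_2022.get(new_id, ""),
            "status": status,
            "from": sources,
            # A split predecessor feeds more than one 2022 control, so its old
            # evidence must be checked against each new control's scope separately.
            "split": any(len(mapping[s]) > 1 for s in sources),
        }
    for new_id, title in new_controls.items():
        report[new_id] = {"title": title, "status": "new", "from": [], "split": False}
    return report


def controls_needing_work(report):
    """2022 controls that cannot simply be carried over from the 2013 SoA."""
    return sorted((cid for cid, row in report.items()
                   if row["status"] in {"review", "missing", "new"}), key=control_sort_key)


if __name__ == "__main__":
    draft = gap_analysis(SAMPLE_SOA_2013)
    for cid in sorted(draft, key=control_sort_key):
        row = draft[cid]
        flag = " (split predecessor)" if row["split"] else ""
        print(f"{cid:>5}  {row['status']:<10} {row['title']}{flag}  <- {', '.join(row['from']) or 'new'}")
    print("Needs work:", ", ".join(controls_needing_work(draft)))
```

In practice you would load the full Annex B table and your 2013 SoA from the GRC tool or spreadsheet instead of the constructed excerpt. The `review` status and the `split` flag are exactly the merged-control pitfall: in the sample, key management (A.10.1.2) was excluded in 2013 while the cryptography policy was applied, so the merged control 8.24 cannot inherit either decision and needs a fresh justification, and A.18.2.3's evidence has to be checked against both 5.36 and 8.8.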
Pitfalls & Challenges
Knowing what to watch out for can save time, cost, and certification stress.
| Pitfall | How to Avoid It |
|---|---|
| Treating the changes as "just renaming" | Many controls have been merged or reframed, so the content may be broader or shifted. Do not assume a 1:1 correspondence; do the mapping in detail, control by control. |
| Ignoring organisational context or interested parties | The updated clauses emphasise stakeholder needs, external issues. If your ISMS context doesn’t capture new relevant parties (e.g. cloud providers, subcontractors), you may miss important risks. |
| Underestimating documentation / evidence needed | Auditors will expect you to show you not only updated policies but that you are using the new controls (monitoring, secure coding practices, etc.). |
| Last-minute transition | Audit bodies will be busy close to deadlines. Also, any misalignment discovered late can cause non-conformities. |
| Complexity in merged controls | When multiple old controls are merged, you may need to ensure all the subcomponents (from the old separate controls) are addressed somewhere. |
Why These Changes Matter: Benefits & Risks
Benefits
- More relevant to modern cybersecurity threats: Covers cloud, supply chain, leakage, monitoring, etc.
- Reduced redundancy: Merged controls mean less overlap, less confusion.
- Smoother integration: Grouping by themes may make it easier to align ISMS with other systems (e.g., business continuity, privacy, health & safety).
- Improved clarity: New wording, better definitions, attributes help in selecting and justifying controls.
Risks if You Don’t Transition / Update Properly
- Certificate invalidation after the deadline if still under 2013 version.
- Auditors raising non-conformities for unaddressed new controls.
- Missed opportunities to cover emerging threats (e.g. web filtering, secure coding).
- Potential misalignment with regulatory or contractual obligations around privacy, cloud, cyber.
Conclusion
ISO/IEC 27001:2022 is not a completely different standard from 2013: many core requirements and the overall ISMS structure remain. But the updates are meaningful:
- Annex A has been reworked: fewer, more grouped controls; new controls added to address modern risks.
- Clauses 4-10 have relatively modest, but important refinements.
- Organisations must plan, map, update, train, and audit if they want to remain compliant, avoid gaps, and maintain certification.
If your organisation is still operating under ISO 27001:2013, the time to act is now. A well-managed transition will strengthen your security posture and ensure your ISMS stays relevant and effective.
Ready to Transition Smoothly to ISO 27001:2022?
Don’t leave your compliance to chance. Our ISO 27001 consultants can help you carry out a full gap analysis, update your controls, and prepare for a successful transition audit before the 2025 deadline.
👉 Get in touch today to book your free consultation and ensure your ISMS meets the latest ISO 27001:2022 requirements.
Contact Us | Request a Quote | Learn More About ISO 27001
About Us
Candy Management Consultants has guided UK businesses through stress-free ISO certifications since 2017. Our 100% first-pass success rate comes from tailoring frameworks to your operations and a personalised approach rather than checklists and fixed day rates: transparent per-project contracts, supported by modern ISO management software.
