What’s New in ISO 27001:2022? Key Changes You Need to Know

ISO 27001 is the leading international standard for information security management systems (ISMS). On 25 October 2022, ISO/IEC 27001 was published in a revised edition for the first time since 2013. While the core structure of the standard remains familiar, several important changes have been made to reflect evolving security challenges and technologies. Here’s what you need to know.


Annex A Overhaul: Control Changes

The most notable update is the complete revision of Annex A, which lists the reference controls an organisation compares its own risk treatment against (clause 6.1.3). Annex A now mirrors ISO/IEC 27002:2022. Here’s a summary of the changes:

  • Controls Reduced and Reorganised:
    The number of controls has been reduced from 114 to 93. No control from 2013 was simply dropped: 35 are unchanged, 23 were renamed, 57 were merged into 24, and 11 are new. The controls are now grouped into 4 themes rather than 14 domains:
    • Organisational (37 controls)
    • People (8 controls)
    • Physical (14 controls)
    • Technological (34 controls)
  • New Controls Introduced:
    The 11 new controls are:
    • Threat intelligence
    • Information security for the use of cloud services
    • ICT readiness for business continuity
    • Physical security monitoring
    • Configuration management
    • Information deletion
    • Data masking
    • Data leakage prevention
    • Monitoring activities
    • Web filtering
    • Secure coding

These changes reflect the growing importance of cloud services, threat monitoring, and secure development practices. Because most of the 2022 controls are merges or renames of 2013 controls, an existing risk treatment usually maps onto the new Annex A rather than having to be rebuilt; the new controls are the ones most likely to need fresh evidence.


Updated Terminology and Language

The 2022 revision simplifies and modernises language for better clarity and usability. For example:

  • The notion of an “asset” is used more broadly, covering information and the systems, services and people associated with it, not just hardware and software.
  • The roles of “risk owners” and the content of “risk treatment plans” are described more clearly.
  • Several requirements now state the outcome that must be achieved rather than the document that must exist, which helps align the ISMS with how the organisation actually operates.

Alignment with ISO 27002:2022

ISO 27001:2022 aligns with ISO 27002:2022, the guidance document for implementing the Annex A controls. ISO 27002 now tags each control with five attributes (control type, information security properties, cybersecurity concepts, operational capabilities, and security domains), making it easier to filter and group controls for a particular purpose, for instance pulling out every “Detective” control or every control relevant to the “Respond” cybersecurity concept. ISO 27002:2022 also includes, in its Annex B, correspondence tables between the 2022 and 2013 control numbering, which are the natural starting point for remapping an existing Statement of Applicability.


Minor Changes to Clauses 4–10

The main clauses (context, leadership, planning, support, operation, performance evaluation, and improvement) have seen minimal but meaningful adjustments:

  • A new clause 6.3, Planning of changes, requires that changes to the ISMS are carried out in a planned manner.
  • Clause 4.2 now asks you to state which interested-party requirements will be addressed through the ISMS, and clause 8.1 asks for criteria against which operational processes are controlled.
  • Requirements for performance monitoring, management review inputs, and continual improvement have been clarified.

These updates help ensure better integration of the ISMS into business processes.


Transition Timeline

Organisations certified to ISO 27001:2013 have until 31 October 2025 to transition to the 2022 version; after that date, certificates issued against the 2013 edition are no longer valid. It’s important to:

  • Conduct a gap analysis against both the revised clauses 4–10 and the new Annex A, using the ISO 27002:2022 Annex B correspondence tables to map your existing controls.
  • Update your Statement of Applicability (SoA) to the 93-control structure, keeping a justification for each control’s inclusion or exclusion and evidence of implementation status.
  • Review your risk assessment and risk treatment plan so that they reference the new control identifiers.
  • Train relevant staff on new controls and structure, and schedule the transition audit with your certification body well before the deadline.

Final Thoughts

ISO 27001:2022 makes the standard more relevant to modern threats and technology. Whether you’re maintaining certification or pursuing it for the first time, understanding and applying these changes will keep your ISMS compliant and fit for purpose.


Need support transitioning to ISO 27001:2022?

We can guide you through the changes and help strengthen your information security posture.

