ISO 27001:2022 Update: What Changed and What It Means for Your ISMS
ISO 27001:2022 was published in October 2022, replacing ISO 27001:2013 (technically corrected in 2014). The transition deadline for organisations holding 2013-edition certificates was 31 October 2025; past that point, all certificates issued reference the 2022 edition. If your last audit was against 2013 and you haven't transitioned, your certificate is no longer valid.
This article covers what actually changed between the editions, why the changes matter for the operating model of your ISMS, and the transition pattern we have run with customers across the deadline window.
What Changed in the Main Body (Clauses 4-10)?
The main body changes are smaller than most marketing makes them out to be. Clauses 4-10 retained their structure and most of their requirements. The notable updates:
- Clause 4.4 now explicitly requires the ISMS to include the processes needed and their interactions, slightly stronger language than in 2013
- Clause 6.2 adds a requirement that information security objectives be monitored, communicated, and updated, strengthening the previous "establish" wording
- Clause 6.3 is new: changes to the ISMS must be carried out in a planned manner
- Clause 8.1 requires criteria for processes and control of those processes, making operational discipline explicit
For organisations whose 2013 ISMS was operating well, these changes typically require minor documentation tweaks rather than fundamental redesign.
The Big Change: Annex A Restructuring
Annex A is where the 2022 revision is genuinely different. The control set was reorganised from 14 control domains and 114 controls into 4 themes and 93 controls. The four themes:
| Theme | Control count | Examples |
|---|---|---|
| 5. Organisational | 37 | Policies, threat intelligence, identity management, supplier relationships |
| 6. People | 8 | Screening, awareness, disciplinary process, remote working |
| 7. Physical | 14 | Physical security perimeters, equipment siting, secure disposal |
| 8. Technological | 34 | Endpoint protection, cryptography, secure development, monitoring |
The total dropped from 114 to 93 by merging 24 controls into 11 consolidated ones, retiring 1, and adding 11 new controls, a net change of -21. The new controls are the most consequential part of the update for most organisations.
The 11 New Annex A Controls
These are the controls that didn't exist in 2013 and that most organisations need to design specifically for the transition:
- 5.7 Threat intelligence: collect, analyse, and produce information about threats relevant to the organisation
- 5.23 Information security for use of cloud services: explicit cloud-service security requirements
- 5.30 ICT readiness for business continuity: IT continuity tied to business continuity
- 7.4 Physical security monitoring: monitor premises continuously
- 8.1 User endpoint devices (consolidated): endpoint protection across managed and BYOD devices
- 8.9 Configuration management: establish, document, monitor, and review configurations
- 8.10 Information deletion: delete information when it is no longer required
- 8.11 Data masking: apply masking to limit exposure of sensitive data
- 8.12 Data leakage prevention: DLP controls applied to in-scope information
- 8.16 Monitoring activities: continuous monitoring of network, system, and application behaviour
- 8.23 Web filtering: control external website access from corporate devices
- 8.28 Secure coding: secure coding principles applied to software development
(That's 12 listed because 8.1 is a consolidation, not a strictly new control; the official ISO count is 11 new + 1 consolidated.)
What This Means for Your SoA
The Statement of Applicability is the document that names every Annex A control and either declares it applicable or justifies its exclusion. Transitioning the SoA from the 2013 to the 2022 control set requires:
- Mapping every existing 2013 SoA control to its 2022 equivalent (mostly mechanical via the official ISO mapping)
- Adding the 11 new controls and deciding applicability
- Re-running the risk assessment for the new controls; they exist because the risk landscape changed
- Updating policy and procedure documents to reference the new control numbers
- Briefing the management team on changes in scope and any newly-implemented controls
For most organisations the new controls weren't completely absent in 2013: threat intelligence, cloud security, monitoring, and secure coding were generally implemented under broader 2013 control wording. The 2022 update makes them explicit and auditable.
The Five Attributes Tagged on Each Annex A Control
The 2022 edition introduced a tagging system for Annex A controls. Each control carries five attribute tags:
- Control type: preventive / detective / corrective
- Information security properties: confidentiality / integrity / availability
- Cybersecurity concept: identify / protect / detect / respond / recover (NIST CSF alignment)
- Operational capabilities: governance / asset management / etc.
- Security domain: governance and ecosystem / protection / defence / resilience
The tags do not change requirements; they make the control set easier to filter and report against. For organisations that already align their security programme to NIST CSF, the tags simplify the cross-mapping.
Transition Pattern That Actually Works
Across the customer transitions we've run, the pattern that delivered cleanly within the 31 Oct 2025 deadline:
- Q1 of transition year: Gap analysis against 2022 controls, especially the 11 new ones
- Q2: Update policies, procedures, and the SoA to reference 2022 controls. Implement any genuinely new controls
- Q3: Internal audit against the updated ISMS. Management review with explicit transition decision
- Q4: Stage 1 / Stage 2 transition audit by the certification body
The transition audit can usually be combined with a regular surveillance audit, reducing the additional CB cost. Plan it 6-9 months ahead with the CB.
How Opsio Helps
Opsio runs ISO 27001:2022 transition programmes for customers carrying forward 2013-edition certificates and for first-time certifications under 2022. Our ISMS implementation service includes the full SoA mapping, design and implementation of the 11 new controls in cloud-native environments, and CB-aligned audit preparation. We tie the new 5.23 Cloud Services and 8.16 Monitoring controls into existing managed cloud security and ELK stack infrastructure rather than running parallel processes.
About the Author

Consultant Manager at Opsio
Six Sigma White Belt (AIGPE), Internal Auditor - Integrated Management System (ISO), Gold Medalist MBA, 8+ years in cloud and cybersecurity content
Editorial standards: This article was written by a certified practitioner and peer-reviewed by our engineering team. We update content quarterly to ensure technical accuracy. Opsio maintains editorial independence; we recommend solutions based on technical merit, not commercial relationships.