ISO 27001:2022 — What Changed and What It Means for Your ISMS
The 2022 revision of ISO 27001 restructured Annex A from 114 controls across 14 domains to 93 controls across 4 themes. We break down every change, the new controls added, and what organisations need to do to transition.
The Biggest Overhaul in a Decade
ISO/IEC 27001:2022 is the first major revision of the information security management standard since ISO/IEC 27001:2013. The core management system requirements in Clauses 4 to 10 received relatively minor, targeted changes, but Annex A was completely restructured, and every certified organisation needs to understand what that means for its Statement of Applicability and risk treatment plan.
What Changed in the Main Body
The management system clauses saw targeted refinements rather than wholesale changes. Clause 4.2 now requires organisations to determine which of the interested parties' requirements will be addressed through the ISMS. Clause 6.2 adds requirements that information security objectives be monitored and be available as documented information. Clause 6.3 is entirely new: changes to the ISMS must be planned and carried out in a structured manner. Clause 8.1 now requires organisations to establish criteria for their security processes and to control those processes in accordance with the criteria. Clause 9.3 adds changes in the needs and expectations of interested parties as a required input to management review.
The New Annex A Structure
The most visible change is the restructuring of Annex A. The previous 114 controls across 14 domains have been consolidated and reorganised into 93 controls across four themes. The reduction comes mainly from merging overlapping controls rather than removing them: 57 of the 2013 controls were merged into 24, 11 controls are new, and the rest were carried over with updated wording. Control numbering now follows the theme (5.x, 6.x, 7.x, 8.x), matching ISO/IEC 27002:2022, and each control carries attributes (control type, information security properties, cybersecurity concepts, operational capabilities and security domains) that can be used to filter and map the control set.
- Organisational controls (37, numbered 5.1 to 5.37): Policies, roles, responsibilities, asset management, access control, supplier relationships, and incident management
- People controls (8, numbered 6.1 to 6.8): Screening, terms of employment, awareness training, disciplinary process, and responsibilities after termination or change of employment
- Physical controls (14, numbered 7.1 to 7.14): Physical security perimeters, entry controls, equipment security, clear desk and clear screen, and secure disposal
- Technological controls (34, numbered 8.1 to 8.34): User endpoint devices, privileged access, authentication, cryptography, logging, and network security
11 New Controls
The 2022 revision introduces 11 entirely new controls that reflect changes in the threat landscape and in how organisations operate. The complete list, using the control names from ISO/IEC 27002:2022, is:
- Threat intelligence (5.7): Collecting and analysing information about threats to produce actionable intelligence
- Information security for use of cloud services (5.23): Managing the acquisition, use, management and exit from cloud services
- ICT readiness for business continuity (5.30): Ensuring ICT can support the organisation's business continuity requirements
- Physical security monitoring (7.4): Continuous monitoring of premises for unauthorised physical access
- Configuration management (8.9): Establishing, documenting, implementing and monitoring secure configurations of hardware, software, services and networks
- Information deletion (8.10): Deleting information held in systems, devices or other storage media when it is no longer required
- Data masking (8.11): Masking data in line with access control and business requirements, for example pseudonymisation or anonymisation
- Data leakage prevention (8.12): Applying measures to systems, networks and devices that process, store or transmit sensitive information
- Monitoring activities (8.16): Monitoring networks, systems and applications for anomalous behaviour and taking appropriate action
- Web filtering (8.23): Managing access to external websites to reduce exposure to malicious content
- Secure coding (8.28): Applying secure coding principles to software development