ISO 27001:2022 — What Changed and What It Means for Your ISMS
The 2022 revision of ISO 27001 restructured Annex A from 114 controls across 14 domains to 93 controls across four themes. We summarise the changes to the management system clauses, the restructuring of Annex A, the 11 new controls, and what certified organisations need to do to transition.
The Biggest Overhaul in a Decade
ISO/IEC 27001:2022 represents the most significant update to the information security management standard since 2013. While the core management system requirements in Clauses 4-10 received relatively minor updates, Annex A underwent a complete restructuring that every certified organisation needs to understand.
What Changed in the Main Body
The management system clauses saw targeted refinements rather than wholesale changes. Clause 4.2 now requires organisations to determine which interested party requirements will be addressed through the ISMS. Clause 6.2 adds requirements that information security objectives be monitored and be available as documented information. Clause 6.3 is entirely new, requiring that changes to the ISMS be planned. Clause 8.1 extends operational planning to require criteria for ISMS processes and control of those processes against those criteria, and broadens the earlier wording on outsourced processes to "externally provided processes, products or services". Clause 9.3 adds changes in the needs and expectations of interested parties as a management review input, and the two sub-clauses of Clause 10 were reordered so that continual improvement (10.1) now precedes nonconformity and corrective action (10.2).
The New Annex A Structure
The most visible change is the restructuring of Annex A controls. The previous 114 controls across 14 domains have been consolidated and reorganised into 93 controls across four themes. No control was dropped: 57 of the 2013 controls were merged into 24, 11 are new, and the remainder carry over with renumbering and updated wording. The control text and guidance live in ISO/IEC 27002:2022, which also introduces five attributes per control (control type, information security properties, cybersecurity concepts, operational capabilities, security domains) and provides a mapping between the 2013 and 2022 control sets in its Annex B. The four themes are:
- Organisational controls (37): Policies, roles, responsibilities, asset management, access control, supplier relationships, and incident management
- People controls (8): Screening, terms of employment, awareness training, disciplinary processes, and responsibilities after termination
- Physical controls (14): Physical security perimeters, entry controls, equipment security, clear desk, and secure disposal
- Technological controls (34): User endpoint devices, privileged access, authentication, cryptography, logging, and network security
11 New Controls
The 2022 revision introduces 11 entirely new controls that reflect the evolving threat landscape:
- Threat intelligence (5.7): Collecting and analysing information about threats
- Information security for use of cloud services (5.23): Acquiring, using, managing and exiting cloud services securely
- ICT readiness for business continuity (5.30): Ensuring ICT supports business continuity plans
- Physical security monitoring (7.4): Surveillance and monitoring of premises
- Configuration management (8.9): Managing security configurations across systems
- Information deletion (8.10): Secure deletion when no longer required
- Data masking (8.11): Masking personal and sensitive data
- Data leakage prevention (8.12): Controls to prevent unauthorised data exfiltration
- Monitoring activities (8.16): Monitoring networks, systems, and applications for anomalous behaviour
- Web filtering (8.23): Managing access to external websites
- Secure coding (8.28): Applying secure coding principles in software development
Transition Timeline
Organisations certified to ISO 27001:2013 have until 31 October 2025 to transition to the 2022 revision (the three-year period set by IAF MD 26); 2013 certificates that have not transitioned by then cease to be valid. Since 30 April 2024, certification bodies have been required to conduct all initial certification and recertification audits against the 2022 edition. Transition can take place at a surveillance or recertification audit, or as a dedicated transition audit. In practice it requires a gap assessment against the new Annex A controls, an update of the risk assessment and risk treatment plan where the new controls are relevant, a Statement of Applicability rewritten to reference the 2022 Annex A numbering (with justification for any exclusions), implementation of any applicable new controls, and internal audit and management review evidence covering the updated ISMS before the transition audit.
What This Means for You
The restructuring is more than cosmetic. The new controls around threat intelligence, cloud security, configuration management, and data leakage prevention reflect the reality of modern security operations. Organisations that treat this as a tick-box exercise will miss the opportunity to genuinely improve their security posture. Start with a thorough gap assessment: the new controls may already be partially addressed by existing practices, and the Annex B mapping in ISO/IEC 27002:2022 shows where each 2013 control has been merged or renumbered.