Who should read this iso standards article?

This article is written for compliance professionals, CISOs, GRC managers, audit teams, and risk officers working in iso standards. It provides actionable insights relevant to organizations managing compliance programs.

How can I apply these iso standards insights?

Use our AI-powered compliance platform to map your requirements across 692 frameworks with 819,000+ control mappings. Start with a free account to explore relevant frameworks, run gap analyses, and build remediation plans.

ISO 27001:2022 — What Changed and What It Means for Your ISMS | The Art of Service

The 2022 revision of ISO 27001 restructured Annex A from 114 controls across 14 domains to 93 controls across 4 themes. We break down every change, the new controls added, and what organisations need to do to transition.

The Biggest Overhaul in a Decade

ISO/IEC 27001:2022 represents the most significant update to the information security management standard since 2013. While the core management system requirements in Clauses 4-10 received relatively minor updates, Annex A underwent a complete restructuring that every certified organisation needs to understand.

What Changed in the Main Body

The management system clauses saw targeted refinements rather than wholesale changes. Clause 4.2 now requires organisations to identify which interested party requirements will be addressed through the ISMS. Clause 6.2 adds a requirement to monitor information security objectives. Clause 6.3 is entirely new, requiring organisations to plan changes to the ISMS in a structured manner. Clause 8.1 extends operational planning to require criteria for security processes and their control.

The New Annex A Structure

The most visible change is the restructuring of Annex A controls. The previous 114 controls across 14 domains have been consolidated and reorganised into 93 controls across four themes:

Organisational controls (37): Policies, roles, responsibilities, asset management, access control, supplier relationships, and incident management
People controls (8): Screening, terms of employment, awareness training, disciplinary processes, and responsibilities after termination
Physical controls (14): Physical security perimeters, entry controls, equipment security, clear desk, and secure disposal
Technological controls (34): User endpoint devices, privileged access, authentication, cryptography, logging, and network security

11 New Controls

The 2022 revision introduces 11 entirely new controls that reflect the evolving threat landscape:

Threat intelligence (5.7): Collecting and analysing information about threats
Cloud services security (5.23): Managing security for cloud service usage
ICT readiness for business continuity (5.30): Ensuring ICT supports business continuity plans
Physical security monitoring (7.4): Surveillance and monitoring of premises
Configuration management (8.9): Managing security configurations across systems
Information deletion (8.10): Secure deletion when no longer required

ISO 27001:2022 — What Changed and What It Means for Your ISMS

The Biggest Overhaul in a Decade

What Changed in the Main Body

The New Annex A Structure

11 New Controls

Frequently Asked Questions

Explore this topic on our compliance platform

Put compliance intelligence to work

Transition Timeline

What This Means for You