ISO 27001:2022
ISO 27001:2022 is the international standard for Information Security Management Systems (ISMS), published by ISO/IEC. It provides a systematic approach to managing sensitive information through risk assessment, security controls, and continuous improvement. The 2022 revision restructured Annex A into 4 themes with 93 controls, replacing the previous 14 domains and 114 controls.
Overview
What is ISO 27001:2022?
ISO 27001:2022 is the globally recognised standard for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). Published jointly by the International Organization for Standardization and the International Electrotechnical Commission, it defines the requirements for systematically managing information security risks. Certification is awarded by accredited third-party auditors after a successful Stage 1 (documentation review) and Stage 2 (implementation audit).
What changed in ISO 27001:2022 compared to ISO 27001:2013?
The 2022 revision introduced significant structural and content changes. The main body (Clauses 4 to 10) received minor updates, including new requirements around understanding stakeholder needs and planning changes to the ISMS. The major overhaul was in Annex A, which was completely reorganised:
- 114 controls reduced to 93 through merging and consolidation
- 14 domains replaced by 4 themes: Organisational (37 controls), People (8 controls), Physical (14 controls), and Technological (34 controls)
- 11 new controls added, including Threat Intelligence (A.5.7), Information Security for Cloud Services (A.5.23), ICT Readiness for Business Continuity (A.5.30), and Data Masking (A.8.11)
- Each control now has attributes: control type, information security properties, cybersecurity concepts, operational capabilities, and security domains
Organisations certified to ISO 27001:2013 had until 31 October 2025 to transition. New certifications are issued exclusively against the 2022 edition.
What are the key clauses of ISO 27001?
The standard follows the Annex SL high-level structure shared by all ISO management system standards, making it straightforward to integrate with ISO 9001, ISO 22301, and ISO 27701. The mandatory clauses are:
- Clause 4 (Context of the Organisation): defines the scope of the ISMS and the needs of interested parties
- Clause 5 (Leadership): requires top management commitment, an information security policy, and defined roles and responsibilities
- Clause 6 (Planning): covers risk assessment methodology, risk treatment plans, and information security objectives
- Clause 7 (Support): addresses resources, competence, awareness, communication, and documented information
- Clause 8 (Operation): requires implementation of risk treatment plans and operational controls
- Clause 9 (Performance Evaluation): mandates monitoring, internal audits, and management reviews
- Clause 10 (Improvement): covers nonconformities, corrective actions, and continual improvement
How does ISO 27001 map to other frameworks?
ISO 27001 has the broadest mapping coverage of any framework in our database, with control-to-control mappings to 612 other standards. The most common mapping pairs include SOC 2 Trust Services Criteria, NIST Cybersecurity Framework 2.0, NIST SP 800-53, GDPR, and PCI DSS v4.0. Organisations pursuing multiple certifications can use these mappings to build a unified control set, reducing duplicate audit evidence and implementation effort by 40-60%.
How long does ISO 27001 certification take?
For a mid-sized organisation (100 to 500 employees) starting from scratch, expect 6 to 12 months to achieve certification. The timeline depends on existing security maturity, scope complexity, and resource availability. Key milestones include: gap assessment (weeks 1 to 4), risk assessment and treatment plan (weeks 4 to 10), control implementation (weeks 10 to 30), internal audit (weeks 30 to 34), management review (week 35), and certification audit (weeks 36 to 40). Organisations with existing SOC 2 or NIST CSF programmes can often compress this to 3 to 6 months.
Key Controls
| ID | Control |
|---|---|
| A.5.1 | Policies for Information Security |
| A.5.7 | Threat Intelligence |
| A.5.23 | Information Security for Cloud Services |
| A.6.1 | Screening |
| A.8.1 | User Endpoint Devices |
| A.8.9 | Configuration Management |
| A.8.11 | Data Masking |
| A.8.12 | Data Leakage Prevention |