ISO 27001:2022 transition: what if you are still on the 2013 version?


Kees van der Vlies

Partner | IT Auditor


ISO 27001:2022 was published in October 2022 as the successor to ISO 27001:2013. The International Accreditation Forum (IAF) established a transition period that expired on 31 October 2025. After that date, certificates based on the 2013 version are no longer valid. Organizations that have not yet completed the transition must do so at their next audit.

This article covers the key changes, their impact on your ISMS, and how to approach the transition practically.

What changed in the 2022 version?

Changes exist at two levels: the main clauses (4 through 10) and Annex A (the controls). In the main clauses, the changes are limited but relevant. Clause 4.2 now explicitly requires identifying which requirements of interested parties will be addressed through the ISMS. Clause 6.3 is new and requires that changes to the ISMS are carried out in a planned manner. Clause 8.1 now requires establishing criteria for operational processes and controlling those processes according to those criteria.

The biggest change is in Annex A. The 114 controls from the 2013 version have been reorganized into 93 controls, divided across four themes instead of fourteen domains. The four themes are: organizational (37 controls), people (8 controls), physical (14 controls), and technological (34 controls). Eleven new controls have been added that address current threats and technologies.

The eleven new controls

The new controls reflect developments in information security since 2013. Threat intelligence (A.5.7) requires collecting and analyzing threat information. Information security for cloud services (A.5.23) addresses specific risks of cloud adoption. ICT readiness for business continuity (A.5.30) explicitly links information security with business continuity.

On the technological side, there are controls for configuration management (A.8.9), information deletion (A.8.10), data masking (A.8.11), data leakage prevention (A.8.12), monitoring activities (A.8.16), web filtering (A.8.23), and secure coding (A.8.28). On the physical side, physical security monitoring (A.7.4) has been added.

Impact on your Statement of Applicability

The Statement of Applicability (SoA) must be completely revised. The mapping from 114 to 93 controls is not one-to-one. Some old controls have been merged, others split, and eleven are entirely new. Each control must be reassessed for applicability and how you comply with it. This is typically the most labor-intensive step in the transition.

Approaching the transition audit

The transition can be performed as part of a regular surveillance or recertification audit, or as a separate transition audit. In either case, the certification body assesses whether your ISMS meets the 2022 requirements.

Start with a gap analysis: compare your current ISMS with the 2022 requirements. Focus on the eleven new controls and the modified clauses. For each new control, determine whether you already have measures in place that address it (often you do, just structured differently) or whether you need additional measures.

Then update your documentation: the ISMS policy, the SoA, the risk treatment plan, and operational procedures. Conduct an internal audit against the 2022 version to verify everything is in order before the external audit takes place.

Secure Audit helps organizations with the transition from ISO 27001:2013 to 2022 through gap analyses, documentation updates, and internal audits. Contact us for a transition assessment.
