ISO 27001:2022 update

Security | 6 min read

Kees van der Vlies

Partner | IT Auditor


ISO 27001:2022 is the most recent version of the globally recognised standard for information security. The update introduced significant changes that organisations with existing certificates must implement.

The most noticeable change is the restructuring of Annex A. The old 14 domains with 114 controls have been replaced by 4 themes with 93 controls: Organisational (37), People (8), Physical (14) and Technological (34). This reorganisation brings a more logical grouping of related controls, which simplifies implementation and maintenance. In addition, 11 entirely new controls have been added.

The new controls include Threat Intelligence, which requires organisations to actively collect, analyse and use information about threats to improve their security measures. Data Masking and Information Security for Use of Cloud Services are also new, reflecting the modernisation of the standard.

Cloud computing has become more prominent in the 2022 version. The standard recognises that many organisations are migrating their IT infrastructure to the cloud and sets specific requirements for how the use of cloud services is set up and managed securely. This includes requirements for data segregation, encryption and access management in cloud environments.

Another important addition is the control around Data Leakage Prevention (DLP). Organisations must take measures to detect and prevent the unauthorised outflow of information. In an era of remote working and BYOD policies, this is an essential addition.

Monitoring activities have been strengthened. The 2022 version emphasises the importance of continuous monitoring of networks, systems and applications. Organisations must demonstrate that they detect anomalous behaviour and potential incidents at an early stage, rather than only analysing them after the fact.

The transition period to ISO 27001:2022 ran until 31 October 2025. Organisations with existing certificates had to transition before that date. New certifications are carried out exclusively against the 2022 version.

Does your organisation hold ISO 27001 certification or are you considering certification? We help you implement the 2022 requirements and prepare you for the certification audit. The certification itself is carried out by an accredited body such as DigiTrust (www.digitrust.nl). Get in touch.
