top of page
  • Writer's pictureScott Naisbett

ISO/IEC 27001 - What are the main changes in 2022?

The new ISO/IEC 27001:2022 has been published on October 25, 2022. Some of the main new updates of ISO/IEC 27001:2022 include a major change of Annex A, minor updates of the clauses, and a change in the title of the standard.

The latest version of ISO/IEC 27002 has been published at the beginning of 2022, and its latest changes have also impacted ISO/IEC 27001.

The new changes of ISO/IEC 27001:2022

As the world is facing new evolving security challenges, the internationally recognized standard ISO/IEC 27001, which aims to protect the confidentiality, availability, and integrity of organisations’ information assets has been updated and its new more relevant, and up-to-date edition has been published.

Different from ISO/IEC 27001:2013, the new version’s complete title is ISO/IEC 27001:2022 Information Security, Cybersecurity and Privacy Protection.

The part that has gone under the most significant changes is Annex A of ISO/IEC 27001 which is aligned with the ISO/IEC 27002:2022 updates, published earlier this year.

As for other parts, clauses 4 to 10 have undergone several minor changes, especially in clauses 4.2, 6.2, 6.3, and 8.1 where additional new content has been added. Other updates include minor changes in the terminology and restructuring of sentences and clauses. However, the title and order of these clauses remain the same:

Clause 4 Context of the organization

Clause 5 Leadership

Clause 6 Planning

Clause 7 Support

Clause 8 Operation

Clause 9 Performance evaluation

Clause 10 Improvement

What are the main control changes in Annex A?

Annex A of ISO/IEC 27001:2022 contains changes in both, the number of controls, and their listing in groups. The title of this Annex has also changed from Reference control objectives and controls to Information security controls reference. Therefore, the reference objectives of each control group that were present in the previous version of the standard, now have been removed.

The number of Annex A controls has decreased from 114 to 93. The decrease in the number of controls has mostly come from merging many of them. 35 controls have remained the same, 23 controls were renamed, 57 controls were merged into 24 controls, and one control has been divided into two. The 93 controls have been restructured to four control groups or sections.

The new control groups of ISO/IEC 27001:2022 are:

  1. A.5 Organizational controls - contains 37 controls

  2. A.6 People controls - contains 8 controls

  3. A.7 Physical controls - contains 14 controls

  4. A.8 Technological controls - contains 34 controls

ISO/IEC 27001:2022 has also added the below-mentioned 11 new controls to its Annex A:

  1. Threat intelligence

  2. Information security for the use of cloud services

  3. ICT readiness for business continuity

  4. Physical security monitoring

  5. Configuration management

  6. Information deletion

  7. Data masking

  8. Data leakage prevention

  9. Monitoring activities

  10. Web filtering

  11. Secure coding

Will ISO/IEC 27001:2022 changes affect my current ISO/IEC 27001 certificate?

The new updates do not impact your existing certification against the ISO 27001 standard. Instead, the accreditation bodies will jointly work with the certification companies on a transition period to allow organisations with ISO 27001 certification to shift to the newer version efficiently.

Still, even now that the updated version of ISO 27001 has been released, your Statement of Applicability (SoA) should refer to the controls contained in Annex A of ISO 27001:2013. ISO 27002:2022 should only be used as a reference to other controls and as guidance to understand the changes.

Planning to certify to ISO 27001? Should you wait until the certification bodies can certify to the new version?

No! Even though the new 2022 version is published, you shouldn’t wait to certify. Waiting for the ability to get certified against the new standards will likely leave your organisation at a greater risk.

The transition timeline is set to be 3 years. Current 2013-certificates therefore need to be transitioned to the new version before November 2025.

If you wish to discuss your information security requirements, you can contact our ISMS Lead Implementer Scott Naisbett -


bottom of page