The international standard for information security management received a significant update in October 2022. If your organisation is still working from the 2013 version — or you're starting ISO 27001 for the first time — this guide explains what changed, what it means in practice, and what you need to do.
Important note on transition: The three-year transition period ended on 31 October 2025. All ISO 27001 certifications are now issued against the 2022 version only. If you were certified to 2013 and haven't transitioned, your certificate will no longer be valid. Contact your certification body to discuss your options.
At a Glance: The Key Differences
| Feature | ISO 27001:2013 | ISO 27001:2022 |
|---|---|---|
| Number of controls | 114 controls | 93 controls |
| Control categories | 14 domains (A.5–A.18) | 4 themes (Organisational, People, Physical, Technological) |
| New controls | — | 11 new controls added |
| Modern threats | Limited coverage | Explicitly covers cloud, threat intelligence, data leakage |
| Core ISMS structure | Clauses 4–10 | Unchanged |
| Certification process | Third-party audit | Unchanged |
The core of the standard — the ISMS requirements in Clauses 4 to 10, the risk-based approach, and the Plan-Do-Check-Act cycle — is unchanged. The main differences are in Annex A.
What Changed in Annex A
Controls Consolidated from 114 to 93
The 114 controls across 14 domains have been reorganised into 93 controls across 4 themes. This isn't just cosmetic — many controls were merged, some were split, and 11 are genuinely new.
The four themes are:
- Organisational (37 controls) — policies, roles, responsibilities, supplier relationships, incident management
- People (8 controls) — screening, terms of employment, awareness, training, disciplinary process
- Physical (14 controls) — physical security perimeters, equipment, clear desk/screen, supporting utilities
- Technological (34 controls) — access control, cryptography, vulnerability management, secure coding, monitoring
What Happened to the Old Controls
| 2013 Status | Count |
|---|---|
| Unchanged and carried forward | 24 |
| Merged into other controls | 57 |
| Renamed or updated | 11 |
| Split into multiple controls | 1 |
| New in 2022 | 11 |
| Total 2022 controls | 93 |
No controls were deleted outright — the 57 that were "merged" still exist as concepts within the consolidated controls.
The 11 New Controls
These are the controls that didn't exist as standalone requirements in 2013. If you were certified to 2013, these are the primary gaps to assess:
| Control | Title | What it requires |
|---|---|---|
| A.5.7 | Threat intelligence | Collecting and analysing information about cyber threats relevant to your organisation |
| A.5.23 | Information security for use of cloud services | Formal security requirements for acquiring, using, and managing cloud services |
| A.5.30 | ICT readiness for business continuity | Ensuring IT systems can support business continuity requirements |
| A.6.8 | Information security event reporting | Clear processes for staff to report security events |
| A.7.4 | Physical security monitoring | Monitoring of sensitive physical areas |
| A.8.9 | Configuration management | Managing secure configurations for hardware, software, and networks |
| A.8.10 | Information deletion | Secure deletion of data when no longer required |
| A.8.11 | Data masking | Masking sensitive data in systems, particularly test environments |
| A.8.12 | Data leakage prevention | Controls to prevent unauthorised data exfiltration |
| A.8.16 | Monitoring activities | Continuous monitoring of networks and systems for anomalies |
| A.8.23 | Web filtering | Restricting access to malicious or inappropriate websites |
| A.8.28 | Secure coding | Applying security principles throughout the software development lifecycle |
For most SMBs, the highest-effort new controls are A.5.7 (threat intelligence), A.5.23 (cloud security), and A.8.28 (secure coding) — these typically require new processes rather than just documentation updates.
What Hasn't Changed
It's worth being clear on this because the transition sounds more daunting than it is for most organisations. The following are unchanged:
- Clauses 4–10 — the core ISMS requirements around context, leadership, planning, support, operations, performance evaluation, and improvement
- The risk-based approach — you still identify risks, assess them, and select controls to treat them
- The Statement of Applicability (SoA) — still required, though it needs updating to reflect the new control structure
- The certification process — still a third-party audit by an accredited certification body
- Surveillance audits — still annual, still required to maintain certification
Transition: What You Actually Need to Do
If you were certified to 2013 and haven't yet transitioned, speak to your certification body as your first step — the transition window has closed and your situation will depend on your last audit date and your certification body's approach.
For organisations currently pursuing ISO 27001 for the first time, you're implementing 2022 from the start — there's no transition to worry about.
For organisations mid-transition or planning their ISMS, here's the practical checklist:
1. Run a gap analysis against the 11 new controls. Assess each new control against your current practices. Some you may already satisfy informally — document the evidence. Others will require new processes or technologies.
2. Update your Statement of Applicability. Your SoA needs to reference the 2022 control numbers and structure. Every control needs a justified inclusion or exclusion decision.
3. Remap your existing controls. If you have existing control documentation referencing 2013 Annex A numbers, update them to 2022 references. This is mostly administrative but needs to be done before your transition audit.
4. Update your risk treatment plan. Re-run or review your risk assessment to ensure the new controls are considered where relevant threats exist.
5. Update internal audit procedures. Your internal auditors need to be auditing against 2022 requirements. Update audit checklists and schedules accordingly.
6. Brief key stakeholders. Management review, control owners, and internal auditors all need to understand the changes — particularly the 11 new controls and their responsibilities.
Common Mistakes During Transition
Treating it as a complete rebuild. Most of your 2013 ISMS is still valid. This is an update, not a replacement. Focus your effort on the gaps.
Updating documentation without implementing controls. The 11 new controls need to be genuinely implemented, not just added to your SoA. Auditors will look for evidence of operation.
Leaving the SoA update too late. The SoA is one of the first documents your auditor will review. Get it updated early.
Not involving control owners. Changes to controls like threat intelligence (A.5.7) and secure coding (A.8.28) affect IT and development teams directly. Don't let compliance handle it in isolation.
Managing the Transition with a GRC Platform
The most time-consuming part of transitioning is remapping your existing controls from the 2013 structure to 2022 — updating your SoA, cross-referencing old and new control numbers, and identifying genuine gaps versus administrative renames.
SnapGRC pre-maps controls to ISO 27001:2022 out of the box, so your compliance status automatically reflects the current standard. If you're transitioning from a spreadsheet-based ISMS, it's a good time to move to a platform that won't need manual updating every time a standard changes.