
ISO 27001:2022 - What Changed and Why

6 min read · 27kay

The short version - a restructure, not a revolution

ISO 27001:2022 replaced the 2013 version with a moderate but meaningful update. The management system clauses (4-10) received minor refinements. The real change is in Annex A, which was completely restructured to align with ISO 27002:2022. The previous 114 controls across 14 domains became 93 controls across four themes. If you are implementing ISO 27001 today, the 2022 version is the only one that matters - the transition deadline passed in October 2025.

What changed in the management system clauses

The core ISMS requirements in Clauses 4 through 10 remain fundamentally the same. The changes are incremental, mostly aligning ISO 27001 with the Harmonized Structure used across all ISO management system standards. The significant updates:

Clause 4.2 now requires organizations to analyze which interested party requirements will be addressed through the ISMS - not just identify interested parties, but explicitly decide what you are going to do about their needs.

Clause 4.4 explicitly references the processes needed within the ISMS, including their interactions. This was always implied, but the 2022 version makes it a stated requirement.

Clause 6.3 is entirely new. It requires that changes to the ISMS are planned - you cannot just modify your management system ad hoc. Any significant change needs a defined approach.

Clause 8.1 now requires organizations to establish criteria for processes and implement control of those processes. This strengthens the operational planning requirements.

Clause 9.3 adds that management review should consider changes to the needs and expectations of interested parties - linking back to the expanded Clause 4.2.

Clause 10 reorders its subclauses - continual improvement now comes first (10.1), followed by nonconformity and corrective action (10.2). A small change in structure, but it signals the standard’s emphasis on improvement as the primary objective.

The new Annex A structure

This is where the real change happened. The old Annex A had 114 controls spread across 14 domains (A.5 through A.18). The 2022 version consolidates these into 93 controls across four themes:

Theme                 | Controls    | What it covers
----------------------|-------------|---------------------------------------------------------------------
Organizational (A.5)  | 37 controls | Policies, roles, asset management, supplier relationships, compliance
People (A.6)          | 8 controls  | Screening, terms of employment, awareness, disciplinary process
Physical (A.7)        | 14 controls | Secure areas, equipment, clear desk, physical media
Technological (A.8)   | 34 controls | Access management, cryptography, operations security, network security

The restructuring merged overlapping controls (57 controls combined), renamed others for clarity (23 renamed), and removed 3 that were redundant. The net result is a cleaner, more logical structure that is easier to navigate and implement.

For organizations writing a Statement of Applicability, the new structure means fewer line items to justify, but each control tends to be broader in scope.

The 11 new controls

The 2022 version introduced 11 controls that reflect how information security has evolved since 2013. These address areas that were either missing or only partially covered:

A.5.7 - Threat intelligence. Requires gathering and analyzing information about threats relevant to your organization. This is not about buying expensive threat feeds - for a small company, it might mean monitoring CERT advisories, vendor security bulletins, and industry threat reports relevant to your technology stack.

A.5.23 - Information security for cloud services. Establishes requirements for acquiring, using, managing, and exiting cloud services. Given that most organizations now depend heavily on cloud infrastructure, this formalizes what was already necessary practice.

A.5.30 - ICT readiness for business continuity. Requires that ICT systems can be recovered and restored when disruptions occur. This bridges ISO 27001 and ISO 22301 by making ICT recovery planning an explicit security control.

A.7.4 - Physical security monitoring. Requires monitoring of sensitive physical areas to detect unauthorized access. This means CCTV, access logs, or intrusion detection for server rooms and secure areas.

A.8.9 - Configuration management. Requires that configurations of hardware, software, services, and networks are established, documented, implemented, monitored, and reviewed. This was always good practice but is now an explicit control.

A.8.10 - Information deletion. Requires that information stored in systems, devices, or media is deleted when no longer required. This supports GDPR data minimization requirements and reduces the risk surface.

A.8.11 - Data masking. Requires the use of data masking in accordance with access control policies and business requirements. Particularly relevant for development and testing environments where production data should not be used in its original form.

A.8.12 - Data leakage prevention. Requires measures to prevent unauthorized disclosure of information from systems, networks, and devices. DLP tools, email gateway rules, and USB restrictions all fall under this control.

A.8.16 - Monitoring activities. Requires that networks, systems, and applications are monitored for anomalous behavior and appropriate actions taken. This formalizes security monitoring and SIEM requirements.

A.8.23 - Web filtering. Requires managing access to external websites to reduce exposure to malicious content. This covers URL filtering, category blocking, and protection against drive-by downloads.

A.8.28 - Secure coding. Requires that secure coding principles are established and applied in software development. For organizations that develop software, this means defined secure coding standards, code review processes, and vulnerability testing.

What this means in practice

If you are implementing ISO 27001 for the first time, you work directly with the 2022 version. The implementation process is the same - scope your ISMS, run your risk assessment, select controls, build documentation, audit, and certify.

If you transitioned from the 2013 version, the main practical changes were:

  • Remapping your Statement of Applicability from the old 114-control structure to the new 93-control structure
  • Addressing the 11 new controls - conducting risk assessments for threat intelligence, cloud security, DLP, and the other new areas
  • Updating documentation to reference the new control numbering and themes
  • Training internal auditors on the new structure so they audit against the correct controls

The management system clause changes required minimal effort for most organizations - mainly updating ISMS documentation to reflect the expanded Clause 4.2 requirements and adding planned change processes for Clause 6.3.

How 27kay can help

We implement ISO 27001 exclusively on the 2022 version. For organizations building an ISMS from scratch, we structure the entire program around the four-theme Annex A from day one. For those who transitioned from 2013, we can review your updated Statement of Applicability and ensure the new controls are properly addressed.

Questions about the 2022 requirements? Let’s talk - we are happy to walk through what the changes mean for your specific organization and ISMS scope.