The international standard for information security management, ISO/IEC 27001, received a significant update in October 2022.

If your organisation is certified to ISO 27001:2013, you're likely wondering what's changed and what you need to do next.

This isn't a complete overhaul but a strategic evolution. The core principles remain intact, but the 2022 version introduces crucial refinements to address today's complex cyber threat landscape.

In this guide, we’ll demystify the differences between ISO 27001:2013 and ISO 27001:2022, focusing on the updated Annex A controls and what your transition plan should look like.

Key Differences at a Glance


Feature             | ISO 27001:2013               | ISO 27001:2022
Number of controls  | 114 controls in 14 clauses   | 93 controls in 4 themes
Control structure   | Clustered by security domain | Grouped by purpose and outcome
Modern threats      | Less explicitly addressed    | Explicitly covers cloud, AI, and threat intelligence
Focus               | Broad information security   | Organisational context and outcomes

Breaking Down the Major Changes in ISO 27001:2022

1. A Restructured and Consolidated Annex A

The most noticeable change is in Annex A, the list of information security controls.

2013: 114 controls were organised into 14 categories (A.5 to A.18).

2022: These have been consolidated into 93 controls, grouped into just 4 logical themes:

Organisational (37 controls)

People (8 controls)

Physical (14 controls)

Technological (34 controls)

This new structure is less technical and more strategic, making it easier to align controls with business outcomes and present them to management.

2. Introduction of 11 New Controls

The 2022 update introduces 11 new controls to address modern security challenges. The practices behind them were often already in place under broader 2013 controls, but they are now called out as discrete controls in their own right, which means each one must be formally assessed and, where applicable, implemented.

Key new controls include:

A.5.7 Threat Intelligence: Collecting and analysing information on cyber threats.

A.5.23 Information Security for Use of Cloud Services: Formalising security practices for cloud providers (crucial for SaaS companies).

A.5.30 ICT Readiness for Business Continuity: Aligning IT disaster recovery with business continuity plans.

A.7.4 Physical Security Monitoring: Monitoring sensitive areas with cameras, sensors, etc.

A.8.10 Information Deletion: Ensuring data is securely deleted when no longer needed.

A.8.11 Data Masking: Hiding sensitive data within systems (e.g., in test environments).

A.8.12 Data Leakage Prevention: Implementing measures to prevent data exfiltration.

A.8.16 Monitoring Activities: Continuously monitoring networks and systems for anomalies.

A.8.23 Web Filtering: Restricting access to malicious websites.

A.8.28 Secure Coding: Integrating security principles into the software development lifecycle.

3. Clearer Attributes for Each Control

Every control in Annex A now comes with a set of attributes (like tags) that allow for better filtering and management. The five attribute types are:

Control type (Preventive, Detective, Corrective)

Information security properties (Confidentiality, Integrity, Availability)

Cybersecurity concepts (Identify, Protect, Detect, Respond, Recover)

Operational capabilities (Governance, Asset Management, etc.)

Security domains (Physical, Network, Application, etc.)

This makes it easier to map controls to frameworks like NIST CSF and track them in GRC platforms.

4. Enhanced Terminology and Concepts

The standard's language has been updated throughout for clarity and alignment with other ISO management system standards (like ISO 9001 and ISO 22301). Key terms like "interested parties" and "processes" are now more consistently applied.

What Hasn't Changed? The Core Remains

It's important to note that the fundamental principles and requirements of the ISMS (Information Security Management System) are unchanged.

The High-Level Structure (HLS) - the core clauses 4 to 10 - remains the same. You still need to establish context, demonstrate leadership, plan, provide support, run your operation, evaluate performance, and drive improvement.

The risk-based approach is still the heart of the standard.

The Plan-Do-Check-Act (PDCA) cycle still underpins the ISMS.

The certification process remains unchanged.

Your Action Plan: Transitioning from 2013 to 2022

If you are currently certified to ISO 27001:2013, you have a three-year transition period. This means all certifications must migrate to the 2022 version by October 31, 2025.

Here’s your step-by-step plan:

Gap Analysis: Conduct a thorough review of your current ISMS against the new 2022 requirements. Identify where you already meet new controls and where gaps exist (especially for the 11 new ones).

Update Your Risk Assessment: Re-run your risk assessment, considering the new threat landscapes addressed by the new controls (e.g., cloud security, data leakage).

Revise Key Documents: Update your Statement of Applicability (SoA) to reflect the new control structure and justify inclusions/exclusions. You will also need to update your Risk Treatment Plan and other relevant policies and procedures.

Implement New Controls: Address the gaps identified, implementing the necessary processes and technologies for any new controls you've deemed applicable.

Train Your Team: Ensure all relevant personnel (especially internal auditors) understand the changes in the new standard.

Schedule Your Audit: Contact your certification body to schedule your transition audit well before the October 2025 deadline.
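The following is an added example written for this article, not code from the page, from ISO, or from any GRC product. It shows, in one small Python tool, the two mechanical parts of the transition described above: tagging each Annex A control with the five attribute types from section 3 so controls can be filtered and cross-walked to the NIST CSF functions, and running a gap analysis and Statement of Applicability check for the action-plan steps. The control ids and titles are the new controls named in the article; the attribute values attached to them, the implemented-control set and the SoA decisions are constructed sample data, and the function names (`filter_controls`, `map_to_nist_csf`, `gap_analysis`, `statement_of_applicability`) are hypothetical.

```python
"""Annex A control register with the five ISO 27001:2022 attribute types.

Added example for this article: not code from the page, from ISO, or from any
GRC product. The control ids and titles are the new controls named in the
article; the attribute values attached to each control are CONSTRUCTED sample
values for illustration and must be checked against the attribute tables in
ISO/IEC 27002:2022 before real use.
"""
from dataclasses import dataclass

ATTRIBUTE_TYPES = ("control_type", "properties", "concepts", "capabilities", "domains")
CSF_FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")


@dataclass(frozen=True)
class Control:
    control_id: str
    title: str
    theme: str               # Organisational / People / Physical / Technological
    control_type: frozenset  # Preventive / Detective / Corrective
    properties: frozenset    # Confidentiality / Integrity / Availability
    concepts: frozenset      # Identify / Protect / Detect / Respond / Recover
    capabilities: frozenset  # e.g. Governance, Asset management, ...
    domains: frozenset       # e.g. Protection, Defence, ...


def _ctl(cid, title, theme, ctype, props, concepts, caps, domains):
    return Control(cid, title, theme, frozenset(ctype), frozenset(props),
                   frozenset(concepts), frozenset(caps), frozenset(domains))


CIA = {"Confidentiality", "Integrity", "Availability"}

# Constructed sample register (attribute values are illustrative assumptions).
REGISTER = [
    _ctl("A.5.7", "Threat intelligence", "Organisational",
         {"Preventive", "Detective", "Corrective"}, CIA, {"Identify", "Detect", "Respond"},
         {"Threat and vulnerability management"}, {"Defence", "Resilience"}),
    _ctl("A.5.23", "Information security for use of cloud services", "Organisational",
         {"Preventive"}, CIA, {"Protect"}, {"Supplier relationships security"},
         {"Governance and ecosystem", "Protection"}),
    _ctl("A.7.4", "Physical security monitoring", "Physical",
         {"Preventive", "Detective"}, CIA, {"Protect", "Detect"}, {"Physical security"},
         {"Protection", "Defence"}),
    _ctl("A.8.10", "Information deletion", "Technological",
         {"Preventive"}, {"Confidentiality"}, {"Protect"}, {"Information protection"},
         {"Protection"}),
    _ctl("A.8.12", "Data leakage prevention", "Technological",
         {"Preventive", "Detective"}, {"Confidentiality"}, {"Protect", "Detect"},
         {"Information protection"}, {"Protection", "Defence"}),
    _ctl("A.8.16", "Monitoring activities", "Technological",
         {"Detective", "Corrective"}, CIA, {"Detect", "Respond"},
         {"Information security event management"}, {"Defence"}),
    _ctl("A.8.28", "Secure coding", "Technological",
         {"Preventive"}, CIA, {"Protect"},
         {"Application security", "System and network security"}, {"Protection"}),
]


def filter_controls(register, **criteria):
    """Controls carrying every requested attribute value, in register order,
    e.g. filter_controls(REGISTER, control_type="Detective", concepts="Detect")."""
    unknown = set(criteria) - set(ATTRIBUTE_TYPES)
    if unknown:
        raise ValueError(f"unknown attribute type(s): {sorted(unknown)}")
    return [ctl for ctl in register
            if all(value in getattr(ctl, attr) for attr, value in criteria.items())]


def map_to_nist_csf(register):
    """Group control ids by the 'cybersecurity concept' attribute. Its values are
    the five NIST CSF core functions, which is what makes the cross-walk mechanical."""
    out = {fn: [] for fn in CSF_FUNCTIONS}
    for ctl in register:
        for fn in ctl.concepts:
            out[fn].append(ctl.control_id)
    return out


def gap_analysis(register, implemented_ids):
    """Split the register into controls the existing ISMS already covers and
    controls that still need a decision (the transition gap list)."""
    implemented = set(implemented_ids)
    covered = [c.control_id for c in register if c.control_id in implemented]
    gaps = [c.control_id for c in register if c.control_id not in implemented]
    return covered, gaps


def statement_of_applicability(register, decisions):
    """Build SoA rows from decisions {control_id: (applicable, justification)}.
    Every control needs an explicit, justified include/exclude decision; a
    missing or empty entry is reported as an error rather than silently skipped."""
    missing = [c.control_id for c in register if c.control_id not in decisions]
    if missing:
        raise ValueError("SoA incomplete, no decision for: " + ", ".join(missing))
    rows = []
    for ctl in register:
        applicable, justification = decisions[ctl.control_id]
        if not justification.strip():
            raise ValueError(f"{ctl.control_id}: justification required")
        rows.append({"id": ctl.control_id, "title": ctl.title, "theme": ctl.theme,
                     "applicable": bool(applicable), "justification": justification})
    return rows


if __name__ == "__main__":
    for ctl in filter_controls(REGISTER, control_type="Detective"):
        print(ctl.control_id, ctl.title)
    print(map_to_nist_csf(REGISTER))
    print(gap_analysis(REGISTER, {"A.5.23", "A.8.16", "A.8.28"}))
```

The point of the attribute model is that every question an auditor or a GRC platform asks ("which detective controls support the NIST CSF Detect function?", "which new controls have no SoA decision yet?") becomes a set-membership query rather than a manual read of the standard; the SoA builder deliberately fails on a missing or empty justification because an SoA that silently omits a control is the most common transition-audit finding to guard against.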


Conclusion

The shift from ISO 27001:2013 to ISO 27001:2022 is a necessary and welcome evolution. It doesn't invalidate your previous work but enhances it, providing a more streamlined, relevant, and business-focused framework for managing information security in a digital-first world.

While the changes are logical, manually managing the transition—from remapping controls and updating your Statement of Applicability (SoA) to implementing new requirements—can be a complex and resource-intensive task. This is where a dedicated GRC platform like SnapGRC becomes a powerful ally.

SnapGRC is designed to simplify this exact process. Its dynamic framework can instantly map your existing 2013 controls to the new 2022 structure, automatically generate an updated SoA, and provide a clear gap analysis to highlight where you need to focus your efforts. By automating the heavy lifting, SnapGRC allows your team to concentrate on what truly matters: implementing robust security measures and strengthening your organisation's defense against the cyber threats of today and tomorrow.

Embracing the new standard is not just about maintaining compliance; it's about proactive improvement. With the right strategy and tools, your transition to ISO 27001:2022 can be a smooth and strategic step forward for your entire organisation.