If your organization is preparing for ISO 27001 certification for the first time or needs to transition from the 2013 version by the October 31, 2025 deadline, understanding the latest version of the standard, ISO 27001:2022, is essential.

The 2022 update to ISO/IEC 27001 brought important changes to both its core requirements and controls, with a complete overhaul of the control structure based on the updated companion guidance standard ISO 27002:2022.

In this guide, we’ll break down the major updates to ISO 27001:2022 and ISO 27002:2022 and provide actionable tips to help you prepare for ISO 27001:2022 certification with confidence.

ISO/IEC 27001:2022 release date

The ISO/IEC 27001:2022 standard was officially released on October 25, 2022. ISO/IEC 27002:2022, the supporting control implementation guide, was released earlier on February 15, 2022.

While organizations pursuing ISO 27001 for the first time had to be certified on the 2022 version starting April 2024, organizations currently certified to ISO 27001:2013 have until October 31, 2025 to complete their transition to the latest version.

With this October deadline to transition to ISO 27001:2022 fast approaching, understanding these updates is more important than ever. Whether you’re newly pursuing certification or working to update your information security management system (ISMS), the changes to ISO 27001 and ISO 27002 will shape how you manage information security risks in 2025 and beyond. We’ll cover these major updates below. 

Want to read the official ISO/IEC 27001:2022 PDF? Access it via the ISO website here. Note: This is a paid publication.

What’s new in ISO 27001:2022 and ISO 27002:2022?

In 2022, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) released updated versions of two foundational standards in the ISO 27000 series:

• ISO/IEC 27001:2022 – The standard that sets out the requirements for an ISMS (Clauses 4-10) and controls to meet them (Annex A)
• ISO/IEC 27002:2022 – The reference guide that provides implementation guidance for the controls listed in Annex A of ISO 27001

You can think of ISO/IEC 27001 as the “what” and ISO/IEC 27002 as the “how” of compliance.   

Since the changes in ISO 27001:2022 Annex A are a direct result of the structural overhaul of the control set in ISO 27002:2022, it’s essential to understand the updates to each if you want to implement and get certified for ISO 27001:2022. We’ll cover these updates below. 

Reduced number of Annex A controls 

One of the most noticeable changes to ISO 27001:2022 Annex A and ISO 27002:2022 is that the total number of controls was reduced from 114 to 93. 

This might sound like some controls from the 2013 versions were removed, but that’s not the case. Here's what actually happened:

• 57 were simply merged into 24 controls
• 11 controls were added
• 1 was split
• 58 controls remain mostly unchanged, with minor contextual updates

It can be confusing at first: fewer controls, but 11 new ones? The table below shows how 2013 controls were consolidated in the 2022 versions of ISO 27001 Annex A and ISO 27002 for clarity and modernization.

11 new controls added to Annex A

Some controls are brand new in the 2022 version, meaning they are not found in either ISO/IEC 27001:2013 Annex A or ISO 27002:2013. 

The 11 new controls in ISO 27001:2022 Annex A are:

• A.5.7 Threat intelligence  
• A.5.23 Information security for use of cloud services 
• A.5.30 ICT readiness for business continuity 
• A.7.4 Physical security monitoring  
• A.8.9 Configuration management  
• A.8.10 Information deletion  
• A.8.11 Data masking  
• A.8.12 Data leakage prevention  
• A.8.16 Monitoring activities  
• A.8.23 Web filtering  
• A.8.28 Secure coding 

Reduced Annex A control domains

In the previous versions of ISO 27001:2013 Annex A and ISO 27002:2013, controls were divided into 14 domains. In the 2022 versions, these were consolidated and reorganized into 4 clauses referred to as themes. These are: 

• Clause 5: Organizational Controls (37 controls)
• Clause 6: People Controls (8 controls)
• Clause 7: Physical Controls (14 controls)
• Clause 8: Technological Controls (34 controls)

Introduced attributes for Annex A controls

ISO 27002:2022 introduced a simpler taxonomy for ISO 27001:2022 Annex A controls. However, the four categories mentioned above are such broad descriptors that it can be challenging to know how you are using the controls in each category and if you need to implement every one.

To address this challenge, ISO 27002:2002 also introduced associated attributes. These offer different lenses to view controls so that you’re able to better understand which you need to implement and how you’re using them throughout your risk assessment and treatment process.

ISO 27002:2002 defines the following five attributes that are meant to be generic enough to be used by any organization. These attributes are also customizable so you can use your own. 

1. Control types

When and how does the control impact the risk outcome during an information security incident?

Possible attribute values are

• Preventive: control acts before a threat occurs
• Detective: control acts when a threat occurs
• Corrective: control acts after a threat occurs

2. Information security properties

Which characteristic of information will the control help preserve?

Possible attribute values are:

• Confidentiality
• Integrity
• Availability

3. Cybersecurity properties

What cybersecurity concept defined in the framework described in ISO/IEC TS 27110 is associated with the control?

Possible attribute values are:

• Identify
• Protect
• Detect
• Respond
• Recover

4. Operational capabilities

What operational capabilities is the control associated with? Or, which department should be assigned this control or risk?

Possible attribute values include but are not limited to:

• Application security
• Asset management
• Governance
• Information protection
• Human resource security
• Identity and access management
• Information security event management 
• Physical security
• Secure configuration

5. Security domains

What security field, expertise, service, and/or product is the control associated with? 

Possible attribute values are:

• Governance and ecosystem
• Protection
• Defence
• Resilience

Editorial updates in ISMS Clauses 4-10

Overall, the updates in the ISMS Clauses 4-10 of ISO 27001:2022 include minor wording and structural changes.  

For example:

• Clause 6: Planning was re-worded to remove ambiguity and outdated language (i.e., control objectives)
• Clause 4.4, an existing requirement to establish, implement, maintain, and continually improve your ISMS, now includes the phrase “including the processes needed and their interactions.” 
• Clause 9.2: Internal audit was split into 9.2.1: General and 9.2.2: Internal audit programme. However, the requirements remain the same. 
• Clause 9.3: Management review was split into three subsections — 9.3.1: General, 9.3.2: Management review inputs, and 9.3.3: Management review results.

Introduced Clause 6.3

The 2022 version of ISO 27001 also introduced a new subclause. Clause 6.3: Planning for Changes requires that any change to the ISMS be carried out in a planned manner. The goal of this subclause is to ensure organizations consider the purpose of any change to their ISMS, potential consequences, impact on the ISMS, resource availability, and allocation or reallocation of responsibilities and authorities, among other factors. 

ISO 27001:2022 Summary of Changes

The table below provides a recap of key differences between ISO 27001 versions 2013 and 2022​, as informed by changes in ISO 27002:2022.

What do these changes mean for ISO 27001:2013 certified organizations?

If you’re currently certified to ISO/IEC 27001:2013, here’s what you need to know:

• You have until October 31, 2025 to complete your transition audit.
• You can complete your transition during a recertification or surveillance audit.
• Certifications under the 2013 version will expire or be withdrawn after the transition deadline.

What do these changes mean for organizations pursuing ISO 27001 certification for the first time?

As of April 2024, organizations can now only be certified on ISO/IEC 27001:2022.

If you're starting from scratch, use these ISO 27001 resources to kickstart your certification process:

• ISO 27001 Checklist: Your 14-Step Roadmap for Becoming ISO Certified
• 5 Tips for Preparing for ISO 27001 Certification From Real Auditors
• The ISO 27001 Compliance Kit

How to prepare for ISO 27001:2022 certification

Whether you’re transitioning to the 2022 version of ISO 27001 or preparing for certification for the first time, you may feel overwhelmed and unsure where to start. To help streamline the readiness process and ensure your ISMS is effective and ready for an ISO 27001 audit, we’ve provided some key steps to get started:

1. Conduct a gap analysis between ISO/IEC 27001:2013 and 2022 requirements

Start by comparing your current ISMS against the 2022 version to identify where updates are needed. Focus on:

• Changes to Clauses 4–10
• The new Clause 6.3 (Planning for changes)
• Annex A control modifications and the addition of 11 new controls
• The restructuring of control domains and introduction of control attributes

2. Update your Statement of Applicability (SoA)

The ISO 27001 Statement of Applicability outlines which Annex A controls you’ve selected to implement and why. You’ll need to:

• Map your existing controls to the updated 2022 structure
• Justify inclusion, exclusion, or partial implementation of each new control
• Align each control with the updated four-theme structure (Organizational, People, Physical, Technological)

3. Train your team on ISO/IEC 27001:2022 changes

Because of the new structure and terminology, ISO 27001:2022 training is critical. Ensure relevant personnel understand:

• The updated control set and their practical applications
• Use cases for the 11 new controls
• Attribute tagging and how it can support risk assessment and control mapping
• Timeline and requirements for the ISO/IEC 27001:2022 transition

4. Use ISO 27002:2022 control attributes to streamline your risk assessment

The new control attributes provide a more dynamic and flexible way to categorize and manage security controls. Incorporate them into your ISMS to:

• Clarify control purpose and impact
• Assign control ownership more efficiently
• Simplify reporting and audit preparation
• Enhance your ability to identify gaps or redundancies

5. Plan your transition audit early

If you’re already certified to ISO 27001:2013, certification bodies are offering transition audits that can be scheduled as part of your next surveillance or recertification audit or as a standalone event.

Coordinate with your auditor before the October 31, 2025 deadline to:

• Confirm timelines
• Understand documentation requirements
• Avoid audit bottlenecks as demand increases closer to the deadline

ISO 27001:2022 checklist

Need more help preparing for the ISO 27001:2022 transition? Download our free ISO 27001 checklist to see all the steps you'll need to complete as you prepare for, achieve, and maintain compliance.

How Secureframe simplifies ISO 27001:2022 compliance

Whether you're transitioning from ISO/IEC 27001:2013 or pursuing certification for the first time, Secureframe can simplify every step of your compliance journey. Our platform is designed to reduce manual effort, eliminate guesswork, and get you audit-ready faster.

Here’s how we help:

• Automated evidence collection: Connect your cloud services, HR systems, and endpoint providers to collect audit evidence automatically and keep it updated.
• Policy templates and management: Access dozens of pre-built, auditor-approved ISO 27001 policy templates like the ISO 27001 Information Security Policy and easily customize, distribute, and track approvals from one centralized dashboard.
• Continuous control monitoring: Stay compliant year-round with automated alerts and monitoring for configuration drift, expired evidence, and other control gaps.
• Built-in risk management: Use our end-to-end risk management tool to evaluate, score, and mitigate risks more efficiently.
• Expert guidance and support: Work with ISO 27001 compliance experts who can help tailor your ISMS, map controls, and guide your audit prep.

With Secureframe, what once took hundreds of hours can now be managed in a fraction of the time, without sacrificing audit readiness or security integrity. This customer achieved ISO 27001 certification in just six weeks.  

If you’re interested in achieving similar results, schedule a demo of Secureframe today to see how we simplify ISO/IEC 27001:2022 compliance. 

This post was originally published in November 2022 and has been updated for comprehensiveness.