ISO/IEC 27001:2022 was published on 25 October 2022, replacing the 2013 edition. If you are currently certified or implementing ISO 27001, this revision affects your Statement of Applicability, Annex A controls, and your transition deadline. Here is everything you need to know.

📋 What Changed — The Big Picture

The 2022 revision made changes in two key areas: the main body (clauses 4–10) and Annex A (the controls catalogue).

Main Body Changes (Clauses 4–10)

The main clauses saw relatively minor but important updates:

  • Clause 4.2: New requirement to identify "interested parties' requirements relevant to information security" — you must now also document which requirements you have decided to address
  • Clause 6.2: Information security objectives must now be "monitored" and "available as documented information"
  • Clause 6.3: Brand new clause — "Planning of changes" requires planned changes to the ISMS to be carried out in a controlled manner
  • Clause 8.1: Reference to "processes needed" for planning and controlling operations
  • Clause 9.1: Clarified that monitoring, measurement, analysis, and evaluation results must be "available as documented information"

Annex A — Major Restructuring

The biggest change is in Annex A:

  • Old (2013): 14 control categories, 35 control objectives, 114 controls
  • New (2022): 4 themes, 93 controls (including 11 brand new ones)

The 4 new themes (replacing 14 categories) are:

  • 5. Organizational controls (37 controls)
  • 6. People controls (8 controls)
  • 7. Physical controls (14 controls)
  • 8. Technological controls (34 controls)

📌 What Happened to the 114 Controls?

58 controls remain essentially unchanged, 35 were merged into 24 controls, and 23 were renamed or reorganized. No controls were deleted; they were only consolidated or restructured. In addition, 11 brand new controls were added.

🆕 The 11 New Controls in ISO 27001:2022

These are the controls that did not exist in the 2013 version:

5.7 – Threat Intelligence

Organizations must collect and analyze information about threats to produce actionable threat intelligence relevant to their environment.

5.23 – Information Security for Use of Cloud Services

Processes for acquisition, use, management, and exit from cloud services must be established, aligned with information security requirements.

5.30 – ICT Readiness for Business Continuity

ICT readiness must be planned, implemented, maintained, and tested based on business continuity objectives and ICT continuity requirements.

7.4 – Physical Security Monitoring

Premises must be monitored for unauthorized physical access on a continuous basis.

8.9 – Configuration Management

Configurations of hardware, software, services, and networks must be established, documented, implemented, monitored, and reviewed.

8.10 – Information Deletion

Information stored in systems, devices, or other storage media must be deleted when no longer required.

8.11 – Data Masking

Data masking must be used in accordance with the organization's access control policy and other related policies, and with its business requirements.

8.12 – Data Leakage Prevention

Data leakage prevention measures must be applied to systems, networks, and devices that process, store, or transmit sensitive information.

8.16 – Monitoring Activities

Networks, systems, and applications must be monitored for anomalous behavior, and appropriate actions taken to evaluate potential information security incidents.

8.23 – Web Filtering

Access to external websites must be managed to reduce exposure to malicious content.

8.28 – Secure Coding

Secure coding principles must be applied to software development. This is now a formal requirement, not just good practice.

⏱️ Transition Deadline

📅 Transition Deadline: 31 October 2025

All ISO 27001:2013 certificates must transition to ISO 27001:2022 by 31 October 2025. After this date, certificates based on the 2013 version will no longer be valid. Organizations should begin their transition immediately if they have not already done so.

✅ Transition Checklist for Certified Organizations

  1. Gap Assessment: Compare your current Annex A controls against the 2022 controls catalogue — identify gaps, especially for the 11 new controls
  2. Update Statement of Applicability (SoA): Revise your SoA to reflect the new 93 controls structure
  3. Address Clause Changes: Update your ISMS documentation for the main body clause changes (especially 4.2, 6.2, 6.3)
  4. Implement New Controls: Develop and implement policies, procedures, and technical controls for the 11 new controls relevant to your scope
  5. Internal Audit: Conduct an internal audit against ISO 27001:2022 before your transition audit
  6. Management Review: Hold a management review covering the transition changes
  7. Transition Audit: Work with your certification body to schedule a transition audit before October 2025
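As an added illustration of steps 1 and 2 (example code, not from the article or from HackersFood), the following Python script checks a Statement of Applicability export against the 11 new controls and the four theme sizes listed above. The CSV column layout and the sample SoA rows are assumptions constructed for the example.

```python
import csv
import io

# Annex A themes of the 2022 edition, with the control counts from the article.
THEMES = {"5": ("Organizational", 37), "6": ("People", 8),
          "7": ("Physical", 14), "8": ("Technological", 34)}
# The 11 controls that did not exist in the 2013 edition (ids from the article).
NEW_CONTROLS = {"5.7": "Threat intelligence", "5.23": "Cloud services",
    "5.30": "ICT readiness for business continuity", "7.4": "Physical security monitoring",
    "8.9": "Configuration management", "8.10": "Information deletion",
    "8.11": "Data masking", "8.12": "Data leakage prevention",
    "8.16": "Monitoring activities", "8.23": "Web filtering", "8.28": "Secure coding"}
# Constructed sample SoA export, not a real organisation's. The column layout
# (control_id, applicable, status, justification) is an assumption.
SAMPLE_SOA = """control_id,applicable,status,justification
5.7,yes,implemented,CERT-In advisories reviewed weekly
5.23,yes,planned,Cloud policy drafted; approval pending
7.4,no,,No physical premises in scope (fully remote)
8.9,yes,implemented,Baselines kept in configuration repository
8.12,no,,
8.28,yes,implemented,SAST gate in CI pipeline
"""

def parse_soa(text):
    """Parse the export into {control_id: row}. Ids outside the four 2022
    themes (e.g. a leftover 2013 id such as A.12.1.1) are rejected."""
    soa = {}
    for row in csv.DictReader(io.StringIO(text)):
        cid = row["control_id"].strip()
        if cid.split(".")[0] not in THEMES:
            raise ValueError(f"{cid} is not a 2022 Annex A control id")
        soa[cid] = row
    return soa

def new_control_gaps(soa):
    """Classify each of the 11 new controls for the transition gap assessment."""
    gaps = {}
    for cid in NEW_CONTROLS:
        row = soa.get(cid)
        if row is None:
            gaps[cid] = "missing from SoA"
        elif row["applicable"] == "yes" and row["status"] != "implemented":
            gaps[cid] = f"applicable but {row['status'] or 'no status'}"
        elif row["applicable"] == "no" and not row["justification"].strip():
            gaps[cid] = "excluded without justification"
    return gaps

def theme_coverage(soa):
    """SoA entries per theme against the 93-control catalogue: every Annex A
    control must be listed in the SoA, whether applicable or not."""
    return {f"{n} {name}": (sum(c.split(".")[0] == n for c in soa), total)
            for n, (name, total) in THEMES.items()}
```

Running `new_control_gaps(parse_soa(SAMPLE_SOA))` on the sample flags seven of the eleven new controls, and `theme_coverage` shows how far the SoA is from listing all 93 controls.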

🆕 Implementing the New Controls — Practical Tips

Threat Intelligence (5.7)

Subscribe to relevant threat feeds (CERT-In alerts, sector-specific ISACs, commercial threat intel). Document how you consume and act on threat intelligence. Even a simple process of reviewing CERT-In advisories and updating controls accordingly counts.

Cloud Services (5.23)

Document all cloud services in use. Create a cloud security policy covering acceptable use, shared responsibility model, exit strategy, and data residency requirements. Conduct cloud security assessments for critical cloud workloads.

Secure Coding (8.28)

Formalize your secure SDLC. Implement SAST tools in CI/CD pipelines, document secure coding guidelines (reference OWASP), and require security code reviews for critical modules. Train developers on secure coding.

Data Leakage Prevention (8.12)

Classify your data assets. Implement DLP tools or policies for email, endpoint, and cloud. At minimum, document what sensitive data exists, where it flows, and what controls prevent unauthorized exfiltration.

Need ISO 27001:2022 Transition Support?

HackersFood provides end-to-end ISO 27001:2022 transition support — gap assessment, SoA update, new controls implementation, and audit readiness.