ISO 27001:2022 is the latest version of the international standard for information security management systems. The update introduces important changes that affect both new implementations and existing certified organisations.
New control structure
The previous control annex (Annex A) with 14 categories and 114 controls has been restructured into 4 themes and 93 controls:
- Organisational controls (37)
- People controls (8)
- Physical controls (14)
- Technological controls (34)
New controls
11 entirely new controls have been added, including:
- Threat intelligence
- Information security for use of cloud services
- ICT readiness for business continuity
- Physical security monitoring
- Configuration management
- Data masking
What does this mean for you?
If you are already certified, you need to update your Statement of Applicability (SoA) and ensure that the new controls are addressed. The transition period expires in October 2025.
If you are planning a new certification, you should base it directly on the 2022 version.
Need support with the transition? Contact us and we will help you.
More insights
Related articles
NIS2 and the Cybersecurity Act — what applies now?
The Swedish Cybersecurity Act entered into force in January 2025. We walk through the key requirements and what your organisation needs to do.
CISO-as-a-Service: the right choice for mid-sized organisations?
Not every organisation needs a full-time CISO. We explore when a shared security leader is the smartest choice.