ISO 27001:2022 is the latest version of the international standard for information security management systems. The update introduces important changes that affect both new implementations and existing certified organisations.
New control structure
The previous control annex (Annex A) with 14 categories and 114 controls has been restructured into 4 themes and 93 controls:
- Organisational controls (37)
- People controls (8)
- Physical controls (14)
- Technological controls (34)
New controls
11 entirely new controls have been added, including:
- Threat intelligence
- Information security for use of cloud services
- ICT readiness for business continuity
- Physical security monitoring
- Configuration management
- Data masking
What does this mean for you?
If you are already certified, you need to update your Statement of Applicability (SoA) and ensure that the new controls are addressed. The transition period expires in October 2025.
If you are planning a new certification, you should base it directly on the 2022 version.
Need support with the transition? Contact us and we will help you.
More insights
Related articles
Civil cyber resilience is part of total defence
The day Sweden's payment and e-ID services go down for three hours, we feel how thin the digital layer is. Why governance, not technology, decides whether the country holds.
Your vendor register isn't a crisis plan
When the alarm goes off, knowing who your suppliers are isn't enough. You need to know what actually stops working, and who decides what. From list to dependency map.
What was right yesterday isn't right today
Europe isn't stuck with the hyperscalers by force. We made good decisions and stopped reconsidering them. NIS2, DORA and the Cybersecurity Act now make reconsideration a formal duty.