ISO 27001:2022 is the latest version of the international standard for information security management systems. The update introduces important changes that affect both new implementations and existing certified organisations.
New control structure
The previous control annex (Annex A) with 14 categories and 114 controls has been restructured into 4 themes and 93 controls:
- Organisational controls (37)
- People controls (8)
- Physical controls (14)
- Technological controls (34)
New controls
11 entirely new controls have been added, including:
- Threat intelligence
- Information security for use of cloud services
- ICT readiness for business continuity
- Physical security monitoring
- Configuration management
- Data masking
What does this mean for you?
If you are already certified, you need to update your Statement of Applicability (SoA) and ensure that the new controls are addressed. The transition period expires in October 2025.
If you are planning a new certification, you should base it directly on the 2022 version.