ISO 27001:2022 Changes: What's New & Transition Guide
Quick Answer
ISO 27001:2022 restructured Annex A controls from 114 controls in 14 domains to 93 controls in 4 themes, added 11 new controls for cloud security, threat intelligence, and data protection, and made minor updates to clauses 4-10. The transition deadline from ISO 27001:2013 is October 31, 2025.
Summary of Changes
ISO 27001:2022 was published in October 2022, replacing the 2013 version. The most significant changes are in Annex A (controls), while the management system clauses (4-10) received minor updates. Organizations certified to ISO 27001:2013 must transition by October 31, 2025.
Key Takeaways
- Annex A restructured: 114 controls in 14 domains → 93 controls in 4 themes
- 11 brand-new controls added for cloud, threat intelligence, DLP, secure coding, and more
- Clauses 4-10 received minor wording updates but no structural changes
- Transition deadline from 2013 to 2022: October 31, 2025
- All new certifications should use ISO 27001:2022
Annex A Restructuring
| Feature | ISO 27001:2013 Annex A | ISO 27001:2022 Annex A |
|---|---|---|
| Controls | 114 controls | 93 controls |
| Structure | 14 domains (A.5 to A.18) | 4 themes (Organizational, People, Physical, Technological) |
| Organization | Grouped by security domain | Grouped by control theme (organizational, people, physical, technological) |
| Overlap | Some controls overlapping | Merged overlapping controls |
| New controls | No cloud-specific control | 11 new controls, including cloud services security (A.5.23) |
The 11 New Controls
| Control | Theme | What It Addresses |
|---|---|---|
| A.5.7 Threat Intelligence | Organizational | Collecting and using threat intelligence for informed security decisions |
| A.5.23 Cloud Services Security | Organizational | Managing information security for cloud service acquisition, use, and exit |
| A.5.30 ICT Readiness for Business Continuity | Organizational | Ensuring ICT infrastructure supports business continuity plans |
| A.7.4 Physical Security Monitoring | Physical | Continuous surveillance and monitoring of physical premises |
| A.8.9 Configuration Management | Technological | Establishing and maintaining secure configurations for all systems |
| A.8.10 Information Deletion | Technological | Securely deleting information when no longer needed |
| A.8.11 Data Masking | Technological | Masking PII and sensitive data to limit exposure |
| A.8.12 Data Leakage Prevention | Technological | Detecting and preventing unauthorized data exfiltration |
| A.8.16 Monitoring Activities | Technological | Monitoring networks, systems, and applications for anomalies |
| A.8.23 Web Filtering | Technological | Filtering access to external websites to reduce threats |
| A.8.28 Secure Coding | Technological | Applying secure coding practices in software development |
Changes to Clauses 4-10
- Clause 4.2: Added requirement to analyze which stakeholder needs will be addressed through the ISMS
- Clause 6.2: Information security objectives must now be monitored
- Clause 6.3: New clause requiring a planned approach to ISMS changes (change management)
- Clause 8.1: Added requirement to establish criteria for processes and implement control of those processes
- Clause 9.2 & 9.3: Minor restructuring of internal audit and management review requirements
- Overall: Wording alignment with ISO harmonized structure (common to all ISO management system standards)
Transition Requirements
Transitioning from 2013 to 2022
Understand the gap
Compare your current 2013 controls against the 2022 structure. Map your 114 controls to the new 93. Identify which of the 11 new controls apply to your risk profile.
Update your risk assessment
Review your risk assessment considering the new controls. Determine if new controls (cloud security, DLP, secure coding, etc.) address risks in your environment.
Update the Statement of Applicability
Rewrite your SoA against the 93 controls in 4 themes. This is the most significant documentation change. Map previous control implementations to the new structure.
Implement new applicable controls
For the 11 new controls that apply to your organization, implement the necessary measures. Many organizations already have informal practices — formalize and document them.
Update documentation and policies
Update policy references from 2013 control numbers to 2022 control numbers. Update any documents that reference the old 14-domain structure.
Schedule transition audit
Coordinate with your certification body to schedule a transition audit. This can be combined with a surveillance audit or recertification audit. The transition audit must be completed by October 31, 2025.
⚠️ Transition Deadline: October 31, 2025
All ISO 27001:2013 certificates must transition to ISO 27001:2022 by October 31, 2025. After this date, 2013 certificates are no longer valid. Plan your transition audit well in advance — certification body schedules are filling up as the deadline approaches.
Do I need to recertify from scratch for 2022?
No. The transition is handled through a transition audit, which can often be combined with your regular surveillance or recertification audit. Your certification body will assess the changes you've made to comply with the 2022 version.
Is the transition difficult?
For most organizations, the transition is a moderate effort. The main work is restructuring your SoA, assessing the 11 new controls, and updating documentation references. If you already have good security practices, many of the new controls (like configuration management, monitoring, secure coding) may already be informally implemented.
Should new organizations certify to 2013 or 2022?
Always certify to ISO 27001:2022. There's no reason to certify to the 2013 version — you would need to transition immediately. All new certification audits should use the 2022 standard.
What if we miss the transition deadline?
Your ISO 27001:2013 certificate will expire and become invalid. You would need to go through the full certification process against ISO 27001:2022 as a new certification. This is more expensive and time-consuming than transitioning. Don't miss the deadline.