Key Takeaways
- ISO 27001:2022 restructures Annex A from 114 controls across 14 categories to 93 controls across 4 themes
- 11 entirely new controls address cloud security, threat intelligence, DLP, and secure coding
- The October 2025 transition deadline has passed — expired 2013 certificates require full recertification
- Complio maps old controls to new 2022 structure automatically, generating the gap analysis as a by-product
Why ISO 27001 Was Revised in 2022
The original ISO 27001:2013 standard was published at a time when cloud computing was still emerging, SaaS platforms were not yet the dominant delivery model, and supply-chain attacks had not become the systemic risk they are today. In the nine years between 2013 and 2022, the threat landscape changed fundamentally — yet the controls organisations used to manage information security risk had not kept pace.
ISO recognised this gap and initiated a revision with two primary objectives. First, to modernise the Annex A control set so it reflects the technologies and threats organisations actually face in 2022 and beyond. Second, to align ISO 27001 with the Annex SL harmonised management system structure, making it easier for organisations to integrate their ISMS with other management systems such as ISO 22301 (Business Continuity) and ISO 9001 (Quality).
It is important to understand that the 2022 revision is not a wholesale rewrite. The core clauses (4 through 10) remain largely unchanged. The most significant changes are in Annex A, where controls have been restructured, consolidated, and — in 11 cases — entirely new controls have been added to address modern security requirements.
What Changed — Annex A Restructure (114 → 93 Controls)
The most visible change in ISO 27001:2022 is the complete restructuring of Annex A. The previous version organised 114 controls across 14 categories (A.5 through A.18). The 2022 version consolidates these into 93 controls across just 4 themes:
| ISO 27001:2013 | ISO 27001:2022 |
|---|---|
| 14 categories (A.5–A.18) | 4 themes |
| 114 controls | 93 controls |
| — | Organisational (37 controls) |
| — | People (8 controls) |
| — | Physical (14 controls) |
| — | Technological (34 controls) |
The reduction from 114 to 93 controls does not mean that security requirements have been relaxed. Many controls were merged or renamed to eliminate duplication — for example, several access control policies from 2013 are now consolidated under a single, more comprehensive control. No control was simply deleted without its intent being captured elsewhere in the updated standard.
Each control now also includes a purpose statement and a set of attributes (control type, information security property, cybersecurity concept, operational capability, and security domain), making it easier to map controls to other frameworks and to demonstrate their relevance during audits.
The 11 New Controls Added in ISO 27001:2022
While most of the 93 controls in the 2022 version are reorganised versions of existing 2013 controls, 11 are entirely new. These reflect the modern threat landscape and the technologies that organisations now rely on:
| Control | Description |
|---|---|
| A.5.7 | Threat intelligence |
| A.5.23 | Information security for use of cloud services |
| A.5.30 | ICT readiness for business continuity |
| A.7.4 | Physical security monitoring |
| A.8.9 | Configuration management |
| A.8.10 | Information deletion |
| A.8.11 | Data masking |
| A.8.12 | Data leakage prevention |
| A.8.16 | Monitoring activities |
| A.8.23 | Web filtering |
| A.8.28 | Secure coding |
Most common gaps we see: In our experience across 45+ ISO 27001 certifications, the controls organisations struggle with most during transition are A.5.23 (Cloud security), A.8.12 (DLP), and A.5.7 (Threat intelligence). These require not just new documentation, but new operational processes that many organisations have not yet formalised.
The Transition Deadline — What It Means for Your Certificate
The International Accreditation Forum (IAF) set October 31, 2025 as the transition deadline for all ISO 27001:2013 certificates. This deadline has now passed. Here is what that means in practice:
- All new certifications issued after April 2024 must be against the 2022 version of the standard.
- Organisations that completed their transition audit before October 2025 now hold a valid 2022 certificate.
- Organisations whose 2013 certificates expired without transitioning will need to undergo a full initial certification audit against the 2022 standard — not a transition audit.
If your organisation still holds a 2013 certificate that expired after October 2025 without transitioning, the practical impact is that your certificate is no longer valid. You will need to pursue full recertification against the 2022 standard, which is a more extensive (and more expensive) process than a transition audit would have been.
Transition vs recertification: A transition audit typically focuses only on the delta between the 2013 and 2022 versions — the restructured Annex A and the 11 new controls. A full recertification audit covers the entire ISMS from scratch, including all clauses and all 93 controls.
A 6-Step Transition Roadmap
Whether you are transitioning from an existing 2013 ISMS or pursuing certification for the first time against the 2022 standard, the following roadmap provides a structured approach:
Step 1: Gap Analysis — Map Your Current State
Begin by mapping your existing controls (whether formalised or informal) against the 93 controls in Annex A of the 2022 standard. The objective is to identify which controls you already satisfy, which require modification, and which are entirely new requirements for your organisation. EIC's Complio platform maps old controls to the new 2022 structure automatically, generating the gap analysis as a by-product of onboarding.
Step 2: Risk Assessment Update
The 2022 standard retains the risk-based approach from 2013, but the new controls — particularly those related to cloud services, threat intelligence, and data leakage prevention — may require you to reassess your risk register. Ensure that new threat scenarios (e.g., cloud misconfiguration, supply-chain compromise) are reflected in your risk assessment methodology.
Step 3: Update the Statement of Applicability (SoA)
The Statement of Applicability must reference the 93 controls from the 2022 standard, not the 114 from 2013. For each control, document whether it is applicable, how it is implemented, and provide justification for any exclusions. This is one of the most common areas where organisations make mistakes during transition.
Step 4: Implement New and Modified Controls
Focus your implementation effort on the 11 new controls and any existing controls that have been significantly modified. Pay particular attention to A.5.23 (Cloud security) — if your organisation uses any cloud services (and virtually all do), this control requires documented policies, supplier assessments, and ongoing monitoring of cloud security configurations.
Step 5: Internal Audit and Management Review
Conduct an internal audit against the 2022 standard before your certification or transition audit. This should cover both the updated Annex A controls and the core ISMS clauses. Follow this with a management review that explicitly addresses the transition and any residual gaps identified during the internal audit.
Step 6: Certification or Transition Audit
Engage your certification body to schedule the audit. If you are an existing 2013-certified organisation (and your certificate is still valid), this will be a transition audit focused on the delta. If you are pursuing certification for the first time, this will be a full Stage 1 + Stage 2 audit. EIC can support either pathway — see our ISO 27001 Certification service for details.
Common Transition Mistakes to Avoid
Having supported dozens of organisations through the transition process, we consistently see the same mistakes. Avoiding these will save your team significant time and reduce the risk of audit findings:
Assuming controls auto-convert. Many organisations assume that because the 2022 controls are largely derived from the 2013 controls, the mapping is trivial and can be done with a simple spreadsheet rename. In reality, many controls have been substantively modified — their scope has changed, they have been split or merged, and the expected evidence differs. A proper gap analysis is essential, not a superficial mapping exercise.
Treating the restructure as new requirements. The opposite mistake is equally common: organisations treat every restructured control as if it were an entirely new requirement, leading to unnecessary documentation and implementation effort. The restructure is primarily an organisational change — only the 11 new controls represent genuinely new requirements.
Not updating the Statement of Applicability. The SoA is the single most important document in your ISMS, and it must reference the 2022 control set. We have seen organisations proceed to transition audits with an SoA that still references the 2013 control numbering — this will result in a major nonconformity.
Ignoring A.5.23 (Cloud security). Almost every organisation uses cloud services in some capacity, yet many treat A.5.23 as not applicable or implement it with a single paragraph policy. Auditors expect to see documented cloud security policies, evidence of supplier security assessments, and operational monitoring of cloud configurations. If you use AWS, Azure, GCP, or any SaaS platform, this control applies to you.
How Complio helps: EIC's Complio platform automatically maps your existing 2013 controls to the 2022 structure, flags the 11 new controls for implementation, and generates your updated SoA. This eliminates the most common transition errors and reduces the gap analysis phase from weeks to days.
For a detailed comparison of ISO 27001 and PCI DSS — including when you need both — see our guide on PCI DSS vs ISO 27001.
For more information on the standard itself, refer to the official ISO 27001 page at iso.org.