
In terms of content, ISO 27001:2022 is not a revolution, but it is an important refresh. The biggest change is in Annex A: from 114 controls in 14 clauses to 93 controls across 4 themes (organisational, people, physical, technological). In addition, there are new controls, and every control has been given attributes that make filtering and grouping easier.
The most important changes
- New Annex A structure: 4 themes instead of 14 domains.
- 11 new controls, including threat intelligence, cloud security, data leakage prevention, secure coding and monitoring.
- Attributes per control (e.g. preventive/detective, confidentiality/integrity/availability).
- Textual clarifications in clauses 4 to 10.
What does this mean for your ISMS?
Existing certified organisations must, within the transition period, revise their Statement of Applicability and risk treatment so that they align with the new Annex A. A gap analysis quickly shows which (new) controls you still need to address. See also our explanation of clauses 4 to 10.
ISO/IEC 27001 — official standard page (official source).
Frequently asked questions
Short, direct answers — written for people and for AI search functions alike.
No, you do not need to certify again from scratch, but you do need to transition to the 2022 version within the transition period. This usually happens during a regular surveillance or recertification audit, where the certification body checks whether you have correctly implemented the new Annex A.
Annex A of ISO 27001:2022 contains 93 controls, divided across four themes: organisational, people, physical and technological. This is a rearrangement and consolidation of the 114 controls from the previous version, plus 11 new controls.
The 11 new controls focus on areas such as threat intelligence, information security for cloud services, ICT continuity, physical security monitoring, configuration management, data leakage prevention, monitoring, web filtering and secure coding — topics that have become more important in recent years.
Want to know whether you are audit-ready?
Schedule a no-obligation audit scan and, within a single conversation, find out where you stand and what the next step is.
