What ISO 27001:2022 actually changed (and what it didn't)
Compliance | April 2026 | 9 min read

The 2022 revision is widely misunderstood. We unpack the new Annex A, the four themes, the 11 new controls and what it really means for organisations recertifying in 2026.

By FACG GRC team

ISO 27001:2022 was published in October 2022 and the transition deadline for organisations holding the 2013 version is now firmly behind us. We have led 22 transition audits in the last 18 months. Here is what actually changed, what did not, and what we wish more clients had understood before they started.

The clauses (the body of the standard) barely moved

Clauses 4 to 10 of ISO 27001 are essentially unchanged. The management system requirements, the leadership commitments, the risk methodology, the internal audit and management review obligations: all materially the same. If your management system worked under the 2013 version, it still works.

The wording was tightened in places. The most-cited example is clause 6.1.3 d), which now requires that you produce a Statement of Applicability (SoA) determining all controls that are necessary, including controls from sources other than Annex A. In practice every mature SoA we see already did this.

Annex A was reorganised, not rewritten

The 2013 version of Annex A had 114 controls in 14 sections. The 2022 version has 93 controls in 4 themes:

  • A.5 Organisational controls (37 controls)
  • A.6 People controls (8 controls)
  • A.7 Physical controls (14 controls)
  • A.8 Technological controls (34 controls)

Most of what looks new is consolidation. For example, the old A.9 Access control, A.13 Communications security and several scattered cryptography controls all merged into the technological theme. The mapping is well-documented in ISO/IEC 27002:2022 and most ISMS platforms will produce the cross-walk for you.

There are 11 genuinely new controls:

  1. A.5.7 Threat intelligence: requires a documented process for gathering and analysing threat intel relevant to your environment
  2. A.5.23 Information security for use of cloud services: explicit cloud governance, supplier review and exit strategy
  3. A.5.30 ICT readiness for business continuity: business-continuity-aware IT planning, recovery time and recovery point objectives
  4. A.7.4 Physical security monitoring: detection of unauthorised physical access (cameras, sensors, logs)
  5. A.8.9 Configuration management: hardened baselines, drift detection, restoration
  6. A.8.10 Information deletion: secure deletion across endpoints, servers and cloud
  7. A.8.11 Data masking: protect production data when used outside production (test, dev, analytics)
  8. A.8.12 Data leakage prevention: technical and procedural controls to prevent unauthorised exfiltration
  9. A.8.16 Monitoring activities: structured monitoring of networks, systems and applications for anomalous behaviour
  10. A.8.23 Web filtering: control of access to external websites and web content
  11. A.8.28 Secure coding: requirements for secure development practices

What this actually means for you in 2026

If you are recertifying, your auditor will want to see evidence of these new controls in your SoA, your risk register and your operational records. They will not want to see a 230-page policy refresh. What we recommend is a focused gap exercise that produces three artefacts:

  • A control mapping table (2013 to 2022) with a column for residual gaps
  • Updated SoA reflecting the 93 controls and the 5 attributes (control type, infosec property, cyber concept, operational capability, security domain)
  • Evidence pack for each new control, light but specific (a screenshot, a config export, a runbook reference)

What did not change but everyone asks anyway

  • Annex SL structure: still in force, still the basis for ISO 9001/14001/27001 alignment
  • Risk methodology: still your choice, still needs to be documented and applied consistently
  • Internal audit cycle: still annual at a minimum, still needs to cover the whole ISMS over a defined period
  • Management review: still needs to cover the standard inputs, still needs leadership engagement evidenced in the minutes

If you have not transitioned yet

You should have. The transition deadline was 31 October 2025. Existing 2013 certificates ceased to be valid on that date. If you are out of certification, the path back is a fresh stage 1 + stage 2 audit against the 2022 standard, which we can typically deliver inside a 4 to 6 month engagement depending on scope.

Have a question on this?

Book a 30-minute discovery call. We answer questions in plain English, with or without a follow-on engagement.