Unpicking the ISO 27001:2022 changes


The much-anticipated 2022 update to the ISO 27001 Standard is here! Its official name – ISO/IEC 27001:2022 Information Security, Cybersecurity and Privacy Protection — Information Security Management Systems.

If you want to learn more about this standard before reading all of these updates, see our blog ‘What is ISO 27001’.


What’s changed in the ISO 27001:2022 update?

Let’s start with the key changes.

  • The management system of 27001:2022 will be aligned to the latest Annex SL structure (this is the same structure as ISO 9001, ISO 14001 and other ISO management standards).
  • Changes to Annex A of ISO 27001 which is aligned to ISO 27002 the code of practice and provides guidance on applying the security controls.

Let’s have a look at the changes in more detail…


ISO 27001:2022 changes

  1. Under Context of organisation – new additions and changes to 4.2 and 4.4
  2. Leadership – no change
  3. Planning – no change

6.1.3 Risk treatments – Information security risk treatments has a few minor changes throughout

6.2 Objectives – two new additions

6.3 Change management – a new clause to this Standard which has been brought in as part of the improvements – it’s all about planning for change!

  1. Support – no change

7.4 Communication – one new update to the communication requirement

8.1 Operation – some improvements to the descriptions of these categories and clauses. The addition of ‘products and services’ has also been brought into consideration

9.1 Performance evaluation – two amendments regarding the methods for monitoring, measurement and evaluation of results and the way in which documentation is provided as evidence

9.2 Internal audit section – now split into two subclauses for enhanced clarity referred to as General and Internal Audit Programme

9.3 Management system review – split into three subclauses – again to enhance clarity

10.1 Continual improvement – changed places with Nonconformity and corrective action but there are no other changes to note

10.2 Nonconformities and corrective actions – no change except to the way documentation is made available as evidence


ISO 27001:2022 controls

Both the controls and their classifications have changed for ISO 27001:2022.


What are the four control themes?

Previously, there were 114 controls of Annex A divided into 14 sections A5 to A18, organised into control objectives and underlying control activities.

But the ISO 27001:2022 version has been restructured, and there are now 93 controls consolidated into four clauses, referred to as ‘Themes’.

Clause 5 – Organisational (37 controls)

Clause 6 – People (8 controls)

Clause 7 – Physical (14 controls)

Clause 8 – Technological (34 controls)

Some ISO 27001 controls have been merged with similar controls, others updated, and some are brand-new. So even though the number of controls has reduced from 114 to 93, no controls have been excluded.


Organisational controls in ISO 27001:2022 cover security policies, rules, processes and procedures. The new controls added to this clause include:

  • Threat Intelligence (5.7)
  • Information security for use of cloud services (5.23)
  • ICT readiness for business continuity (5.30)


These controls help businesses to oversee the way people interact with data. It covers areas such as human resources management, confidentiality, remote work, and screening. There were no new controls added to this clause for ISO 27001:2022.


How are you protecting data against physical and environmental threats? These make sure that your tangible assets are safe and secure, including areas like facility security, monitoring, and storage medium protocols.
There was only one new control added in ISO 27001:2022:

  • Physical security monitoring (7.4)


Technological controls are there to help organisations protect their networks from breaches through digital regulations. This could cover authentication, data masking, network security and more.
There were seven new controls added to this clause:

  • Data masking (8.1)
  • Configuration management (8.9)
  • Information deletion (8.10)
  • Data leakage prevention (8.12)
  • Monitoring activities (8.16)
  • Web filtering (8.23)
  • Secure coding (8.28)


What are the new controls?

Among the 93 controls, there will be 11 new controls that reflect the changing technical and threat landscapes:

Threat intelligence (5.7)

Starting with threat intelligence which is part of the organisational clause, this control is all about how you gain information about potential threats to your organisation. Once you find out about the trends and new methods hackers are using, the next step is mitigating these risks. What action will you take? What defences will you put in place? Get one step ahead of the cyber attackers.

Information security for the use of cloud services (5.23)

Storing information in the cloud? This control is here to help protect it. You’ll need to consider a range of factors to make sure that data is secure, including the use of the cloud, your provider and more.

ICT readiness for business continuity (5.30)

It’s always best to be prepared, right? Well, the same goes for the continuity of your business if an IT incident did happen. This control requires your organisation to have a plan ready to support the recovery of your information and communication technology (ICT) and the continuity of your business.

Physical security monitoring (7.4)

This control makes sure areas holding sensitive information are secure which only authorised personnel have access to. How would you follow this? A security guard could be a solution, as well as alarms and CCTV cameras.

Configuration management (8.9)

You’ll need to create policies for how you document, implement, monitor, review, manage and approve security configurations.

Information deletion (8.10)

This control means you’ll need to set out a process for deleting information. Whether that’s from the cloud or other IT systems, this is needed to make sure that your business meets data, privacy and security requirements.

Data masking (8.11)

Masking your sensitive data is now a part of the technology clause of ISO 27001:2022. It means that your business will need to set out what data needs to be masked, who’s able to access it and how it’ll be masked.

Data leakage prevention (8.12)

The data leakage prevention control requires you to have technical measures in place to detect and prevent data leaks.

Monitoring activities (8.16)

How will you monitor your networks, systems, and applications? This includes log-ins, activity and others, which helps you to detect any unusual activity.

Web filtering (8.23)

This added control requires your business to manage your employees’ access to external websites. These measures are in place to help prevent your systems from being compromised.

Secure coding (8.28)

Secure coding effectively means that your business needs to follow secure coding principles in software development to keep you safe from attacks.


ISO 27001:2022 control attributes

These are:

  1.  Control types: preventative; detective; corrective.
  2. Information security properties: confidentiality; integrity; availability
  3. Cybersecurity concepts: identify; protect; detect; respond; recover.
  4. Operational capabilities: governance; asset management; information protection; human resource security; physical security; system and network security; application security; secure configuration; identity and access management; threat and vulnerability management; continuity; supplier relationships security; legal and compliance; information security event management; information security assurance.
  5. Security domains: governance and ecosystem; protection; defence; resilience


What do these changes mean for my ISO 27001 certification?

Even though the new Standard has been published by the ISO we are still waiting for its official release within the UK, before we can begin helping clients to adopt its new content. Following its official release, it’s expected that organisations will have the usual three year window to complete the transition to the new Standard. So, if you’re an existing QMS client certified to ISO 27001:13 you can upgrade to ISO 27001:2022 now, just get in touch. Want to dive deeper? Check out our guide to ISO 27001.

Or if you’re looking to gain ISO 27001 certification, contact us today at 0333 920 6588 or use our fee calculator to get a quick quote.

Sign up to get the latest in your inbox

    • Email address

About the author

  • Name:

    Serena Cooper

  • Company:

    Citation ISO Certification

  • Bio:

    Serena has worked for Citation ISO Certification since 2022, writing creative and informative content on ISO certification and consultation to help businesses reach their potential.


QMS International use cookies to provide you with a better site experience, enable features and to help us understand how our website is being used.

By continuing, you consent to the use of cookies in accordance with our Cookie Policy

Allow All Cookies

Allow Strictly Necessary Cookies Only