In 2022, ISO 27001 received its first major revision in nearly a decade. The changes were significant but focused: the mandatory clauses barely moved, while Annex A — the control set — was thoroughly modernised for cloud computing, remote work, and modern software development.
This guide explains what changed between ISO 27001:2013 and ISO 27001:2022, why it changed, and what it means for you, whether you are certifying for the first time or transitioning an existing certificate to the 2022 edition.
Why the standard was updated
The 2013 edition served well for almost a decade, but the world changed around it. Cloud computing became universal, remote and hybrid work became normal, and supply-chain attacks, including attacks on the software supply chain, rose sharply. The control set needed to reflect these realities.
The 2022 revision modernised ISO 27001 to address these developments, ensuring the standard remained relevant and practical. It is an update for how organisations actually operate today, not a wholesale reinvention.
The continuity of the core philosophy is as notable as the changes.
The headline change: Annex A restructured
The biggest change is Annex A. The 2013 edition had 114 controls in 14 domains (A.5 to A.18); the 2022 edition has 93 controls in four themes: Organizational, People, Physical, and Technological. Existing controls were consolidated, merged, and updated, and eleven new ones were added.
The reduction from 114 to 93 does not mean less security. None of the 2013 controls was simply discarded: overlapping controls were merged (a single 2022 control often absorbs two or three 2013 controls), and the rest were reworded or updated. The four-theme structure is also easier to navigate than the old 14 domains.
This restructure is what most people mean when they talk about ‘the 2022 changes’.
The four new themes
The new themes group controls by what they concern, and the control numbers follow the theme. Organizational (clause 5, 37 controls) covers policies, governance, supplier and cloud security, and incident management. People (clause 6, 8 controls) covers the human element, from screening to remote working. Physical (clause 7, 14 controls) covers facilities and equipment. Technological (clause 8, 34 controls) covers the technical controls, such as access, logging, configuration, and secure development.
This structure aligns with how organisations actually divide security responsibilities and makes the control set easier to navigate and assign. It replaced the older domain-based grouping entirely.
Mapping your existing controls onto these themes is part of transitioning.
The eleven new controls
The 2022 edition introduced eleven genuinely new controls reflecting modern risks: 5.7 Threat intelligence; 5.23 Information security for use of cloud services; 5.30 ICT readiness for business continuity; 7.4 Physical security monitoring; 8.9 Configuration management; 8.10 Information deletion; 8.11 Data masking; 8.12 Data leakage prevention; 8.16 Monitoring activities; 8.23 Web filtering; and 8.28 Secure coding.
Most address realities the 2013 edition handled only implicitly: cloud services, security monitoring and threat intelligence, the handling and deletion of data, and secure development. For many organisations, implementing these controls is the main practical work of adopting 2022.
They are also where teams migrating from 2013 most often find genuine gaps, and the gap is frequently one of evidence rather than practice: a team may already manage configurations or review code, but have no documented baseline, named owner, or records that an auditor can test.
What did not change much: the clauses
Importantly, the mandatory management-system clauses (4 to 10) changed only modestly in 2022. The requirements around context, leadership, planning, support, operation, performance evaluation, and improvement remained substantially the same; the notable additions are small, such as the requirement in clause 4.4 to identify the ISMS processes and their interactions, and the new clause 6.3 on planning changes to the ISMS.
This means the fundamental shape of an ISMS — scope, risk assessment, Statement of Applicability, internal audit, management review, continual improvement — is unchanged. If you understood the 2013 management system, you understand the 2022 one.
The continuity here is what makes transition manageable rather than daunting.
The new 'attributes' concept
A new feature in the accompanying ISO 27002:2022 guidance is control attributes: tags that classify each control by control type (preventive, detective, corrective), the security properties it supports (confidentiality, integrity, availability), cybersecurity concepts (identify, protect, detect, respond, recover), operational capabilities, and security domains.
Attributes are optional but useful: they let you filter and report on the control set from different angles, for example listing every detective control or every control that supports availability, which aids planning and communication with stakeholders. They are an aid layered on top of the controls, not a certification requirement.
You can adopt them as your program matures.
What it means for first-time certifiers
If you are certifying for the first time now, you simply certify against ISO 27001:2022 — there is no transition to worry about. You build your ISMS using the 93-control Annex A and the four themes from the start.
The main caution is that older templates, blog posts, and advice may still reference the 2013 numbering and 114 controls. Make sure the resources and tools you use are aligned to the 2022 edition to avoid confusion.
Otherwise, the 2022 edition is just ‘the standard’ for you.
What it means for existing certificate holders
Organisations certified against the 2013 edition were given a three-year transition period, ending 31 October 2025, to migrate to 2022, typically aligning the move with a scheduled surveillance or recertification audit. The transition involves re-mapping controls to the new structure, addressing the eleven new controls, and having the change verified by the certification body.
For most, transition is manageable: the clauses are essentially unchanged, most controls map across, and the work concentrates on the new controls and the re-structured Statement of Applicability. Planning it around an existing audit minimises disruption.
If you have not yet transitioned, do so promptly: 2013 certificates are not valid beyond the end of the transition period.
How to transition from 2013 to 2022
A practical transition follows a clear path: map your existing 2013 controls onto the 2022 themes and control numbers; identify which of the eleven new controls apply to you via your risk assessment; implement those that do; update your Statement of Applicability to the new structure, so that all 93 controls are listed with a justification for inclusion or exclusion; and refresh affected documentation, including the risk treatment plan and any policies that cite 2013 control numbers.
Because the bulk of your controls and your whole management system carry over, this is usually an evolution rather than a rebuild. A mapping spreadsheet keyed to the new structure makes it straightforward, and you need not build it from scratch: Annex B of ISO/IEC 27002:2022 provides the official correspondence tables between the 2013 and 2022 controls. Check merged controls carefully, because a 2022 control that absorbs several 2013 controls must still cover the full scope of each.
Aligning the transition with a planned audit keeps it efficient.
Common transition pitfalls
Pitfalls include overlooking the new controls (assuming 'we already do everything'), leaving the transition too late and risking the certificate, and using outdated 2013-based templates that do not match the new Annex A.
Another is treating the re-structure as merely cosmetic and not genuinely assessing the new controls against your risks. The remedy is a proper gap analysis against the 2022 edition, focused on what is genuinely new for you and on the evidence you can show for it.
Approached deliberately, transition is low-risk; approached carelessly, it can produce nonconformities at the transition audit.
The bigger picture
The 2022 update reaffirms ISO 27001’s enduring design: a stable, risk-based management system paired with an evolving control set. The standard adapts its controls to new technology while keeping its core approach constant — which is why a well-built ISMS ages gracefully through revisions.
For organisations, the lesson is reassuring: certify against the current edition, keep your control set under review, and future updates will be evolutions rather than upheavals. ISpectra builds and transitions ISMSs to the 2022 edition as standard, with free VAPT and a multi-framework discount.
The update is best seen as the standard keeping pace, not changing direction.
The bottom line
ISO 27001:2022 modernised the standard chiefly through Annex A: 114 controls in 14 domains became 93 controls in four themes, with eleven new controls covering cloud services, monitoring and threat intelligence, data handling, and secure development. The mandatory clauses changed little, so the ISMS shape is unchanged.
First-time certifiers simply use the 2022 edition (and current resources); existing holders transition by re-mapping controls, addressing the new ones, and updating the Statement of Applicability — usually an evolution, not a rebuild.
Certify against the current edition with up-to-date tools and guidance, and the update is straightforward — exactly how ISpectra handles it for its clients.