ISO 27001:2022 is published! What are the changes and what should organisations expect?

We are pleased to announce that a new and improved version of ISO 27001 has just been released to address global cybersecurity challenges and improve digital trust.

We believe that these changes will help to make ISO/IEC 27001:2022 even more effective in helping organisations to protect their information assets.

What is ISO 27001?

ISO 27001 is an information security management system standard that defines international best practices for developing and maintaining ISMS – information security management system. Information security management is the world’s most well-known standard that helps organizations safeguard their electronic assets – a vital function in today’s increasingly digital age. By implementing it, companies can ensure that their information is available and secure.

What’s new in the 2022 edition of ISO 27001 over the 2013 edition?


The biggest change in ISO 27001 for 2022 is the updated Annex A reflecting ISO/IEC 27002:2022.

The ISO/IEC 27002 Standard for Information Security Controls, published in February 2022, outlines a set of generic information security controls and implementation guidelines.

The changes include:

  • Category restructure
  • 11 new controls added
  • 47 controls merged into 24 controls
  • 58 updated controls

The new categories:

There have been four new categories of controls consolidated from 14 previous categories.

  • People (8 controls) – those that relate to individuals, such as remote work, screening, confidentiality, or non-disclosure agreements.
  • Organisational (37 controls) – those that are relevant to the organisation, such as information security policies, asset return policies, and cloud services
  • Technological (34 controls) – those that relate to technology, such as authenticating, erasing, preventing data leaks, and outsourcing development
  • Physical (14 controls) – those relating to physical objects, such as storage media, equipment maintenance, monitoring physical security, or securing offices, rooms, and facilities.

The new controls:

The number of controls has been reduced from 114 to 93, but 11 new controls have been added, including:


1. Threat Intelligence (5.7)

2. Information security for use of cloud services (5.23)

3. ICT readiness for business continuity (5.30)


4. Physical security monitoring (7.4)


5. Configuration management (8.9)

6.  Information deletion (8.10)

7.  Data masking (8.11)

8.  Data leakage prevention (8.12)

9.  Monitoring services (8.16)

10.  Web filtering (8.22)

11.  Secure coding (8.28)

People – No change

What is the deadline for transitioning to ISO/IEC 27001:2022?

After ISO 27001:2022, there will be a three-year transition period. This updated Standard is published in October 2022, so organisations will have to comply by October 2025.

ISO 27001 Certified Organisations:

  • Organisations may conduct audits against ISO/IEC 27001:2013 or ISO/IEC 27001:2022, at their request, until October 2023.
  • If non-compliances are found with the additional requirements in the 2022 edition, they will be raised as Areas of Concern and will need to be resolved before the transition period starts.
  • As of October 2023, all audits will be based on ISO/IEC 27001:2022.

Organisations Looking to become ISO 27001 certified:

  • Prior to the release of the 2022 edition, organisations applying for certification will be evaluated on their compliance with ISO/IEC 27001:2013
  • Following the release of the 2022 edition, organisations applying for certification will be assessed against ISO/IEC 27001:2022 compliance.

It is important to note that if you upgrade from ISO 27001:2013 to ISO 27001:2022, additional time will be required for the upgrade component of the audit.

Organisations that adopt cybersecurity establish themselves as leaders in their industry

Those organisations that implement cybersecurity through confident vulnerability quickly become leaders in their industries. As part of ISO/IEC 27001’s holistic approach, the entire organisation is covered, not just the IT department. It benefits people, technology, and processes all at the same time. 

By implementing ISO 27001, you demonstrate your commitment to securely and safely managing information and prove that you can be trusted.

If you would like to learn more about the new standard and the changes, visit our past Webinar: How To Get Ready For ISO 27001:2022 Transition.

As ISO 27001 consultants, AWD offers an ISO 27001 implementation consultation service that can help your business make the necessary changes to ensure compliance with the new standard. AWD has helped many businesses successfully transition to ISO 27001:2022 and would love to help you too.

For the most comprehensive, layered security solutions, fill out the contact form and book your Free Security Assessment.

Enquire about our IT services today.