Introduction#
ISO/IEC 27001:2022, published in October 2022, is the current revision of the most widely adopted information security management system (ISMS) standard. This guide walks through the key changes from the 2013 edition, the new control structure, and a practical certification roadmap.
Organizations certified to ISO 27001:2013 must complete the transition to the 2022 edition by 31 October 2025, the end of the three-year window set by the IAF; after that date, 2013 certificates are no longer valid. New certifications should pursue the 2022 version directly.
Key Changes from 2013#
ISO 27001:2022 restructures the control framework while maintaining the core ISMS management system requirements. Understanding these changes is essential for transition planning.
Transition deadline: 31 October 2025. A transition audit can be combined with a scheduled surveillance or recertification audit, so agree the date with your certification body early rather than relying on the last cycle before the cut-off.
Control Restructuring
Annex A now contains 93 controls (down from 114), organized into 4 themes instead of 14 domains. 11 controls are new; the remainder come from merging 57 of the 2013 controls into 24 and carrying the others over, mostly with updated wording. No 2013 control was dropped outright, so every existing control has a home in the new structure.
New Control Themes
Controls are now organized by: Organizational (37), People (8), Physical (14), and Technological (34). This replaces the previous 14-domain structure.
Control Attributes
Each control now carries five attribute tags: control type (preventive, detective, corrective), information security properties (confidentiality, integrity, availability), cybersecurity concepts (identify, protect, detect, respond, recover, mirroring the NIST CSF functions), operational capabilities, and security domains. The attributes exist to filter and map controls; they are not requirements in themselves.
Clause Updates
Minor updates to clauses 4-10: 4.2 now requires deciding which interested-party requirements the ISMS will address, 4.4 requires the ISMS to include the processes needed and their interactions, and a new subclause 6.3 covers planning of changes.
New Controls in 2022#
ISO 27001:2022 introduces 11 new controls addressing cloud, threat intelligence, data protection and monitoring. Numbered as in Annex A, they are:
- 5.7 Threat intelligence
- 5.23 Information security for use of cloud services
- 5.30 ICT readiness for business continuity
- 7.4 Physical security monitoring
- 8.9 Configuration management
- 8.10 Information deletion
- 8.11 Data masking
- 8.12 Data leakage prevention
- 8.16 Monitoring activities
- 8.23 Web filtering
- 8.28 Secure coding
Control Themes & Attributes#
The 2022 revision organizes 93 controls into four themes, replacing the previous 14-domain structure. Each control also has new attribute tags for enhanced categorization.
The four control themes are:
- Organizational (37 controls): Policies, roles, processes
- People (8 controls): HR, training, awareness
- Physical (14 controls): Facilities, equipment
- Technological (34 controls): Technical security measures
ISMS Requirements (Clauses 4-10)#
The management system requirements in clauses 4-10 remain largely unchanged, with minor clarifications and alignment with other ISO management system standards.
Clause 4: Context of the Organization
Understand your organization's context and the needs of interested parties, and determine the ISMS scope. In 2022, 4.2 adds that you must identify which interested-party requirements will be addressed through the ISMS, and 4.4 adds that the ISMS includes the processes needed and their interactions.
Clause 5: Leadership
Top management commitment, policy establishment, and role assignment. The only wording change is in 5.3: responsibilities and authorities for information security roles must be assigned and communicated within the organization. The requirement that the policy be available as documented information is not new; it was already in the 2013 edition.
Clause 6: Planning
Risk assessment, risk treatment, and objectives. Two changes: information security objectives (6.2) must now be monitored and be available as documented information, and a new subclause 6.3 requires that changes to the ISMS be carried out in a planned manner.
Clause 7: Support
Resources, competence, awareness, communication, and documented information. The one change is in 7.4, where the list of communication items is simplified to what, when, with whom and how to communicate.
Clause 8: Operation
Operational planning, risk assessment execution, and risk treatment implementation. 8.1 now requires establishing criteria for the processes and controlling them against those criteria, and replaces "outsourced processes" with "externally provided processes, products or services" relevant to the ISMS, which widens the supplier scope. Controlling planned changes and reviewing the consequences of unintended changes was already required in 2013.
Clauses 9-10: Performance & Improvement
Monitoring, measurement, analysis, internal audit, management review, and continual improvement. Small changes: management review (9.3) must now also consider changes in the needs and expectations of interested parties relevant to the ISMS, and clause 10 is reordered so that continual improvement (10.1) precedes nonconformity and corrective action (10.2).
Gap Analysis Process#
Whether transitioning from 2013 or pursuing initial certification, a structured gap analysis identifies areas requiring attention.
Map Current Controls
If transitioning, map your existing 2013 controls to the 2022 structure. ISO/IEC 27002:2022 Annex B provides the correspondence tables in both directions (B.1: 2022 to 2013, B.2: 2013 to 2022), showing how the 114 old controls fold into the 93 new ones.
Identify New Control Gaps
Assess implementation status for the 11 new controls. These require fresh implementation unless already covered by existing practices, in which case record the evidence against the new control number rather than assuming the auditor will infer it.
Review Statement of Applicability
Rebuild your Statement of Applicability (SoA) on the 2022 control set: list each control with its 2022 number, whether it is included and implemented, and the justification for inclusion or exclusion (clause 6.1.3 d). Auditors will expect the new numbering, not a 2013 SoA with a crosswalk attached.
Assess Documentation
Review policies and procedures for alignment with 2022 requirements. Update control references and terminology.
Prioritize Remediation
Rank gaps by risk impact and implementation complexity. Create a remediation roadmap with realistic timelines.
Transition advantage: an organization already certified to 2013 has most of the 2022 work done, because the clause 4-10 requirements are nearly unchanged and every existing control maps onto the new structure. The effort concentrates on the 11 new controls, the SoA rewrite, and updating control references in documentation.
Certification Roadmap#
ISO 27001 certification follows a defined process: a two-stage initial audit (Stage 1 reviews documentation and readiness, Stage 2 audits implementation and effectiveness), followed by annual surveillance audits and recertification every three years. Plan for a 6-12 month journey to initial certification.
Certification body selection: choose a body accredited for ISO/IEC 27001 by a national accreditation body, since only an accredited certificate is recognized by customers and regulators. Confirm they can schedule Stage 1 and Stage 2 within your readiness timeline.
Implementation Tips#
Successful ISO 27001 implementation balances comprehensive security with practical, sustainable processes that fit your organization.
- Start with risk assessment—it drives all control decisions
- Engage leadership early and maintain visible sponsorship
- Keep documentation proportionate to organization size
Framework Mapping#
ISO 27001:2022 maps readily to other major security frameworks, and the cybersecurity-concept attributes (identify, protect, detect, respond, recover) give a direct hook into NIST CSF. Maintaining one control set with cross-references lets a single piece of evidence satisfy several audits.
Next Steps#
Whether you're transitioning from 2013 or pursuing initial certification, start your ISO 27001:2022 journey today.
Conduct Gap Assessment
Evaluate your current security posture against ISO 27001:2022 requirements. Our gap assessment template helps identify priority areas.
Build Your Roadmap
Create a realistic implementation timeline based on gap assessment findings. Factor in resource availability and the October 2025 transition deadline.
Select Certification Body
Research accredited certification bodies with experience in your industry. Early engagement helps align audit schedules with your readiness timeline.