ISO 27001:2022 Annex A: What changed and what it means for your ISMS
ISO 27001 is the international standard for information security management systems. The original 2013 edition served organisations well for nearly a decade, but the threat landscape changed significantly. Cloud computing became the norm, AI systems entered the enterprise, and supply chain attacks escalated. The 2022 revision addressed all of this.
What changed: from 114 controls to 93
The 2013 standard organised its Annex A controls into 14 domains — things like Access Control, Cryptography, and Physical and Environmental Security. The total count was 114 controls. The 2022 revision consolidated these into four themes:
- Organisational controls (Clause 5) — 37 controls covering policies, roles, threat intelligence, and supplier relationships
- People controls (Clause 6) — 8 controls covering screening, training, and remote working
- Physical controls (Clause 7) — 14 controls covering physical security and clear desk and clear screen requirements
- Technological controls (Clause 8) — 34 controls covering endpoint security, encryption, and monitoring
In the consolidation, 58 controls were revised, 24 controls resulted from merging multiple 2013 controls, and 11 genuinely new controls were added. No controls were removed entirely — each 2013 control was either merged or restructured.
The 11 new controls
These are additions with no direct 2013 equivalent. Each addresses a gap that became evident in the nine years since the previous revision:
- 5.7 Threat intelligence — Organisations must collect, analyse, and act on information about threats relevant to their context. This is not passive — it requires a defined process for consuming threat feeds and relating them to controls.
- 5.23 Information security for use of cloud services — Cloud services must be subject to a lifecycle process: selection criteria, contractual requirements, monitoring, and exit planning. Relying on a cloud provider's certifications alone is not sufficient.
- 5.30 ICT readiness for business continuity — Business continuity planning must explicitly include ICT readiness — availability targets, recovery objectives, and testing of technical restoration procedures.
- 7.4 Physical security monitoring — Premises must be continuously monitored for unauthorised physical access. CCTV and intrusion detection systems need to be documented and reviewed.
- 8.9 Configuration management — Configurations of hardware, software, and services must be documented, implemented, monitored, and reviewed. Hardening standards and baselines are now explicitly required.
- 8.10 Information deletion — Data that is no longer required must be securely deleted in accordance with retention schedules. This aligns directly with GDPR Article 5(1)(e) and requires documented procedures.
- 8.11 Data masking — Personal data and sensitive information should be masked in non-production environments. Test environments using real production data without masking now represent a control gap.
- 8.12 Data leakage prevention — Technical measures must be applied to detect and prevent unauthorised disclosure of sensitive information. DLP tooling or equivalent controls are now explicitly in scope.
- 8.16 Monitoring activities — Anomalous activity must be detected through network, system, and application monitoring. Log collection, alerting, and review procedures are required.
- 8.23 Web filtering — Access to external websites must be managed to reduce exposure to malicious content. This covers both corporate-managed devices and bring-your-own-device scenarios.
- 8.28 Secure coding — Secure coding principles must be applied to software development. This includes code review, static analysis, dependency scanning, and training for developers.
Impact on your Statement of Applicability
The Statement of Applicability (SoA) is one of the most scrutinised documents in any ISO 27001 audit. It lists every Annex A control, states whether each is applicable or excluded, and provides a justification for excluded controls.
Every organisation that certified to ISO 27001:2013 needed to update their SoA to reflect the 2022 controls before their transition deadline.
For existing ISMS programmes, the SoA update requires mapping your current 2013 controls to their 2022 equivalents, adding applicability decisions and justifications for the 11 new controls, and updating internal references throughout your policy suite.
A common mistake is treating the SoA as a static document. Under 2022, it needs to be a living record — reviewed annually and updated whenever your risk treatment plan changes.
The transition deadline: October 2025
The International Accreditation Forum (IAF) mandated that all ISO 27001 certificates must reference the 2022 standard by 31 October 2025. Certificates issued to the 2013 standard are no longer valid after that date. If your organisation certified before 2022 and has not yet transitioned, your certificate has lapsed — you will need a full certification audit to the 2022 standard.
For organisations that transitioned before the deadline, the next surveillance or recertification audit will be conducted entirely against the 2022 standard.
Practical checklist for updating your ISMS
- Update your SoA to reference all 93 Annex A 2022 controls with applicability decisions
- Review and update your risk assessment methodology documentation — the 2022 standard still requires a documented methodology, and the updated control set may affect your risk treatment options
- Assign owners to the 11 new controls and complete an initial implementation assessment
- Update your policy suite to reference the new control numbers (e.g., policies referencing A.12.4.1 should now reference 8.15)
- Add the new controls to your internal audit programme — they must be audited during your next internal audit cycle
- Brief your management review team on the changes — they need to understand the scope of the revision for their next management review
- If you use a GRC tool, ensure your control library has been updated to the 2022 mapping
- Check your supplier and cloud provider contracts against 5.23 requirements — information security clauses may need updating
The bottom line
The 2022 revision is not a radical departure — organisations with a mature ISMS will find that most of their controls already address the intent of the new requirements. The main work is administrative: updating documentation, renumbering references, and formally addressing the 11 new controls.
The new controls that are most likely to require real implementation effort are 5.7 (threat intelligence), 5.23 (cloud services), 8.9 (configuration management), and 8.28 (secure coding). If your programme did not explicitly cover these before, now is the time to build them in.
AISEC