ISO 27001:2022 Update: The 11 New Controls and the Path from 2013
The key changes of the ISO 27001 revision: 11 new controls, 4 categories instead of 14, threat intelligence, cloud services, and a practical mapping from 2013 to 2022.
ISO 27001:2022 was published in October 2022 and replaces the 2013 version. The transition period for existing 2013 certificates ran until 31 October 2025. This article covers the core changes of the revision, the eleven completely new controls, and a practical mapping of the most important control numbers from 2013 to 2022 so you understand exactly what changes for your ISMS.
Key Changes at a Glance
Annex A (reference control objectives) was fundamentally restructured. The number of controls shrank from 114 (in 2013) to 93 (in 2022), distributed across 4 thematic categories instead of 14 sections. In the process, 24 controls were consolidated (merged), 58 controls were carried over without substantive change (renumbering only), and 11 controls are entirely new. The main standard (Clauses 4 to 10) changed only marginally, with Clause 6.3 adding requirements for planning changes.
The core message of the revision: ISO 27001:2022 explicitly addresses the modern risks of the cloud era and interconnected supply chains. The eleven new controls are not an academic exercise but a direct response to threats that did not exist at scale in 2013.
The 4 New Control Categories
Instead of the old 14 sections (A.5 to A.18), there are now four thematic categories with a total of 93 controls:
- A.5 Organisational controls: 37 controls covering policies, roles, risk management, supplier relationships, incident management, and business continuity.
- A.6 People controls: 8 controls covering pre-employment screening, terms of employment, disciplinary processes, remote working, and incident reporting.
- A.7 Physical controls: 14 controls covering physical security, office and operations security, physical security monitoring, secure working areas, and clear-desk policy.
- A.8 Technological controls: 34 controls covering endpoints, privileged access rights, cryptography, vulnerability management, network security, secure development, and monitoring.
The 11 New Controls in Detail
These eleven controls did not exist in ISO 27001:2013. For any first-time certification or recertification under the 2022 standard, they must be addressed in the Statement of Applicability and, where applicable, implemented.
| Control | Title | Description |
|---|---|---|
| A.5.7 | Threat intelligence | A systematic process for collecting, analysing, and using threat information. Organisations must understand current attacker tactics and incorporate them into their risk analysis. |
| A.5.23 | Information security for use of cloud services | Clear security management for cloud services: selection, configuration, monitoring, and termination of cloud usage agreements, taking shared responsibility models into account. |
| A.5.30 | ICT readiness for business continuity | Specific preparation of ICT infrastructure for business continuity scenarios: recovery objectives (RTO/RPO) for critical systems must be defined and regularly tested. |
| A.7.4 | Physical security monitoring | Continuous monitoring of physical zones and sensitive areas, for example through access logs, CCTV, or alarm systems with defined escalation paths. |
| A.8.9 | Configuration management | Documented baseline configurations (hardening) for all IT systems: servers, network devices, endpoints. Deviations from the baseline must be detected and justified. |
| A.8.10 | Information deletion | Defined deletion procedures on expiry of retention periods: secure erasure methods for storage media, cloud storage, and endpoints in compliance with legal requirements. |
| A.8.11 | Data masking | Anonymisation and pseudonymisation techniques for personal data in development, test, and analytics environments to minimise exposure risk. |
| A.8.12 | Data leakage prevention | DLP controls to prevent unauthorised exfiltration of sensitive data: technical measures such as email scanning, endpoint DLP, and cloud access security brokers. |
| A.8.16 | Monitoring activities | Systematic log analysis and anomaly detection across all critical systems: SIEM integration, alert rules, defined review cycles, and escalation paths for anomalies. |
| A.8.23 | Web filtering | URL- and DNS-based filtering of web access to protect against malware and phishing: category blocking, allow/deny lists, and logging of all filter events. |
| A.8.28 | Secure coding | Documented secure coding guidelines for software development: OWASP Top 10, code reviews, static application security testing (SAST), dependency scanning, and developer training. |
2013 to 2022: Mapping Key Control Areas
The following table shows how important control areas from ISO 27001:2013 were carried over into the new 2022 structure. It does not claim to be exhaustive but shows the most practically relevant examples for the transition.
| ISO 27001:2013 | ISO 27001:2022 | Change |
|---|---|---|
| A.6.1.1 | A.5.2 | Renamed (roles and responsibilities) |
| A.9 (Access control) | A.5.15-A.5.18, A.8.2-A.8.5 | Split across organisational and technical categories |
| A.11 (Physical) | A.7 | New category A.7 Physical controls |
| A.16 (Incident) | A.5.24-A.5.28 | Consolidated into organisational category A.5 |
| A.18 (Compliance) | A.5.31-A.5.37 | Renumbered into organisational category A.5 |
What Does This Mean for Existing Certificates?
The transition deadline was 31 October 2025. ISO/IEC 27001:2013 certificates that were not transitioned to the 2022 version by then are no longer valid. Certification audits have been conducted exclusively under ISO/IEC 27001:2022 since 1 November 2022. This applies to both recertifications and surveillance audits. If you had a 2013 certificate and missed the transition, you need to complete a full recertification under the 2022 standard.
New Certifications Since 2022
Since publication in October 2022, all first-time certifications run directly under ISO/IEC 27001:2022. The standard was published in Germany as DIN EN ISO/IEC 27001:2024 and is internationally valid. If you are starting a certification today, you work exclusively with the 2022 structure: 93 controls in 4 categories, including the eleven new controls.
Practical Implications for Your ISMS
For organisations working under or transitioning to 2022, there are concrete to-dos:
1. Update the Statement of Applicability: The SoA must be restructured to cover 93 controls under the 2022 structure. All eleven new controls must be explicitly addressed, either with a concrete implementation or a reasoned exclusion.
2. Review the risk register: Cloud risks (A.5.23) and threat intelligence (A.5.7) were under-represented in many 2013 ISMS projects. These gaps must be explicitly captured and assessed in the risk register.
3. Add a secure coding policy: A.8.28 requires documented secure coding guidelines. If you develop or commission software, your organisation needs a corresponding policy with concrete requirements (e.g., OWASP Top 10 as a minimum standard).
4. Define a DLP strategy: A.8.12 requires concrete data leakage prevention measures. This can range from technical solutions to organisational controls, but must be documented and addressed in the SoA.
The interactive control explorer shows you all 93 controls of the 2022 structure with cross-mappings to NIS2, TISAX, GDPR, and BSI IT-Grundschutz. This lets you instantly see where the new controls overlap with other regulatory requirements.
Next Step
If you want to update your ISMS to ISO 27001:2022 or certify for the first time, the control explorer and the SoA template are your practical entry points. Both are freely available.