If you’ve been looking at ISO 27001 for a while, you may have noticed references to both “ISO 27001:2013” and “ISO 27001:2022.” These are two versions of the same standard — the 2022 edition is the current version, and it replaced the 2013 edition.
This guide explains the key differences, what the update means for organisations just starting out, and what existing certificate holders need to do.
Background: Why Was the Standard Updated?
So what exactly is the ISO 27001:2022 version? ISO standards are reviewed on a regular cycle — typically every five years — to ensure they remain relevant to the current environment. By 2022, the 2013 edition of ISO 27001 was nearly a decade old. The threat landscape had changed significantly: cloud computing, remote working, and supply chain attacks had all become mainstream concerns rather than edge cases.
The 2022 revision — formally called ISO/IEC 27001:2022 — was published in October 2022. It’s the first major revision since 2013.
There’s also a companion document update: ISO/IEC 27002:2022, which provides implementation guidance for the Annex A controls. The 2022 revision of ISO 27002 came first (February 2022) and the Annex A in ISO 27001:2022 directly mirrors the updated 27002 control set. Read more about the relationship between ISO 27001 and ISO 27002.
What Changed in the Main Clauses (Clauses 4–10)?
The changes to the main body of the standard (the clauses that define the requirements for the management system) were relatively modest. The structure, terminology, and core logic of the standard are largely the same.
ISO 27001:2022 — All 11 Clauses at a Glance
The standard is structured into 11 clauses that follow a logical sequence — from understanding your organisation through to continual improvement. Clauses 1–3 are introductory; the requirements begin at Clause 4.
Notable changes in the clauses include:
Clause 6.2 (Information security objectives): A new requirement was added that information security objectives must be monitored. This is a small but meaningful addition — it pushes organisations to track progress against objectives, not just set them.
Clause 6.3 (Planning of changes): A new sub-clause was added requiring that changes to the ISMS are carried out in a planned manner. This formalises good practice that many organisations already followed.
Clause 8.1 (Operational planning and control): The wording was updated to make clear that processes need to be established and controlled, not just planned.
These are incremental improvements rather than structural changes. If you understand the 2013 version of the clauses, you’ll find the 2022 version immediately familiar.
What Is ISO 27001? The Framework at a Glance
ISO 27001 is an internationally recognised standard for managing information security. It works by combining three pillars inside a risk-driven management system.
People
- Security awareness training
- Roles & responsibilities
- Background screening
- Acceptable use policies
- Management commitment
Processes
- Risk assessment & treatment
- Incident response procedures
- Change management
- Internal audit programme
- Supplier security reviews
Technology
- Access controls & MFA
- Encryption at rest & transit
- Vulnerability management
- Logging & monitoring
- Network security controls
What Changed in Annex A? (The Controls)
This is where the most significant changes occurred. The control set in Annex A was substantially restructured and refreshed.
The number of controls changed
- 2013: 114 controls across 14 control domains
- 2022: 93 controls across 4 control categories (themes)
The reduction from 114 to 93 doesn’t mean controls were removed — many were merged or consolidated. And 11 new controls were added that didn’t exist in 2013.
The 4 new control themes
The 14 control domains from 2013 were replaced with 4 broader categories (called “themes”):
- Organisational controls (37 controls) — policies, roles, responsibilities, supplier management, incident management
- People controls (8 controls) — screening, training, awareness, disciplinary process, offboarding
- Physical controls (14 controls) — physical security perimeters, entry controls, equipment protection
- Technological controls (34 controls) — endpoint devices, access control, cryptography, secure development, monitoring
The 11 new controls in ISO 27001:2022
These are the controls that are genuinely new — they didn’t exist in the 2013 standard:
| Control | Name |
|---|---|
| 5.7 | Threat intelligence |
| 5.23 | Information security for use of cloud services |
| 5.30 | ICT readiness for business continuity |
| 7.4 | Physical security monitoring |
| 8.9 | Configuration management |
| 8.10 | Information deletion |
| 8.11 | Data masking |
| 8.12 | Data leakage prevention |
| 8.16 | Monitoring activities |
| 8.23 | Web filtering |
| 8.28 | Secure coding |
The new controls reflect exactly what you’d expect given the time elapsed since 2013 — cloud security, threat intelligence, data leakage prevention, and secure coding are all very much 21st-century concerns.
Attributes were introduced
The 2022 version also introduced a system of “attributes” for each control — ways to categorise controls by properties such as their type (preventive, detective, corrective), information security properties (confidentiality, integrity, availability), cybersecurity concepts, and more.
These attributes are optional in the sense that the standard doesn’t require you to use them. But they’re useful for organisations that want to map their controls to other frameworks (like NIST or CIS Controls) or filter and analyse their control set.
What Didn’t Change
Despite the restructuring, the fundamental logic of ISO 27001 is unchanged:
- It’s still a risk-based management system standard
- You still need to define scope, conduct a risk assessment, produce a Statement of Applicability, and implement appropriate controls
- The certification process (Stage 1 and Stage 2 audits, surveillance audits, recertification) is unchanged
- The PDCA (Plan-Do-Check-Act) improvement cycle is still central
If you implement ISO 27001:2022, you’re implementing the same framework as before — just with a modernised and consolidated control set.
What About ISO 27001 Amendment 1:2024?
In February 2024, a further update was published: ISO/IEC 27001:2022/AMD 1:2024. This amendment updated Clause 6.2 to add climate change considerations to information security planning — specifically, the requirement to consider whether climate change is a relevant issue for the organisation’s context.
For most organisations, this is a modest addition. It doesn’t introduce new controls or fundamentally change the framework. Read more about Amendment 1:2024.
What Did Existing Certificate Holders Need to Do?
When the 2022 standard was published, organisations that were already certified to ISO 27001:2013 were given a transition period to move to the new version. IAF (International Accreditation Forum) set the transition deadline as 31 October 2025.
This means all certified organisations should now be certified to ISO 27001:2022. If your certificate says 2013, it should have been upgraded at your last surveillance or recertification audit.
The main transition tasks for existing certificate holders were:
- Review the new Annex A controls and update the Statement of Applicability
- Assess the 11 new controls and decide whether they apply
- Map existing 2013 controls to their 2022 equivalents
- Update documentation to reference the new control numbers and categories
What If You’re Starting from Scratch?
If you’re just starting your ISO 27001 journey, you should implement ISO/IEC 27001:2022 from the outset. The 2013 version is no longer the current standard, and no certification body should be certifying against it.
The ISO 27001 toolkit and all content on this site are aligned to the 2022 version. When you see control numbers like 5.1, 6.3, or 8.12, those are the 2022 control references.
The ISO 27001 Certification Journey
From scoping to certificate in hand — here's what the typical path to ISO 27001 certification looks like, and how long each phase takes.
Summary of Key Changes
| Aspect | 2013 | 2022 |
|---|---|---|
| Controls | 114 across 14 domains | 93 across 4 themes |
| New controls | — | 11 new controls |
| Monitoring of objectives | Not explicit | Explicitly required |
| Planning of ISMS changes | Not explicit | New Clause 6.3 |
| Cloud security | Limited | Control 5.23 specifically addresses it |
| Threat intelligence | Not addressed | Control 5.7 |
| Attributes | Not present | Optional attributes system added |
Useful Next Steps
- Full breakdown of the ISO 27001 Annex A controls
- ISO 27001 vs ISO 27002 — understanding the companion standard
- ISO 27001 Amendment 1:2024 explained
- Start implementing ISO 27001:2022
FAQs
What does the “:2022” mean — is my existing ISO 27001 certification still valid?
The “:2022” refers to the year the current version of the standard was published. ISO 27001 was previously ISO 27001:2013, and the 2022 update introduced significant changes — most notably a restructured Annex A reducing from 114 controls across 14 domains to 93 controls across 4 themes, and 11 new controls added to address modern threats like cloud security and threat intelligence. If you were certified to the 2013 version, certification bodies required transition to the 2022 standard by October 2025. New certifications are issued against ISO 27001:2022 only.
What’s the difference between ISO 27001 and Cyber Essentials?
Cyber Essentials is a UK government-backed scheme focused on a specific set of technical controls — firewalls, secure configuration, access control, malware protection, and patch management. It’s relatively quick and inexpensive to achieve. ISO 27001 is a comprehensive management system standard that covers people, processes, and technology across your entire organisation, with a risk-based approach rather than a fixed control checklist. Many organisations hold both: Cyber Essentials provides a technical baseline; ISO 27001 demonstrates broader security governance maturity. Government contracts often require Cyber Essentials as a minimum, with ISO 27001 for higher-risk suppliers.
What is the Statement of Applicability and why does it matter?
The Statement of Applicability (SoA) is one of the most important documents in your ISMS. It lists all 93 Annex A controls, states whether each one is applicable to your organisation, and — critically — provides a justification for any controls you’ve excluded. Auditors pay close attention to the SoA because it demonstrates that you’ve thought carefully about your risks and made deliberate, documented decisions about your control set. An SoA that simply marks everything as applicable without justification, or excludes controls without explanation, is a common source of audit findings.
Does ISO 27001 cover GDPR compliance?
ISO 27001 and GDPR overlap significantly but are not the same thing. ISO 27001 addresses the security side of data protection — how you protect information assets from threats. GDPR also covers lawful basis for processing, data subject rights, privacy notices, data minimisation, and retention — none of which are part of ISO 27001. Achieving ISO 27001 will help demonstrate that you have appropriate technical and organisational measures in place (a key GDPR requirement under Article 32), but it doesn’t make you GDPR compliant on its own. The two frameworks are complementary and are typically pursued together.
Who issues ISO 27001 certificates and how do I know if one is legitimate?
ISO 27001 certificates are issued by accredited certification bodies — organisations that have been independently assessed and approved to conduct ISO 27001 audits. In the UK, accreditation is granted by UKAS (United Kingdom Accreditation Service). Certificates issued by non-accredited bodies may look identical but carry significantly less weight with enterprise buyers and regulators who understand the difference. To verify a certificate is legitimate, check that the certification body is UKAS-accredited (or accredited by the equivalent national body in other countries) and look for the IAF mark on the certificate. Many accredited bodies also maintain public registers where certificates can be verified.
