ISO 27001:2022 is the latest version of the international standard for information security management systems. The update introduces important changes that affect both new implementations and existing certified organisations.
New control structure
The previous control annex (Annex A) with 14 categories and 114 controls has been restructured into 4 themes and 93 controls:
- Organisational controls (37)
- People controls (8)
- Physical controls (14)
- Technological controls (34)
New controls
11 entirely new controls have been added, including:
- Threat intelligence
- Information security for use of cloud services
- ICT readiness for business continuity
- Physical security monitoring
- Configuration management
- Data masking
What does this mean for you?
If you are already certified, you need to update your Statement of Applicability (SoA) and ensure that the new controls are addressed. The transition period expires in October 2025.
If you are planning a new certification, you should base it directly on the 2022 version.
Need support with the transition to ISO 27001:2022? Contact us and we will help you.
More insights
Related articles
Proportionality has an expiry date
Why a correct risk assessment can still become your biggest vulnerability in an AI-driven organisation. The assessment was true the day it was written — the question is how long it stays that way.
Our own software won't solve your problem
We build and sell software for security and compliance. So this might sound strange: the software won't solve your problem. Not by itself. Let us explain what it actually can't do.
Civil cyber resilience is part of total defence
The day Sweden's payment and e-ID services go down for three hours, we feel how thin the digital layer is. Why governance, not technology, decides whether the country holds.