ISO 27001:2022 is the latest version of the international standard for information security management systems. The update introduces important changes that affect both new implementations and existing certified organisations.
New control structure
The previous control annex (Annex A) with 14 categories and 114 controls has been restructured into 4 themes and 93 controls:
- Organisational controls (37)
- People controls (8)
- Physical controls (14)
- Technological controls (34)
New controls
11 entirely new controls have been added, including:
- Threat intelligence
- Information security for use of cloud services
- ICT readiness for business continuity
- Physical security monitoring
- Configuration management
- Data masking
What does this mean for you?
If you are already certified, you need to update your Statement of Applicability (SoA) and ensure that the new controls are addressed. The transition period expires in October 2025.
If you are planning a new certification, you should base it directly on the 2022 version.
Need support with the transition? Contact us and we will help you.
More insights
Related articles
Compliance cost isn't a technology problem. It's governance debt.
European companies spend ~€150 billion a year on regulatory compliance. AI won't speed that up if governance is missing.
Security that isn't communicated is security that doesn't exist
The right risk picture isn't enough if leadership can't act on it. How to reach decisions upward and behaviour downward.