ISO 27001 | 30 January 2026 | 14 min read

ISO 27001:2022 vs 2013: What Changed in Annex A

Understand the key differences between ISO 27001:2022 and the 2013 version, including the restructured Annex A controls, new control additions, and transition timeline.


GRCTrack Team

Compliance Experts


Understanding the ISO 27001:2022 Update

The 2022 revision of ISO/IEC 27001 represents the most significant update to the information security management system (ISMS) standard since its 2013 version. While the core ISMS management framework remains largely consistent, the normative Annex A underwent substantial restructuring and modernization.

This guide examines the key changes, their implications, and what organizations need to consider for transition.


Executive Summary of Changes

Management system clauses (4-10):
- Minor editorial refinements throughout
- New clause 6.3, Planning of changes
- Stronger emphasis on the process approach (criteria for ISMS processes in 8.1)
- Updated references to other standards

Annex A (controls):
- Reduced from 114 controls to 93
- Restructured from 14 domains to 4 themes
- 11 new controls added
- 57 controls from 2013 consolidated into 24 controls in 2022
- The remaining 58 controls carried over with updated wording, names or numbering
- Control attributes introduced (via ISO 27002:2022)


The Restructured Annex A

From 14 Domains to 4 Themes

ISO 27001:2013 organized 114 controls across 14 domains (A.5 through A.18). ISO 27001:2022 consolidates 93 controls into four thematic categories:

| Theme | Controls | Description |
|-------|----------|-------------|
| A.5 Organizational | 37 | Policies, governance, asset management, supplier relations |
| A.6 People | 8 | Screening, awareness, employment lifecycle |
| A.7 Physical | 14 | Perimeters, secure areas, equipment protection |
| A.8 Technological | 34 | Access control, cryptography, development, operations |

This restructuring provides:
- Clearer categorization by responsibility area
- Reduced overlap between control areas
- More logical grouping for implementation teams

The 11 New Controls

ISO 27001:2022 introduces the following new controls reflecting current security practices:

A.5.7 Threat intelligence: collecting and analysing information about information security threats, and using it to inform controls and risk decisions.

A.5.23 Information security for use of cloud services: defining processes for the acquisition, use, management of and exit from cloud services in line with the organization's security requirements.

A.5.30 ICT readiness for business continuity: planning, implementing, maintaining and testing ICT readiness against business continuity objectives and ICT continuity requirements.

A.7.4 Physical security monitoring: continuously monitoring premises for unauthorized physical access.

A.8.9 Configuration management: establishing, documenting, implementing, monitoring and reviewing secure configurations of hardware, software, services and networks.

A.8.10 Information deletion: deleting information held in systems, devices or other storage media when it is no longer required, as dictated by legal, regulatory and business requirements.

A.8.11 Data masking: masking data in accordance with the access control policy, other topic-specific policies, business requirements and applicable legislation.

A.8.12 Data leakage prevention: applying DLP measures to systems, networks and other devices that process, store or transmit sensitive information.

A.8.16 Monitoring activities: monitoring networks, systems and applications for anomalous behaviour and evaluating it for potential information security incidents.

A.8.23 Web filtering: managing access to external websites to reduce exposure to malicious content.

A.8.28 Secure coding: applying secure coding principles to software development.


Control Mergers and Removals

No 2013 control was dropped without a successor. Instead, 57 of the 2013 controls were consolidated into 24 controls in 2022 to reduce redundancy, so a single 2022 control frequently absorbs several 2013 controls. Some others (for example A.12.4.4 Clock synchronisation, now A.8.17) were simply renumbered rather than merged. Representative mergers:

| Original controls (2013) | Merged into (2022) |
|-------------------------|-------------------|
| A.8.1.3 Acceptable use of assets; A.8.2.3 Handling of assets | A.5.10 Acceptable use of information and other associated assets |
| A.8.3.1 Management of removable media; A.8.3.2 Disposal of media; A.8.3.3 Physical media transfer; A.11.2.5 Removal of assets | A.7.10 Storage media |
| A.12.4.1 Event logging; A.12.4.2 Protection of log information; A.12.4.3 Administrator and operator logs | A.8.15 Logging |
| A.14.2.1 Secure development policy; A.14.2.6 Secure development environment | A.8.25 Secure development life cycle |

Organizations with existing controls aligned to 2013 requirements should map them to the 2022 structure using the official mapping table in ISO 27002:2022 Annex B.


Control Attributes

ISO 27002:2022 introduces five attribute types to help organizations filter and organize controls. In the standard each value is written as a hashtag (for example #Preventive, #Confidentiality, #Identify) so that controls can be sorted and filtered in a spreadsheet or GRC tool:

1. Control type
   - Preventive
   - Detective
   - Corrective

2. Information security properties
   - Confidentiality
   - Integrity
   - Availability

3. Cybersecurity concepts (the same five functions as the NIST Cybersecurity Framework)
   - Identify
   - Protect
   - Detect
   - Respond
   - Recover

4. Operational capabilities
   - Governance
   - Asset management
   - Information protection
   - Human resource security
   - Physical security
   - System and network security
   - Application security
   - Secure configuration
   - Identity and access management
   - Threat and vulnerability management
   - Continuity
   - Supplier relationships security
   - Legal and compliance
   - Information security event management
   - Information security assurance

5. Security domains
   - Governance and ecosystem
   - Protection
   - Defence
   - Resilience

These attributes are informative (not normative) and can assist with:
- Mapping controls to organizational functions
- Filtering controls for specific implementation teams
- Cross-framework alignment (e.g., with NIST CSF)


Changes to the ISMS Clauses

While Annex A received the most visible changes, the management system clauses (4-10) were also updated:

Clause 4, Context of the organization:
- 4.2 now requires determining which interested-party requirements will be addressed through the ISMS
- 4.4 requires the processes needed for the ISMS, and their interactions, to be determined

Clause 5, Leadership:
- 5.2 clarifies that the information security policy must be "available to interested parties, as appropriate"

Clause 6, Planning:
- New 6.3, Planning of changes: changes to the ISMS must be carried out in a planned manner
- 6.2: information security objectives must now be monitored and be available as documented information

Clause 7, Support:
- Documented information requirements clarified
- 7.4 Communication simplified to "how to communicate"

Clause 8, Operation:
- 8.1 requires criteria for ISMS processes to be established and the processes controlled against them
- Externally provided processes, products or services relevant to the ISMS must be controlled

Clause 9, Performance evaluation:
- 9.2 split into 9.2.1 General and 9.2.2 Internal audit programme
- 9.3 split into 9.3.1 General, 9.3.2 Management review inputs and 9.3.3 Management review results; review inputs now include changes in the needs and expectations of interested parties

Clause 10, Improvement:
- Sequencing changed: continual improvement is now 10.1, nonconformity and corrective action 10.2


Transition Timeline

Organizations certified to ISO 27001:2013 must transition to ISO 27001:2022 within the period set by the IAF (IAF MD 26):

Key dates:
- 25 October 2022: ISO/IEC 27001:2022 published
- 30 April 2024: last date for initial certification to ISO 27001:2013; from then on new certificates are issued only to the 2022 edition
- 31 October 2025: end of the three-year transition period; all ISO 27001:2013 certificates expire or are withdrawn

Transition approach:
1. Gap analysis comparing the current ISMS to the 2022 requirements
2. Statement of Applicability (SoA) update to the 2022 control structure
3. Risk treatment plan update for new and merged controls
4. Documentation updates (policies, procedures)
5. Internal audit against the 2022 requirements
6. Transition audit by the certification body
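Steps 1 to 3 of that procedure are mostly a structured mapping job, and it is easy to lose an exclusion or a justification when several 2013 controls collapse into one 2022 control. The script below is an added example (editor's code, not GRCTrack's or ISO's) of how to do the SoA mapping mechanically: it consolidates merged controls, carries renumbered ones across, flags the 11 new controls for a risk-based decision, reports any 2013 control the table does not cover, and, importantly, surfaces controls whose 2013 predecessors disagreed on applicability so a human reconciles the justification. The correspondence dict is a constructed excerpt covering only the mergers discussed on this page; the complete table is ISO/IEC 27002:2022 Annex B, and the sample SoA is constructed data.

```python
"""Map a 2013-structured Statement of Applicability (SoA) onto the 2022
Annex A structure.  Added example; not the page author's or ISO's code."""

# Constructed EXCERPT of the 2013 -> 2022 correspondence.  The complete,
# authoritative table is ISO/IEC 27002:2022 Annex B; extend this dict from
# it before running the script against a real SoA.
MAP_2013_TO_2022 = {
    # 2013 controls consolidated into one 2022 control (many-to-one)
    "A.8.1.3": "A.5.10", "A.8.2.3": "A.5.10",
    "A.8.3.1": "A.7.10", "A.8.3.2": "A.7.10", "A.8.3.3": "A.7.10",
    "A.11.2.5": "A.7.10",
    "A.12.4.1": "A.8.15", "A.12.4.2": "A.8.15", "A.12.4.3": "A.8.15",
    "A.14.2.1": "A.8.25", "A.14.2.6": "A.8.25",
    # renumbered only (one-to-one)
    "A.12.4.4": "A.8.17",
}

# The 11 controls with no 2013 predecessor: they enter the SoA through the
# risk assessment, not through mapping.
NEW_2022 = {
    "A.5.7", "A.5.23", "A.5.30", "A.7.4", "A.8.9", "A.8.10",
    "A.8.11", "A.8.12", "A.8.16", "A.8.23", "A.8.28",
}


def map_soa(soa_2013, mapping=MAP_2013_TO_2022, new_controls=NEW_2022):
    """soa_2013: {2013 control id: (applicable: bool, justification: str)}.

    Returns (soa_2022, unmapped).  soa_2022 maps each 2022 control id to
    {"status": "mapped" | "new", "applicable": bool | None,
     "sources": [(2013 id, applicable), ...], "justifications": [str, ...]}.
    A merged control is applicable when ANY predecessor was applicable:
    the 2022 control covers the union of the old requirements.
    'unmapped' lists 2013 ids absent from the mapping table.
    """
    soa_2022 = {}
    unmapped = []
    for old_id, (applicable, justification) in soa_2013.items():
        new_id = mapping.get(old_id)
        if new_id is None:
            unmapped.append(old_id)
            continue
        entry = soa_2022.setdefault(new_id, {
            "status": "mapped", "applicable": False,
            "sources": [], "justifications": [],
        })
        entry["applicable"] = entry["applicable"] or applicable
        entry["sources"].append((old_id, applicable))
        if justification:
            entry["justifications"].append(f"{old_id}: {justification}")
    for new_id in new_controls:
        # applicable=None: decision deferred to the 2022 risk assessment
        soa_2022.setdefault(new_id, {
            "status": "new", "applicable": None,
            "sources": [], "justifications": [],
        })
    return soa_2022, sorted(unmapped)


def conflicts(soa_2022):
    """2022 controls whose 2013 predecessors disagreed on applicability.
    The merged justification must be rewritten by hand here; an automatic
    'any' merge must not silently hide an earlier documented exclusion."""
    return sorted(
        cid for cid, e in soa_2022.items()
        if {a for _, a in e["sources"]} == {True, False}
    )


def pending_decisions(soa_2022):
    """New 2022 controls still awaiting an applicability decision."""
    return sorted(cid for cid, e in soa_2022.items() if e["applicable"] is None)


# Constructed sample SoA excerpt in the 2013 structure; not real data.
SAMPLE_SOA_2013 = {
    "A.8.1.3": (True, "Acceptable use policy POL-07"),
    "A.8.2.3": (True, "Asset handling procedure PRC-12"),
    "A.8.3.1": (True, "Removable media procedure PRC-15"),
    "A.11.2.5": (False, "Excluded: equipment never leaves the site"),
    "A.12.4.1": (True, "Logging standard STD-03"),
    "A.12.4.3": (True, "Admin logs forwarded to SIEM"),
    "A.12.4.4": (True, "NTP from internal stratum-2 servers"),
    "A.14.2.1": (True, "Secure development policy POL-11"),
    "A.9.4.2": (True, "Secure log-on; deliberately absent from the excerpt"),
}

if __name__ == "__main__":
    soa, missing = map_soa(SAMPLE_SOA_2013)
    for cid in sorted(soa):
        e = soa[cid]
        srcs = ", ".join(s for s, _ in e["sources"]) or "-"
        print(f"{cid:<7} {e['status']:<6} applicable={e['applicable']!s:<5} from {srcs}")
    print("unmapped 2013 controls (extend the table):", missing)
    print("applicability conflicts to reconcile by hand:", conflicts(soa))
    print("new controls awaiting a risk-based decision:", pending_decisions(soa))
```

In the sample, A.7.10 Storage media inherits one applicable and one excluded predecessor, so it is reported as a conflict rather than quietly marked applicable; A.9.4.2 is reported as unmapped because the excerpt table does not contain it. Treat both reports as the to-do list for the gap analysis, not as noise.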


What This Means for Your Organization

Already Certified (2013)

If you hold ISO 27001:2013 certification:

- Plan your transition audit before 31 October 2025
- Start with an SoA mapping exercise (2013 to 2022 controls)
- Address the 11 new controls through your risk treatment process
- Update documentation to reflect the new control structure
- Consider whether new controls represent actual gaps or existing practices that only need documenting

Seeking First Certification

If pursuing initial certification:

- Certify directly to ISO 27001:2022
- Build your SoA using the 2022 control structure
- Use the control attributes for implementation planning
- Reference ISO 27002:2022 for implementation guidance

Implications for Multi-Framework Programs

Organizations with multiple certifications should note:

- ISO 27001:2022 aligns more directly with NIST CSF through the cybersecurity concept attributes
- New controls (threat intelligence, cloud security, DLP) align with regulatory expectations
- Control consolidation may simplify multi-framework mapping


Common Transition Questions

Q: Do we need to rewrite all our documentation? A: Not necessarily. Many organizations update their SoA mapping and control references while maintaining existing procedure content. The control activities often remain the same; only the numbering and grouping changed.

Q: What if we just implemented ISO 27001:2013? A: Recent implementations can often transition quickly. Conduct a gap analysis and address new controls. Your certification body can advise on transition timing.

Q: Are the new controls mandatory? A: Controls are selected based on risk assessment. If a new control addresses an applicable risk, it should be included. If the risk doesn't exist in your environment, exclusion may be justified in your SoA.

Q: Can we transition early? A: Yes. Many organizations are proactively transitioning to avoid the 2025 deadline pressure and to benefit from the updated control structure.


Related Resources

- [ISO 27001 Statement of Applicability (SoA)](/kb/iso-27001-statement-of-applicability-soa)
- [ISO 27001 Annex A Controls Overview](/kb/iso-27001-annex-a-controls-overview)
- [ISO 27001 Risk Assessment](/kb/iso-27001-risk-assessment)
- [ISO 27001 Stage 1 and Stage 2 Audits](/kb/iso-27001-stage-1-and-stage-2-audits)


This article provides general information about ISO 27001:2022 changes. Consult the official ISO/IEC 27001:2022 standard and your certification body for specific transition guidance.

Topics: ISO 27001, ISMS, Annex A, ISO 27002, Certification, Transition
