ISO 27001:2022

What is ISO 27001:2022?

ISO 27001:2022 is the current edition of the international standard for information security management systems, published on 25 October 2022. The most visible change for implementers is the restructured Annex A: existing controls have to be mapped onto its four new themes and the Statement of Applicability rebuilt against the 93 consolidated controls.


ISO 27001:2022 is the most recent version of the international standard for an information security management system (ISMS). Published on 25 October 2022, it updates the 2013 edition to reflect current information security practice and emerging threats. The standard provides a framework for organisations to manage the security of their information across people, processes and technology.

Key Changes

  • Annex A Controls: The number of controls in Annex A has been reduced from 114 to 93. These controls are now grouped into four themes instead of 14 domains:
    • Organisational Controls (37 controls)
    • People Controls (8 controls)
    • Physical Controls (14 controls)
    • Technological Controls (34 controls)
  • Risk Management: Clause 4 places more emphasis on the context of the organisation and the needs of interested parties; Clause 4.2 now asks you to state which of those requirements the ISMS will address.
  • Streamlined Language: The new version uses simpler language to make the standard more accessible and easier to implement.

ISO 27001 Context

The ISO 27001:2022 standard is the core of the ISO/IEC 27000 family of standards. Organisations certified to the 2013 version were given a three-year transition period, ending 31 October 2025, to update their ISMS to the 2022 requirements and pass a transition audit.

How to implement ISO 27001:2022

Implementing ISO 27001:2022 means moving from the 2013 Annex A structure (114 controls in 14 domains) to the consolidated set of 93 controls in four themes. As a Lead Auditor, I recommend the following 10-step roadmap to build an Information Security Management System (ISMS) that is resilient, audit-ready and aligned with the four control themes.

Transitioning to, or implementing, ISO 27001:2022 requires a working understanding of the restructured Annex A and of the 11 controls that are new in this revision. This guide gives the technical sequence needed to reach certification readiness while hardening your organisation's security posture.

1. Provision a Comprehensive Gap Analysis

Conduct a technical review of existing controls against the 93 consolidated controls of the 2022 revision. This surfaces specific deficiencies, typically in areas the 2013 edition did not cover explicitly, such as threat intelligence and cloud services security. Technical requirements include:

  • Mapping legacy Annex A categories to the new Organisational, People, Physical and Technological themes.
  • Identifying the technical work needed for the 11 new controls. None of them is mandatory in itself, but each must be assessed and either implemented or excluded with a justification in the SoA.
  • Documenting a transition roadmap with specific milestones for certification by a UKAS-accredited certification body.

2. Formalise Leadership and Governance Structures

Establish a Security Steering Committee to ensure senior management oversight and resource allocation for the ISMS. Leadership commitment is a core requirement of Clause 5. Key actions involve:

  • Authoring the high-level Information Security Policy aligned with business objectives.
  • Assigning formal security roles and responsibilities with clear accountability.
  • Establishing an Information Security Steering Committee (ISSC) with citable meeting minutes.

3. Provision a Centralised Asset Register

Establish a primary database to act as the single source of truth for all organisational hardware, software, and data assets. You cannot protect assets that have not been identified and classified. Technical requirements include:

  • Categorising assets by type, such as cloud infrastructure, on-premise servers, and sensitive PII.
  • Assigning technical Asset Owners responsible for data integrity and availability.
  • Implementing a classification scheme, for example Public, Internal, Confidential and Restricted.

4. Formalise the Risk Assessment Methodology

Deploy a systematic risk assessment process to identify vulnerabilities and threats to your identified assets. This ensures that security investments are prioritised based on actual business impact. Requirements include:

  • Defining the criteria for assessing Confidentiality, Integrity, and Availability (CIA) risks.
  • Documenting the Risk Treatment Plan (RTP) to address identified security gaps.
  • Linking risk outcomes directly to the selection of Annex A controls.

5. Author the Statement of Applicability (SoA)

Produce a formal SoA that justifies the inclusion or exclusion of the 93 ISO 27001:2022 controls. This is the primary document used by auditors to verify your security posture. Requirements include:

  • Justifying the selection of the 11 new controls, including Web Filtering and Secure Coding.
  • Linking applicable controls to the specific risks identified in the RTP.
  • Ensuring the document is version-controlled and approved by executive leadership.

6. Implement Identity and Access Management (IAM)

Provision technical controls to secure access to sensitive systems and data environments. Restricting access reduces the risk of unauthorised modification or exfiltration. Implementation steps involve:

  • Mandating Multi-Factor Authentication (MFA) for all remote and privileged administrative access.
  • Implementing the Principle of Least Privilege (PoLP) across all user IAM roles.
  • Reviewing user access permissions quarterly to identify and revoke unnecessary privileges.
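As an added example (not the page's own tooling), here is what the quarterly access review in this step can look like as a script. It runs over a constructed export of user/role assignments and raises a finding for every privileged or remote account without MFA, every assignment idle for more than a quarter, and every privileged service account, tagging each finding with the Annex A control it is evidence against. The export fields, the sample users, the review date and the 90-day idle threshold are all assumptions for illustration; map them to your identity provider's real export and your own access policy.

```python
"""Quarterly access review over an IAM export.

Added example for this page, not the page's own tooling. The export format,
the sample users, the review date and the 90-day idle threshold are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample export: one record per user/role assignment.
SAMPLE_EXPORT = [
    {"user": "alice", "role": "cloud-admin", "privileged": True, "remote": True,
     "mfa": True, "last_login": "2024-03-02"},
    {"user": "bob", "role": "cloud-admin", "privileged": True, "remote": False,
     "mfa": False, "last_login": "2024-03-05"},
    {"user": "carol", "role": "developer", "privileged": False, "remote": True,
     "mfa": False, "last_login": "2024-02-28"},
    {"user": "dave", "role": "db-owner", "privileged": True, "remote": False,
     "mfa": True, "last_login": "2023-10-01"},
    {"user": "erin", "role": "reader", "privileged": False, "remote": False,
     "mfa": True, "last_login": "2023-11-12"},
    {"user": "svc-backup", "role": "backup-operator", "privileged": True, "remote": False,
     "mfa": False, "last_login": "2024-03-01", "service_account": True},
]

REVIEW_DATE = date(2024, 3, 8)      # assumed review date, fixed so the run is reproducible
STALE_AFTER = timedelta(days=90)    # assumed policy: a quarter without use means revoke or re-justify


@dataclass(frozen=True)
class Finding:
    user: str
    role: str
    control: str    # Annex A control the finding is evidence against
    issue: str


def review_access(records, review_date=REVIEW_DATE, stale_after=STALE_AFTER):
    """Apply the three review rules to every assignment and return the findings."""
    findings = []
    for r in records:
        idle = review_date - date.fromisoformat(r["last_login"])
        is_service = r.get("service_account", False)

        # A.8.5 Secure authentication: MFA for privileged and remote access.
        # Service accounts cannot complete interactive MFA, so they are handled below.
        if (r["privileged"] or r["remote"]) and not r["mfa"] and not is_service:
            findings.append(Finding(r["user"], r["role"], "8.5",
                                    "privileged or remote access without MFA"))

        # A.8.2 Privileged access rights: a privileged non-human identity needs a
        # documented owner and a compensating control in place of MFA.
        if is_service and r["privileged"]:
            findings.append(Finding(r["user"], r["role"], "8.2",
                                    "privileged service account: verify owner and compensating control"))

        # A.5.18 Access rights: remove or re-justify assignments that are not used.
        if idle > stale_after:
            findings.append(Finding(r["user"], r["role"], "5.18",
                                    f"no login for {idle.days} days; revoke or re-justify"))
    return findings


def summarise(findings):
    """Findings per Annex A control, the figure the SoA evidence pack usually needs."""
    counts = {}
    for f in findings:
        counts[f.control] = counts.get(f.control, 0) + 1
    return counts


if __name__ == "__main__":
    results = review_access(SAMPLE_EXPORT)
    for f in results:
        print(f"A.{f.control:<5} {f.user:<12} {f.role:<16} {f.issue}")
    print("summary:", summarise(results))
```

On the constructed data the run produces five findings: two MFA gaps (bob, carol), two stale assignments (dave, erin) and one privileged service account (svc-backup). The per-control summary, plus the dated export it was run against, is the kind of artefact an auditor will ask for as evidence that the quarterly review actually happened.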

7. Deploy Technical Detection and Monitoring Controls

Deploy monitoring tools that give early warning of unauthorised activity or system failure. Control 8.16 (Monitoring activities) expects networks, systems and applications to be watched for anomalous behaviour, and 8.9 (Configuration management) expects configurations to be defined, monitored and reviewed; the intent is detection, not recovery after the fact. Critical tools include:

  • Implementing SIEM (Security Information and Event Management) for log aggregation.
  • Deploying Endpoint Detection and Response (EDR) on all corporate workstations and servers.
  • Configuring automated alerts for unauthorised configuration changes.
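As an added example (again not the page's own tooling), the alerting bullet above can be made concrete with a configuration-baseline check: hash every configuration file under a directory, store the result as the approved baseline, and on each run compare the current state, raising an alert for any added, modified or deleted file that is not tied to an approved change record. That is the kind of evidence controls 8.9 (Configuration management) and 8.16 (Monitoring activities) are looking for. The directory layout, file contents, the change ticket "CHG-0042", the host name and the alert fields are assumptions; in production the baseline would be stored and signed outside the monitored host and the events shipped to the SIEM.

```python
"""Configuration drift detection against a hashed baseline.

Added example for this page, not the page's own tooling. The file layout,
contents, change-ticket reference, host name and event fields are assumptions.
"""
import hashlib
import json
import tempfile
from pathlib import Path

CONTROLS = "A.8.9/A.8.16"   # configuration management / monitoring activities


def fingerprint(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def snapshot(root: Path, patterns=("*.conf", "*.yaml")) -> dict:
    """Map each configuration file under root (POSIX-style relative path) to its SHA-256."""
    state = {}
    for pattern in patterns:
        for p in root.rglob(pattern):
            if p.is_file():
                state[p.relative_to(root).as_posix()] = fingerprint(p.read_bytes())
    return state


def detect_drift(baseline: dict, current: dict, approved=None) -> list:
    """Compare two snapshots; every difference without an approved change record is an alert."""
    approved = approved or {}
    alerts = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            change = "deleted"
        elif path not in baseline:
            change = "added"
        elif baseline[path] != current[path]:
            change = "modified"
        else:
            continue
        if path in approved:
            continue   # change-managed edit (A.8.32); no alert, the ticket is the audit trail
        alerts.append({
            "path": path,
            "change": change,
            "baseline_sha256": baseline.get(path),
            "current_sha256": current.get(path),
            # Removing or altering an approved setting is worse than an unknown new file.
            "severity": "medium" if change == "added" else "high",
        })
    return alerts


def siem_event(alert: dict, host: str = "web-01") -> dict:
    """Shape an alert as the flat record the SIEM ingests (host name is a placeholder)."""
    return {"source": "config-baseline", "host": host, "control": CONTROLS, **alert}


def demo() -> list:
    """Constructed scenario: take a baseline, then make one approved and three unapproved changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ssh").mkdir()
        (root / "ssh" / "sshd.conf").write_bytes(b"PermitRootLogin no\nPasswordAuthentication no\n")
        (root / "app.yaml").write_bytes(b"debug: false\n")
        (root / "tls.conf").write_bytes(b"min_version: TLSv1.2\n")
        baseline = snapshot(root)

        # Approved change, referenced by a made-up change ticket.
        (root / "app.yaml").write_bytes(b"debug: false\nlog_level: info\n")
        # Unapproved changes: weakened sshd policy, TLS policy removed, unknown file added.
        (root / "ssh" / "sshd.conf").write_bytes(b"PermitRootLogin yes\nPasswordAuthentication yes\n")
        (root / "tls.conf").unlink()
        (root / "legacy.conf").write_bytes(b"min_version: TLSv1.0\n")

        return detect_drift(baseline, snapshot(root), approved={"app.yaml": "CHG-0042"})


if __name__ == "__main__":
    for alert in demo():
        print(json.dumps(siem_event(alert)))
```

The scenario yields three alerts (legacy.conf added, ssh/sshd.conf modified, tls.conf deleted) and stays silent on app.yaml because its change is tied to a ticket. Keeping both hashes in the event lets an incident responder prove what the file looked like before and after without relying on the compromised host.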

8. Formalise Supplier and Supply Chain Security

Establish security requirements for all third-party vendors that handle or provide access to organisational data. Managing the supply chain is critical for mitigating external risks. Requirements include:

  • Mandating security clauses and Right to Audit in all Supplier Agreements.
  • Conducting annual risk assessments for high-criticality service providers.
  • Ensuring suppliers adhere to encryption standards for data in transit.

9. Execute the Internal Audit Programme

Audit the ISMS internally to verify that the controls selected in the Statement of Applicability are implemented and operating effectively against the 2022 requirements. Internal audits are required by Clause 9.2 and form the "Check" activity in the PDCA cycle. Audit tasks include:

  • Appointing a competent and independent auditor to review the ISMS.
  • Developing a technical audit checklist based on the Statement of Applicability.
  • Documenting non-conformities and opportunities for improvement in a formal report.

10. Conduct the Management Review and Remediation

Present the performance of the ISMS to senior leadership so they can confirm its continued suitability, adequacy and effectiveness (Clause 9.3). This final step closes the "Act" phase of the improvement cycle. Necessary actions involve:

  • Reviewing internal audit results and the status of corrective actions.
  • Provisioning budget and resources for identified continual improvement initiatives.
  • Signing off the ISMS as ready for the Stage 1 and Stage 2 certification audits.

ISO 27001:2022 FAQ

What is ISO 27001:2022?

ISO 27001:2022 is the current international standard for Information Security Management Systems (ISMS), published on 25 October 2022. It replaced the 2013 version, introducing a consolidated structure of 93 controls to address modern cyber security risks like cloud computing and threat intelligence.

How many controls are in ISO 27001:2022?

ISO 27001:2022 contains exactly 93 security controls, reduced from 114 in the previous version. These controls are categorised into four distinct themes: Organisational (37), People (8), Physical (14), and Technological (34). This thematic reorganisation simplifies the integration of security into business operations.

What are the 11 new controls introduced in the 2022 revision?

The 2022 revision introduced 11 new controls to address evolving security threats, so 11 of the 93 controls (about 12%) are new, most of them in the Technological theme. Like every Annex A control they are not mandatory in themselves: each must be assessed against your risks and either implemented or excluded with a justification in the SoA. The new controls are:

  • Threat Intelligence (5.7)
  • Information Security for Cloud Services (5.23)
  • ICT Readiness for Business Continuity (5.30)
  • Physical Security Monitoring (7.4)
  • Configuration Management (8.9)
  • Information Deletion (8.10)
  • Data Masking (8.11)
  • Data Leakage Prevention (8.12)
  • Monitoring Activities (8.16)
  • Web Filtering (8.23)
  • Secure Coding (8.28)

When is the deadline to transition to ISO 27001:2022?

The deadline to transition to ISO 27001:2022 is 31 October 2025. Organisations certified under the 2013 version must complete a transition audit before that date to keep a valid certificate. Certificates issued against the 2013 version cease to be valid at the end of this three-year transition window.


About the author

Stuart Barker
MSc Security, Lead Auditor, 30+ years' experience, ex-GE leader


Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
