ISO27001:2022 | What You Need to Know

The Vertical Structure team explore the changes presented by the latest 2022 revision

Written by: David Henderson on Nov 24, 2022

If you are familiar with ISO27001, whether having been previously through the certification process or are looking to implement the standard, you may be aware of a recent revision that was introduced on 25th October 2022 - ISO27001:2022.

It is the first update in over 9 years and although the changes are seen by many of us as moderate, it raises many questions and is important to understand how the changes will affect your business.

As an ISO27001 implementer, our experienced and certified team are well versed in the updated standard and we’ve summarised some of the more important changes to help you understand what it really means.

Andrew neel cckf4 Ts H Auw unsplash


ISO 27001 is an international standard that delivers a framework for Information Security Management Systems (ISMS). In summary, it’s designed to protect an organisation's most valuable assets, namely the data it holds on its customers and employees.

Through the implementation process and policy implementation, it demonstrates an organisation's commitment to handling sensitive data with the utmost care.

ISO27001:2022 - The Key Changes

It has been 9 years since the last update that formed the ISO27001:2013 standard. In summary, here is what has changed for ISO27001:2022:

  • 11 new controls have been added
  • 93 controls in total (down from 114 in ISO 27002:2013)
  • Controls are now grouped into 4 themes (rather than 14 categories)
  • 16 controls have newly added requirements
  • Organisations have 3 years to transition from :2013 to :2022

The single largest change is the addition of 11 new controls. These include:

  • A.5.7 Threat intelligence
  • A.5.23 Information security for use of cloud services
  • A.5.30 ICT readiness for business continuity
  • A.7.4 Physical security monitoring
  • A.8.9 Configuration management
  • A.8.10 Information deletion
  • A.8.11 Data masking
  • A.8.12 Data leakage prevention
  • A.8.16 Monitoring activities
  • A.8.23 Web filtering
  • A.8.28 Secure coding

How Vertical Structure Can Help You

Our team of expert ISO consultants are on hand to answer any questions you may have. If you are ready to implement ISO27001, or wish to start the process of transitioning to the :2022 standard, please feel free to reach out.

What Do The Changes Actually Mean?

The good news is that the changes are relatively small, making the transition from :2013 to :2022 much easier than could be expected from initial reading, many of the changes were already included but have been separated or clarified. To help you understand the changes, here are the most commonly asked questions from customers whom we’ve previously helped in the implementation of ISO27001.

I’m in the process of obtaining ISO27001 under the :2013 standard - does this affect me?

If you have signed up with a certification body to be certified to :2013 you will be certified to that version of the standard. If you haven’t yet engaged and would like to be certified to :2022 you should speak to certification bodies regarding their timelines for implementation.

The certification bodies are currently transitioning to the new version of the standard themselves, which includes training for their own auditors. So, depending on the certification body the lead time could vary.

My ISO27001:2013 accreditation renews in the next 6/12/24 months - does this affect me?

There is a lead time for certification bodies to be able to certify to this new standard, all certification bodies should be ready to audit and certify to :2022 by at the very latest, the end of Q3 2023.

What this means for those due to be re-certified in the earlier part of 2023 may have to re-certify against the 2013 standard if their certification body isn’t ready. the best advice we can give is for you to get in contact with your certification body sooner rather than later to establish their internal timeline and what this means for you.

What if we're not ready for recertification to :2022 by 2023

You have 2 options in this scenario,:

  1. The first is that there is a transition period of up to 3 years to move to 2022, so you can re-certify to 2013 and plan a transition over the coming years when you’re ready.
  1. Our preferred scenario is to start getting ready now by identifying what the changes are and what you need to do to meet these controls. This will prepare you ahead of time and help to avoid a ‘big bang’ approach when you come to transition.

What are there benefits of the :2022 revisions?

The :2022 revision merges several controls that cut down duplication and introduces more modern requirements that are suitable for how businesses use cloud-based services in today's world.

The controls have been reduced from 114 (in :2013) to 93 (in :2022) and are now contained in 4 main categories - people, physical, technological and operational.

Why is ISO27001 useful to me?

The most obvious reason to certify to ISO 27001 is that it will help reduce the likelihood of significant and costly information security threats. This includes helping you to implement controls to help limit the damage from both cyber criminals breaking into your organisation and data breaches caused by internal actors making mistakes.

I have Cyber Essentials, why should I be looking at ISO as well?

You should implement ISO as part of a wider business decision. It’s not for everyone, but if you're looking to develop your cyber maturity and grow your business with security at its heart, then now is the perfect time to get started.

ISO27001 2022 Infographic

Need help?

Email Us
email hidden; JavaScript is required

Or send us a quick message

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.