If you were certified to ISO 27001:2013, the 2022 revision isn't a rewrite of the management system — clauses 4 to 10 are largely intact. The real change is in Annex A, the control set. It's been restructured, trimmed, and given eleven new controls that reflect how security actually works now.
From 114 controls to 93
The 2013 version listed 114 controls across 14 domains. The 2022 version reorganizes them into 93 controls across just four themes: Organizational, People, Physical, and Technological. Most of the reduction came from merging overlapping controls, not dropping requirements — so don't assume less work.
The eleven new controls
These are the additions worth reading carefully, because they're where auditors will focus:
- Threat intelligence — actively gathering information about threats relevant to you.
- Information security for cloud services — explicit cloud lifecycle controls.
- ICT readiness for business continuity — bridging security and continuity.
- Physical security monitoring — detecting unauthorized physical access.
- Configuration management — controlling the configurations of hardware, software, services, and networks.
- Information deletion — removing information when it is no longer required.
- Data masking — limiting exposure of sensitive data.
- Data leakage prevention — detecting and preventing unauthorized disclosure.
- Monitoring activities — watching networks, systems, and applications for anomalous behaviour.
- Web filtering — managing access to external websites.
- Secure coding — applying secure coding principles to software development.
The new controls aren't surprises — they're the practices mature security teams already run. The standard caught up to reality.
Attributes: the quiet upgrade
Each 2022 control now carries attributes — tags like control type (preventive/detective/corrective), security property (confidentiality/integrity/availability), and cybersecurity concept (identify/protect/detect/respond/recover). These let you slice your control set in ways that map cleanly onto frameworks like the NIST CSF.
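As an added illustration (not code from the article or from the standard), the following Python model tags controls with the three attribute families described above and shows the two things attributes are for: slicing a Statement of Applicability by attribute value, and finding which cybersecurity-concept/control-type combinations have no applicable control. The control names are taken from the list above; the attribute tags and applicability decisions are constructed for the example, not copied from ISO 27002.

```python
from dataclasses import dataclass

CONTROL_TYPES = ("preventive", "detective", "corrective")
CSF_CONCEPTS = ("identify", "protect", "detect", "respond", "recover")


@dataclass(frozen=True)
class Control:
    name: str                 # control title as listed in the article
    theme: str                # one of the four 2022 themes
    control_type: frozenset   # subset of CONTROL_TYPES
    csf_concept: frozenset    # subset of CSF_CONCEPTS
    applicable: bool = True   # Statement of Applicability decision


# Constructed sample SoA: five of the new controls with illustrative tags.
# The tags below are assumptions for this example, not the standard's own.
SAMPLE_SOA = [
    Control("Threat intelligence", "Organizational",
            frozenset({"preventive", "detective", "corrective"}),
            frozenset({"identify", "detect", "respond"})),
    Control("Physical security monitoring", "Physical",
            frozenset({"preventive", "detective"}), frozenset({"protect", "detect"})),
    Control("Configuration management", "Technological",
            frozenset({"preventive"}), frozenset({"protect"})),
    Control("Monitoring activities", "Technological",
            frozenset({"detective", "corrective"}), frozenset({"detect", "respond"})),
    Control("ICT readiness for business continuity", "Organizational",
            frozenset({"corrective"}), frozenset({"respond", "recover"}),
            applicable=False),  # excluded in this constructed SoA
]


def slice_by(controls, *, control_type=None, csf_concept=None, applicable_only=True):
    """Names of controls carrying the requested attribute values."""
    out = []
    for c in controls:
        if applicable_only and not c.applicable:
            continue
        if control_type and control_type not in c.control_type:
            continue
        if csf_concept and csf_concept not in c.csf_concept:
            continue
        out.append(c.name)
    return out


def coverage_gaps(controls):
    """(concept, type) cells with no applicable control: the cells to explain
    or fill before the transition audit."""
    return [(concept, ctype) for concept in CSF_CONCEPTS for ctype in CONTROL_TYPES
            if not slice_by(controls, control_type=ctype, csf_concept=concept)]
```

In the constructed sample, marking ICT readiness as not applicable leaves the whole "recover" row empty, which is exactly the kind of gap the attribute view surfaces.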
What to actually do
- Map your existing Statement of Applicability onto the new structure — most controls carry over with a new number.
- Gap-assess against the eleven new controls specifically.
- Transition before the 2013 certification sunset; certification bodies have firm deadlines.
Master the full standard
My ISO 27001:2022 course walks the whole ISMS — clauses, Annex A, the Statement of Applicability, and the certification path — for people who have to implement it, not just pass.
Questions
Do I need to re-certify for 2022?
Organizations certified to 2013 must transition within the window set by the certification scheme. Plan the gap assessment early.
Did the management-system clauses change?
Only lightly. The substantive change is Annex A's restructure and the eleven new controls.