ISO/IEC 27001:2022 and ISO/IEC 27002:2022:
Key Updates and Insights

Learn about the updates to ISO 27001 and how they affect your organisation

The information security management standard ISO 27001 and its companion standard ISO 27002 were updated in 2022.

This page explains the notable changes introduced by ISO 27001:2022 and ISO 27002:2022, and how these changes affect organisations that are certified or planning to certify to ISO 27001.

Below, you can find a range of resources to help ensure your ISMS (information security management system) conforms to the latest best practice, as set out in ISO 27001:2022.

Whatever your level of expertise, we have all the products and services you need to ensure your ISO 27001:2022 project goes smoothly.


Fact sheets

  Fact Sheets

Briefing: Unpacking your ISO 27001:2022 Transition Strategy

In this webinar, produced in association with Perry Johnson Registrars, IT Governance’s CEO Alan Calder explains how to transition your ISMS to conform to ISO 27001:2022.


Steve Watkins is a renowned expert on ISO 27001. In this mini podcast, he discusses the 2022 iteration of the Standard and his book ISO/IEC 27001:2022 – An introduction to information security and the ISMS standard.

The changes of ISO/IEC 27001:2022

ISO 27001:2022 is not significantly different from ISO 27001:2013, but there are some notable changes. However, most of these relate to Annex SL, the high-level structure common to all new ISO management system standards, rather than to information security:

  • Context and scope

    You must now identify the “relevant” requirements of interested parties and determine which requirements will be addressed through the ISMS.

    The ISMS must now explicitly includes the “processes needed and their interactions”.

  • Planning

    Information security objectives must now be monitored and “be available as documented information”.

    There is a new subclause on planning changes to the ISMS. This does not specify any processes that must be included, so you should determine how you can demonstrate that changes to the ISMS have indeed been planned.

  • Support

    The requirements to define who will communicate, and the processes for effecting communication, have been replaced by a requirement to define “how to communicate”.

  • Operation

    The requirement to plan how to achieve information security objectives has been replaced by a requirement to establish criteria for processes to implement actions identified in Clause 6, and to control those processes in line with the criteria.

    Organisations are now required to control “externally provided processes, products or services” relevant to the ISMS rather than just processes.

  • Annex A

    Annex A has been revised to align it with ISO 27002:2022. The Annex A controls are discussed in the section below.

What are the control changes in Annex A?

Several Annex A controls have been merged, while 11 have been added:

  • Even though no controls have been removed, ISO 27001:2022 lists only 93 controls rather than ISO 27001:2013’s 114. This is due to the large number of merged controls (56 into 24).
  • These controls are grouped into 4 ‘themes’ rather than 14 clauses. They are:
    • People (8 controls)
    • Organisational (37 controls)
    • Technological (34 controls)
    • Physical (14 controls)
  • The completely new controls are:
    • Threat intelligence
    • Information security for use of Cloud services
    • ICT readiness for business continuity
    • Physical security monitoring
    • Configuration management
    • Information deletion
    • Data masking
    • Data leakage prevention
    • Monitoring activities
    • Web filtering
    • Secure coding
  • In ISO 27002, the controls also have five types of ‘attribute’ to make them easier to categorise:
    • Control type (preventive, detective, corrective)
    • Information security properties (confidentiality, integrity, availability)
    • Cyber security concepts (identify, protect, detect, respond, recover)
    • Operational capabilities (governance, asset management, etc.)
    • Security domains (governance and ecosystem, protection, defence, resilience)

What’s changed in ISO 27002?

The phrase “code of practice” has been dropped from the title of the updated ISO 27002 standard. This better reflects its purpose as a reference set of information security controls.

The Standard itself is significantly longer than the previous version, and the controls have been reordered and updated, as summarised in the section above.

How will this affect organisations that are already certified to ISO 27001:2013?

If your organisation is already certified to ISO 27001, click here.

Speak to an ISO 27001 expert

For more information about ISO 27001 and how we can help you implement an ISMS – whatever your size, budget or level of expertise – get in touch with one of our experts today.

Contact us

This website uses cookies. View our cookie policy
SAVE 10%