ISO 27001:2022 vs 2013: What Changed
ISO/IEC 27001 was revised in October 2022, reshaping Annex A from 114 controls in 14 domains into 93 controls across four themes, adding 11 new controls and control attributes. The transition from the 2013 edition ended on 31 October 2025, so all certification is now against the 2022 version.
The headline: a 2022 revision that is now the only valid edition
ISO/IEC 27001 — the international standard for an Information Security Management System (ISMS) — was revised and published in October 2022 as ISO/IEC 27001:2022, replacing the 2013 edition. The revision was significant but targeted: the management-system requirements that form the backbone of the standard stayed largely the same, while Annex A, the catalogue of security controls, was substantially restructured and modernized.
The most time-sensitive fact for any organization comes from the transition timeline, not the technical changes. Accredited certification bodies ran a three-year transition window that began when the 2022 edition was published and ended on 31 October 2025. That deadline is now in the past. As of that date, ISO/IEC 27001:2013 certificates are no longer valid, and every certification — new, renewed, or maintained — is assessed against the 2022 edition.
If you hold a certificate today, it is a 2022 certificate. If you are starting your journey, you build to the 2022 edition from day one; the 2013 version is of historical interest only. The rest of this article explains exactly what changed so you can read older guidance critically and understand why current documentation looks the way it does.
Annex A: from 114 controls in 14 domains to 93 in four themes
The biggest structural change is in Annex A. The 2013 edition listed 114 controls organized into 14 domains (numbered A.5 through A.18) — things like access control, cryptography, and supplier relationships, each as its own clause. The 2022 edition reorganizes the control set into 93 controls grouped under just four themes.
Those four themes are Organizational controls (A.5, 37 controls), People controls (A.6, 8 controls), Physical controls (A.7, 14 controls), and Technological controls (A.8, 34 controls). The drop from 114 to 93 does not mean the standard got weaker. Several 2013 controls that overlapped were merged into single, clearer controls, which is the main reason the count fell, and the four-theme structure groups controls by who or what implements them rather than by topic silo.
This matters practically because your Statement of Applicability (SoA) — the document that records, for each Annex A control, whether it applies, why, and its implementation status — must now address all 93 controls under the four themes, not the old 114 across 14 domains. Any SoA, risk treatment plan, or policy mapping written to the 2013 numbering needs to be re-mapped to the 2022 structure.
The 11 new controls, and why they were added
The 2022 edition introduces 11 entirely new controls that reflect how security risk has shifted since 2013 — toward cloud, continuous monitoring, and data-centric protection. Knowing them by name helps you see what auditors now expect to be addressed.
The new controls are: Threat intelligence (A.5.7); Information security for use of cloud services (A.5.23); ICT readiness for business continuity (A.5.30); Physical security monitoring (A.7.4); Configuration management (A.8.9); Information deletion (A.8.10); Data masking (A.8.11); Data leakage prevention (A.8.12); Monitoring activities (A.8.16); Web filtering (A.8.23); and Secure coding (A.8.28).
Alongside the new controls, the supporting standard ISO/IEC 27002:2022 — which gives implementation guidance for the Annex A controls — added five control "attributes" you can use to tag and filter controls: control type (preventive, detective, corrective), information security properties (confidentiality, integrity, availability), cybersecurity concepts (aligned to identify, protect, detect, respond, recover), operational capabilities, and security domains. These attributes are an optional aid for sorting and reporting on controls; they do not add requirements, but many modern toolkits and platforms use them to organize the control set.
What did NOT change much: the management-system clauses
It is just as important to understand what stayed stable. The core requirements of the standard live in clauses 4 through 10 — context of the organization, leadership, planning, support, operation, performance evaluation, and improvement — and these are what an ISMS is actually built on. In the 2022 revision these clauses saw mostly minor alignment edits to harmonize wording with the common structure ISO uses across its management-system standards, with one notable substantive addition: a new clause 6.3, "Planning of changes," which requires changes to the ISMS to be carried out in a planned manner.
That means the fundamentals you already know still hold. You still define your scope and context, demonstrate leadership commitment, run a risk assessment and choose risk treatments, operate the ISMS, and then evaluate it through internal audit and management review (clause 9) before continually improving it (clause 10). The mandatory documented information the standard requires is broadly the same.
One further point of currency: in February 2024, ISO/IEC 27001:2022/Amd 1:2024 added "climate change" considerations to clauses 4.1 and 4.2, so a current ISMS should explicitly consider whether climate change is a relevant issue and whether interested parties have related requirements. The practical implication is reassuring for organizations that built a 2013 ISMS in good faith: the bulk of your management system carries forward. The transition work is concentrated in re-mapping Annex A — updating your SoA, risk treatment, and control-level policies to the new structure and addressing the 11 new controls — rather than rebuilding the system from scratch.
What the change means for getting (or staying) certified now
Because the transition period has ended, there is no longer a choice between editions. New certifications are issued only against ISO/IEC 27001:2022, and organizations that held 2013 certificates needed to complete a transition audit before 31 October 2025 to keep continuous certification. Any 2013 certificate that was not transitioned is now invalid, which in practice can mean failing a customer's security due-diligence check or a contractual requirement that asks for valid ISO 27001 certification.
If you let a certificate lapse, the path back depends on your certification body, but it generally means undergoing assessment against the 2022 edition rather than a lighter transition audit — so the cost of having missed the deadline is real. If you are still operating documentation written to the 2013 numbering, treat re-mapping to the 2022 four-theme structure as the priority, because that is the artifact an auditor examines first.
A point that applies to every edition: certification is never something you buy or self-declare. It is issued by an accredited certification body only after it audits a working ISMS and confirms that your controls genuinely operate. The edition you build to is fixed at 2022, but the work of operating the controls and generating evidence is the same as it has always been.
Building to the 2022 edition without starting from a blank page
For a small business, startup, MSP, or regulated practice getting audit-ready today, the goal is simple: build everything to the 2022 edition the first time. That means a documentation set whose Statement of Applicability covers all 93 controls under the four themes, whose policies address the 11 new controls where they apply to you, and whose risk treatment plan references the current control numbering. Writing all of that from scratch is the single most time-consuming part of the project.
This is where an editable documentation layer earns its place. The ComplianceDocs ISO 27001 Policy Pack — Core and ISO 27001 Complete Toolkit are written to the ISO/IEC 27001:2022 edition, giving you the policies, procedures, risk register, and a Statement of Applicability already structured to the 93 controls and four themes, with placeholders you tailor to your organization. That turns weeks of re-mapping and drafting into days of editing.
Be clear-eyed about what that does and does not do. A toolkit is the documentation layer: it gives auditors the artifacts they expect and removes the slowest part of readiness. It does not, on its own, make you compliant or certified; you still run a real risk assessment against your environment, implement and operate the selected controls, generate evidence over time, and pass an accredited audit. Used that way, building to the 2022 edition is straightforward. Treat any cost or timeline figures you read as illustrative estimates rather than quotes, since they vary widely with your scope, and confirm current details against the published standard at iso.org and with your chosen certification body.
Frequently asked questions
- When was ISO 27001:2022 published, and is the 2013 version still usable?
- ISO/IEC 27001:2022 was published in October 2022. A three-year transition window followed and ended on 31 October 2025, which is now in the past. As of that date, ISO/IEC 27001:2013 certificates are no longer valid, and all certification — new or maintained — is assessed against the 2022 edition. The 2013 version is effectively historical now; if you are building or renewing, you work to the 2022 edition.
- How many controls does ISO 27001:2022 have, and how is Annex A structured?
- ISO 27001:2022 Annex A has 93 controls organized into four themes: Organizational (A.5, 37 controls), People (A.6, 8 controls), Physical (A.7, 14 controls), and Technological (A.8, 34 controls). The 2013 edition had 114 controls across 14 domains. The count dropped mainly because overlapping controls were merged, not because the standard became weaker; the four-theme structure also groups controls by who or what implements them.
- What are the 11 new controls in ISO 27001:2022?
- They are: Threat intelligence (A.5.7), Information security for use of cloud services (A.5.23), ICT readiness for business continuity (A.5.30), Physical security monitoring (A.7.4), Configuration management (A.8.9), Information deletion (A.8.10), Data masking (A.8.11), Data leakage prevention (A.8.12), Monitoring activities (A.8.16), Web filtering (A.8.23), and Secure coding (A.8.28). They reflect the shift toward cloud, continuous monitoring, and data-centric protection since 2013.
- Did the main requirements (clauses 4 to 10) change in the 2022 revision?
- Mostly minimally. Clauses 4 through 10 — context, leadership, planning, support, operation, performance evaluation, and improvement — saw mainly alignment edits to harmonize wording with ISO's common management-system structure, with one substantive addition: a new clause 6.3, "Planning of changes." The bulk of the revision is still in Annex A. Separately, Amendment 1:2024 added climate-change considerations to clauses 4.1 and 4.2. So an existing ISMS built in good faith largely carries forward, with the real transition work concentrated in re-mapping the Statement of Applicability and control-level policies.
- Do the ComplianceDocs ISO 27001 toolkits use the 2022 edition, and will they make us certified?
- Yes. The ISO 27001 Policy Pack — Core and the ISO 27001 Complete Toolkit are written to the ISO/IEC 27001:2022 edition, with a Statement of Applicability structured to the 93 controls and four themes and policies addressing the 11 new controls. They are the documentation layer that gives you an editable starting point and removes the slowest part of readiness. They do not make you compliant or certified on their own: certification comes only from an accredited body after it audits a working ISMS, so you still run the risk assessment, operate the controls, and generate evidence.
Toolkits that help
ISO 27001 Policy Pack — Core
16 editable ISO/IEC 27001:2022 policies plus the full 93-control Statement of Applicability — everything a small business needs to start its ISMS.
ISO 27001 Complete Toolkit
All 24 policies and procedures plus the risk register, 93-control Statement of Applicability and audit evidence checklist — audit-ready from day one.
