ISO/IEC 27001:2022 Published
The foundational ISMS standard just got its first major update in nearly a decade. ISO 27001:2022 reorganizes controls to match the new 27002:2022 structure and adds 11 new controls for cloud security, threat intelligence, and secure coding. You have until October 2025 to transition, but start your gap analysis now because recertification audits can sneak up fast.
Verified for technical accuracy — Kodi C.
ISO and IEC published ISO/IEC 27001:2022 on 25 October 2022, revising the leading information security management system (ISMS) standard. The update aligns Annex A controls with ISO/IEC 27002:2022, reorganising controls into four themes (Organizational, People, Physical, Technological), adding eleven new controls, and incorporating guidance on cloud services, threat intelligence, and secure configuration. Certified teams have a three-year transition window—until 31 October 2025—to migrate their ISMS to the new requirements. Certification bodies will begin auditing against the 2022 edition in 2023.
Key changes
- Control restructuring. Annex A now contains 93 controls instead of 114, consolidated and mapped to the four themes. New controls include Threat Intelligence (A.5.7), Information Security for Use of Cloud Services (A.5.23), ICT Readiness for Business Continuity (A.5.30), Configuration Management (A.8.9), Information Deletion (A.8.10), and Data Masking (A.8.11).
- Normative text updates. Clauses 4–10 include clarifications on planning ISMS changes, expanded references to monitoring and measurement, and emphasis on outsourcing arrangements.
- Integration with other standards. The revision aligns terminology with ISO 31000 risk management, ISO 9001 quality management, and ISO 22301 business continuity standards.
Transition timeline
- 31 October 2022: Publication of ISO/IEC 27001:2022.
- 31 October 2023: Certification bodies must transition to auditing new applicants against the 2022 edition.
- 31 October 2025: Deadline for existing certificates to transition. Certificates referencing ISO/IEC 27001:2013 expire after this date.
Implementation steps
- Gap analysis. Map current controls to the new Annex A structure. Identify which of the eleven new controls are not addressed and document rationale for applicability decisions.
- Risk assessment alignment. Update risk assessment methodologies to reflect consolidated controls and new threat intelligence requirements. Ensure risk registers capture cloud service dependencies, configuration baselines, and data lifecycle controls.
- Policy updates. Refresh ISMS policies, Statement of Applicability (SoA), and control catalogs to use 2022 references. Cross-reference procedures (for example, change management, supplier management) with new control language.
- Training. Deliver awareness sessions for control owners, auditors, and leadership covering new terminology, control themes, and transition deadlines.
- Supplier engagement. Communicate requirements to managed service providers and cloud partners. Update contracts and SLAs to cover new controls like configuration management and data deletion.
Outcome testing and assurance
- Control effectiveness testing. Perform walkthroughs, sample testing, and technical validation for new controls (for example, simulate cloud service onboarding to test A.5.23, execute data deletion workflows for A.8.10).
- Internal audits. Schedule internal audits focusing on revised clauses and Annex A. Use combined audits to test integrated management systems (ISO 9001/22301) where applicable.
- Metrics. Update KPIs to track transition progress—percentage of controls updated, training completion, remediation closure rates. Report progress to the ISMS steering committee.
- Certification readiness reviews. Conduct mock audits with external consultants before recertification to validate evidence packages and corrective actions.
Strategic considerations
The 2022 revision encourages convergence between information security, privacy, and resilience programs. Teams should align ISO/IEC 27001 with ISO/IEC 27701 for privacy management and use shared controls for overlapping requirements. The new focus on cloud services and configuration management requires closer collaboration between security, DevOps, and platform engineering teams.
Certification bodies expect documented transition plans, updated Statements of Applicability, and evidence of implemented controls during surveillance audits. Failure to transition by 2025 risks certification lapses, impacting customer trust, regulatory compliance, and contractual obligations.
By acting early, teams can spread remediation work across audit cycles, show forward-looking governance, and gain competitive advantage through updated certification scope.
Tooling and automation
Many teams rely on governance, risk, and compliance (GRC) platforms to manage ISO/IEC 27001 evidence. Update control libraries, questionnaires, and automated workflows to reflect the 2022 control identifiers. Integrate cloud security posture management (CSPM) tools, infrastructure-as-code scanners, and identity analytics to collect evidence for controls covering cloud services, configuration management, and data masking.
Consider adopting control mapping frameworks such as the Secure Controls Framework or CSA Cloud Controls Matrix to simplify alignment between ISO/IEC 27001 and other regulatory regimes (GDPR, NIST CSF, SOC 2). Maintaining a unified control set reduces duplication during audits and simplifies policy management.
Engaging stakeholders
Communicate transition plans to executive sponsors, data protection officers, and audit committees. Provide quarterly updates on progress, resource requirements, and risks. Engage internal audit early to coordinate combined assurance activities and avoid duplicative testing.
Customers and partners may request evidence of transition progress, especially when ISO certification is contractually mandated. Prepare FAQs, external communication templates, and updated assurance packages (for example, ISO certificates, SoAs, audit reports) to maintain trust.
Case study scenarios
Consider developing internal case studies illustrating how the new controls apply to different business units—for example, demonstrating how a product engineering team implements configuration management (A.8.9) through automated pipeline checks, or how customer success teams manage data deletion (A.8.10) when accounts close. These narratives help control owners understand expectations and make audits more efficient.
Use tabletop exercises to validate readiness for emerging threats. Simulate a cloud service provider outage to test ICT Readiness for Business Continuity (A.5.30) or run a drill involving leaked API keys to validate Threat Intelligence (A.5.7) response procedures. Document observations and feed them into continuous improvement plans.
Transition programs should include budget planning for control improvements, tooling licenses, and potential external consultancy. Establish financial trackers to monitor spend against forecasts and show efficient use of resources.
Where teams operate globally, align ISO/IEC 27001:2022 transition with regional data protection requirements (GDPR, LGPD, CCPA) to ensure policies remain consistent and avoid conflicting obligations.
Teams pursuing integrated audits (ISO/IEC 27001 with SOC 2, HITRUST, or PCI) should coordinate audit calendars early to align evidence collection, reduce fatigue, and negotiate combined site visits with certification bodies. Maintaining a single source of truth for controls prevents inconsistencies during multi-standard assessments.
Schedule leadership briefings to align transition objectives with business strategy, highlighting how refreshed controls enable secure cloud adoption, data monetization initiatives, and privacy-by-design programs. Demonstrating tangible business value can enable funding and executive sponsorship.
Establish knowledge-sharing forums where control owners can discuss setup challenges, tooling tips, and audit feedback. Recording these sessions creates reusable assets for new team members and accelerates remediation.
Coordinate with human resources and legal teams to ensure employment agreements, confidentiality clauses, and disciplinary policies reference updated information security expectations. Reinforcing governance at the contractual level helps embed ISO/IEC 27001 requirements across the organization.
Transition execution and external assurance
To meet the International Accreditation Forum’s three-year transition window, certified teams should build a project plan that sequences gap analysis, control redesign, internal audit, and certification-body engagement. Map legacy Annex A controls to the 93 control statements in ISO/IEC 27002:2022, paying particular attention to the new themes (organizational, people, physical, technological). Control owners must update policies, procedures, and automated guardrails to align with the revised structure—for example, integrating A.5.23 Information security for use of cloud services into cloud procurement checklists and A.8.28 Secure coding into software development life cycles.
Internal audit teams should schedule readiness assessments that test control effectiveness under the new requirements. Document sample selections, test scripts, and remediation actions. The Statement of Applicability (SoA) must be refreshed to show control adoption decisions, rationale, and evidence repositories. For controls that rely on automation (such as continuous vulnerability management or data leakage prevention), capture dashboards demonstrating coverage, false-positive handling, and incident response workflows.
Finally, coordinate with external certification bodies early. Share the transition plan, updated risk assessment, and internal audit results to secure audit slots before the deadline. Maintain minutes from management reviews that evaluate ISMS performance, highlight residual risks, and approve resource requests for the transition. This disciplined approach helps teams avoid a lapse in certification and gives them confidence that the refreshed control environment delivers the intended security outcomes.