
Compliance Briefing — ISO/IEC 27001:2022 Published

ISO/IEC 27001:2022 aligns the ISMS with the refreshed ISO/IEC 27002 control set, triggering a three-year transition window that demands control mapping, evidence refresh, and recertification planning.


Executive briefing: ISO and IEC published ISO/IEC 27001:2022 on 25 October 2022, revising the leading information security management system (ISMS) standard. The update aligns Annex A controls with ISO/IEC 27002:2022, reorganising controls into four themes (Organizational, People, Physical, Technological), adding eleven new controls, and incorporating guidance on cloud services, threat intelligence, and secure configuration. Certified organisations have a three-year transition window—until 31 October 2025—to migrate their ISMS to the new requirements. Certification bodies will begin auditing against the 2022 edition in 2023.

Key changes

  • Control restructuring. Annex A now contains 93 controls instead of 114, consolidated and mapped to the four themes. New controls include Threat Intelligence (A.5.7), Information Security for Use of Cloud Services (A.5.23), ICT Readiness for Business Continuity (A.5.30), Configuration Management (A.8.9), Information Deletion (A.8.10), and Data Masking (A.8.11).
  • Normative text updates. Clauses 4–10 include clarifications on planning ISMS changes, expanded references to monitoring and measurement, and emphasis on outsourcing arrangements.
  • Integration with other standards. The revision aligns terminology with ISO 31000 risk management, ISO 9001 quality management, and ISO 22301 business continuity standards.

Transition timeline

  • 31 October 2022: Publication of ISO/IEC 27001:2022.
  • 31 October 2023: Certification bodies must transition to auditing new applicants against the 2022 edition.
  • 31 October 2025: Deadline for existing certificates to transition. Certificates referencing ISO/IEC 27001:2013 expire after this date.

Implementation steps

  • Gap analysis. Map current controls to the new Annex A structure. Identify which of the eleven new controls are not addressed and document rationale for applicability decisions.
  • Risk assessment alignment. Update risk assessment methodologies to reflect consolidated controls and new threat intelligence requirements. Ensure risk registers capture cloud service dependencies, configuration baselines, and data lifecycle controls.
  • Policy updates. Refresh ISMS policies, Statement of Applicability (SoA), and control catalogs to use 2022 references. Cross-reference procedures (e.g., change management, supplier management) with new control language.
  • Training. Deliver awareness sessions for control owners, auditors, and leadership covering new terminology, control themes, and transition deadlines.
  • Supplier engagement. Communicate requirements to managed service providers and cloud partners. Update contracts and SLAs to cover new controls like configuration management and data deletion.

Outcome testing and assurance

  • Control effectiveness testing. Perform walkthroughs, sample testing, and technical validation for new controls (e.g., simulate cloud service onboarding to test A.5.23, execute data deletion workflows for A.8.10).
  • Internal audits. Schedule internal audits focusing on revised clauses and Annex A. Use combined audits to test integrated management systems (ISO 9001/22301) where applicable.
  • Metrics. Update KPIs to track transition progress—percentage of controls updated, training completion, remediation closure rates. Report progress to the ISMS steering committee.
  • Certification readiness reviews. Conduct mock audits with external consultants before recertification to validate evidence packages and corrective actions.

Strategic considerations

The 2022 revision encourages convergence between information security, privacy, and resilience programmes. Organisations should align ISO/IEC 27001 with ISO/IEC 27701 for privacy management and leverage shared controls for overlapping requirements. The new focus on cloud services and configuration management requires closer collaboration between security, DevOps, and platform engineering teams.

Certification bodies expect documented transition plans, updated Statements of Applicability, and evidence of implemented controls during surveillance audits. Failure to transition by 2025 risks certification lapses, impacting customer trust, regulatory compliance, and contractual obligations.

By acting early, organisations can spread remediation work across audit cycles, demonstrate proactive governance, and gain competitive advantage through updated certification scope.

Tooling and automation

Many organisations rely on governance, risk, and compliance (GRC) platforms to manage ISO/IEC 27001 evidence. Update control libraries, questionnaires, and automated workflows to reflect the 2022 control identifiers. Integrate cloud security posture management (CSPM) tools, infrastructure-as-code scanners, and identity analytics to collect evidence for controls covering cloud services, configuration management, and data masking.

Consider adopting control mapping frameworks such as the Secure Controls Framework or CSA Cloud Controls Matrix to streamline alignment between ISO/IEC 27001 and other regulatory regimes (GDPR, NIST CSF, SOC 2). Maintaining a unified control set reduces duplication during audits and simplifies policy management.

Stakeholder engagement

Communicate transition plans to executive sponsors, data protection officers, and audit committees. Provide quarterly updates on progress, resource requirements, and risks. Engage internal audit early to coordinate combined assurance activities and avoid duplicative testing.

Customers and partners may request evidence of transition progress, especially when ISO certification is contractually mandated. Prepare FAQs, external communication templates, and updated assurance packages (e.g., ISO certificates, SoAs, audit reports) to maintain trust.

Case study scenarios

Consider developing internal case studies illustrating how the new controls apply to different business units—for example, demonstrating how a product engineering team implements configuration management (A.8.9) through automated pipeline checks, or how customer success teams manage data deletion (A.8.10) when accounts close. These narratives help control owners understand expectations and make audits more efficient.

Use tabletop exercises to validate readiness for emerging threats. Simulate a cloud service provider outage to test ICT Readiness for Business Continuity (A.5.30) or run a drill involving leaked API keys to validate Threat Intelligence (A.5.7) response procedures. Document observations and feed them into continuous improvement plans.

Transition programmes should include budget planning for control enhancements, tooling licenses, and potential external consultancy. Establish financial trackers to monitor spend against forecasts and demonstrate efficient use of resources.

Where organisations operate globally, align ISO/IEC 27001:2022 transition with regional data protection requirements (GDPR, LGPD, CCPA) to ensure policies remain consistent and avoid conflicting obligations.

Organisations pursuing integrated audits (ISO/IEC 27001 with SOC 2, HITRUST, or PCI) should coordinate audit calendars early to align evidence collection, reduce fatigue, and negotiate combined site visits with certification bodies. Maintaining a single source of truth for controls prevents inconsistencies during multi-standard assessments.

Schedule leadership briefings to align transition objectives with business strategy, highlighting how refreshed controls enable secure cloud adoption, data monetisation initiatives, and privacy-by-design programmes. Demonstrating tangible business value can unlock funding and executive sponsorship.

Establish knowledge-sharing forums where control owners can discuss implementation challenges, tooling tips, and audit feedback. Recording these sessions creates reusable assets for new team members and accelerates remediation.

Coordinate with human resources and legal teams to ensure employment agreements, confidentiality clauses, and disciplinary policies reference updated information security expectations. Reinforcing governance at the contractual level helps embed ISO/IEC 27001 requirements across the organisation.

Transition execution and external assurance

To meet the International Accreditation Forum’s three-year transition window, certified organisations should build a project plan that sequences gap analysis, control redesign, internal audit, and certification-body engagement. Map legacy Annex A controls to the 93 control statements in ISO/IEC 27002:2022, paying particular attention to the new themes (organisational, people, physical, technological). Control owners must update policies, procedures, and automated guardrails to align with the revised structure—for example, integrating A.5.23 Information security for use of cloud services into cloud procurement checklists and A.8.28 Secure coding into software development life cycles.

Internal audit teams should schedule readiness assessments that test control effectiveness under the new requirements. Document sample selections, test scripts, and remediation actions. The Statement of Applicability (SoA) must be refreshed to show control adoption decisions, rationale, and evidence repositories. For controls that rely on automation (such as continuous vulnerability management or data leakage prevention), capture dashboards demonstrating coverage, false-positive handling, and incident response workflows.

Finally, coordinate with external certification bodies early. Share the transition plan, updated risk assessment, and internal audit results to secure audit slots before the deadline. Maintain minutes from management reviews that evaluate ISMS performance, highlight residual risks, and approve resource requests for the transition. This disciplined approach will help organisations avoid a lapse in certification and provide stakeholders with confidence that the refreshed control environment delivers the intended security outcomes.

