
Compliance Briefing — ISO/IEC 27001:2022 Published

ISO and IEC published the ISO/IEC 27001:2022 information security management standard on October 25, 2022, revising Annex A controls, aligning with ISO/IEC 27002:2022, and introducing organizational resilience requirements for certified programs.

Executive briefing: On October 25, 2022, ISO and IEC released ISO/IEC 27001:2022. The update aligns Annex A controls with ISO/IEC 27002:2022, adds organizational resilience expectations, and modernizes terminology for cloud services and threat intelligence.

Key changes

  • Control restructuring. Annex A now contains 93 controls grouped into four themes (Organizational, People, Physical, Technological).
  • New control topics. Additions include threat intelligence, cloud services usage, ICT readiness for business continuity, and data leakage prevention.
  • Terminology updates. Definitions reference digital identities, configuration management, and monitoring enhancements relevant to DevSecOps.
  • Transition timelines. Certification bodies established a three-year migration window from ISO/IEC 27001:2013.

Implementation guidance

  • Perform a gap assessment mapping existing Statement of Applicability controls to the 2022 annex structure.
  • Update ISMS risk treatment plans to incorporate new cloud, threat intelligence, and resilience requirements.
  • Coordinate with certification partners on surveillance audit schedules and evidence updates for the revised clauses.