ISO/IEC 27001:2022 is the latest revision of the international standard for Information Security Management Systems (ISMS). This revised version provides a comprehensive framework for protecting sensitive data and includes several updates from previous iterations.
Published on 25th October 2022 by ISO and the IEC, the updated standard mandates that organisations certified under the previous version must transition by the 31st October 2025. This timeline allows organisations to align their Information Security Management Systems with the new requirements, thereby enhancing their ability to protect information confidentiality, integrity and availability in an ever-changing threat environment.
What’s changed in ISO/IEC 27001:2022?
The structure of ISO 27001’s clauses has not changed; the clauses remain:
- Clause 4 – Context of the organisation
- Clause 5 – Leadership
- Clause 6 – Planning
- Clause 7 – Support
- Clause 8 – Operation
- Clause 9 – Performance evaluation
- Clause 10 – Improvement
However, Annex A has undergone significant changes. The number of controls has been reduced from 114 in ISO/IEC 27001:2013 to 93 in the latest update, now organised into four sections instead of the previous fourteen. These sections are:
- Organisational controls
- People controls
- Physical controls
- Technological controls
Why has ISO 27001 been updated?
The information security landscape has changed significantly in the decade since the previous update. As such, ISO 27001 needed to be updated to reflect the world we live in now.
- Adapting to new threats – The 2022 update incorporates measures to counter the rise of ransomware and advanced persistent threats.
- Technological advancement – Reflecting rapid technological changes since 2013, the update addresses the rise in cloud computing, IoT devices, and remote working, which introduce new security challenges.
- Alignment with other standards – The update improves compatibility with other management system standards, such as ISO 9001 (Quality Management) and ISO 22301 (Business Continuity Management).
- Feedback from users – Revisions are based on feedback from organisations that have implemented the standard, identifying areas for improvement.
- Regulatory requirements – The update aligns with higher data security and privacy standards set by regulations like the EU’s GDPR, aiding organisations in achieving compliance.
- Enhanced controls – New and revised controls in Annex A address contemporary security risks more effectively, providing organisations with robust measures to protect their information assets.
With ISO/IEC 27001:2022, ISO aims to provide organisations with a modern and effective framework for managing information security in an increasingly complex environment.
What do you need to do?
As of 31st October 2025, all certificates issued for previous versions of ISO 27001 will no longer be valid. If you are currently certified to ISO/IEC 27001:2013 or ISO/IEC 27001:2017, you will need to transition to the new standard before this date.
We would recommend completing any transition audits by July 2025 to ensure you have sufficient time between the audit and the deadline to close any non-conformances.
How can Ascentor help?
To discuss transitioning to ISO 27001:2022 certification and the associated benefits to your organisation, contact our expert team today.