Nexus, L.L.C.

ISO 27001:2013 vs ISO 27001:2022

ISO 27001:2013 vs ISO 27001:2022 — What Changed?

ISO 27001 was updated for the first time in almost a decade, and many organizations are confused about what actually changed, and what they need to do about it.


Here’s a clear breakdown of the real differences between ISO 27001:2013 and ISO 27001:2022.


Summary of Changes

The 2022 update is not a complete overhaul. It mainly focuses on:

  • Modernizing security controls
  • Simplifying structure
  • Addressing cloud, remote work, and modern threats
  • Reducing redundancy
  • Introducing 11 brand-new controls

The management system (Clauses 4–10) stays largely the same, with only mild clarifications and wording updates, but even these minor wording updates carry legal definitions, so your processes must address the new language.



Key Differences at a Glance

2013 Version:

  • 114 controls
  • 14 control groups
  • Outdated terminology
  • Limited cloud/security modernization
  • Heavier emphasis on documentation

2022 Version:

  • 93 controls
  • 4 simplified control themes
  • Updated terminology
  • Modern controls added for cloud, threat intelligence, and monitoring
  • Controls combined, reorganized, and streamlined


What Actually Changed in ISO 27001:2022


1. Number of Controls Dropped from 114 → 93

This is because many controls were merged for simplicity.

Examples:

  • Logging + monitoring controls consolidated
  • Supplier relationship controls merged
  • Physical security controls grouped more logically

This does not mean less work; it just organizes things more cleanly.



2. 11 Completely New Controls Were Added

These reflect modern risks most companies face:

New 2022 Controls

  1. Threat Intelligence
  2. Information Security for Cloud Services
  3. ICT Readiness for Business Continuity
  4. Physical Security Monitoring
  5. Configuration Management
  6. Information Deletion
  7. Data Masking
  8. Data Leakage Prevention
  9. Monitoring Activities
  10. Web Filtering
  11. Secure Coding

Most companies already do some of these, but they simply weren’t explicitly required before.



3. Controls Reduced to 4 Themes Instead of 14 Domains

2013’s domains (like A.7, A.8, A.9, etc.) are gone.
2022 uses 4 simplified categories:

  1. Organizational Controls (37 controls)
  2. People Controls (8 controls)
  3. Physical Controls (14 controls)
  4. Technological Controls (34 controls)

This reduces complexity and makes the structure easier to understand.



4. Updates to Clauses 4–10

No drastic changes; these are mostly wording updates.
Examples:

  • Stronger emphasis on documentation alignment
  • Clearer guidance for measuring and evaluating control performance
  • Better clarity around risk treatment plans
  • More flexible language around inventory and context

If you already comply with 2013, this won’t require major rework.



Do You Need to Recertify?

If you are certified to ISO 27001:2013, you do not need a new certification.

You need a transition audit, which is far easier than initial certification.
Your auditor simply verifies your updates to:

  • Statement of Applicability (SoA)
  • Risk treatment plan
  • Any added/updated controls
  • A small set of documentation changes

Most organizations transition in 1–3 months.



How Hard Is the Transition?

For most companies, not hard at all.

Typical transition effort:

  • Update SoA → 1–2 days
  • Add evidence for new controls → 2–4 weeks (depending on maturity)
  • Update documentation → 1–2 weeks
  • Internal audit + management review → 1–2 weeks

Unless you’re missing a lot of modern security practices, you’re fine.



Which Version Will Auditors Use Going Forward?

As of 2025:

  • New certifications are ISO 27001:2022 only
  • Existing clients must transition to 2022
  • 2013 is fully deprecated

Bottom Line

The 2022 update modernizes ISO 27001 without making it harder.
If you’re compliant with 2013, upgrading is straightforward: update the SoA, document the new controls, tighten monitoring, and you’re done.

If you’re new to ISO 27001, the 2022 version is clearer, simpler, and more aligned with real-world threats.



Get Help With Your ISO 27001:2022 Transition

If you need help updating your SoA, reviewing your new control set, or preparing for a transition audit, I can walk you through the entire process quickly and efficiently. I can also conduct the internal audit required by ISO 27001 before your certifying body comes in for the external audit.

Get Expert ISO 27001 Consulting Today

Please fill out the contact us form or give me a call and I will be in touch to answer questions or schedule a meeting to discuss your business needs and ISO 27001 goals.

Nexus, L.L.C.

Email: info@nexusadvisory.org  Phone: (443) 256-3385

Copyright © 2025 www.nexusadvisory.org - All Rights Reserved.