ISO/IEC 27001:2022 — migrating from the 2013 edition with the 93 controls reorganised into 4 themes
ISO 27001:2013 → 2022 changes: from 114 to 93 controls, the 11 new controls, reorganisation into 4 themes, and a concrete migration path for already certified organisations.
ISO/IEC 27001 was updated in October 2022, nine years after the previous edition. The most visible change: the number of controls in Annex A dropped from 114 to 93, and the 14 categories from the 2013 edition were reorganised into 4 themes. For already certified organisations, the IAF transition window closed on 31 October 2025 — all certification bodies began auditing exclusively on the 2022 edition from 1 November 2025.
This article explains the key changes and offers a practical migration path for an existing ISMS.
TL;DR
- ISO 27001:2022 published Oct 2022 + ISO 27002:2022 published Feb 2022.
- 93 controls (vs 114) in 4 themes: organisational, people, physical, technological.
- 11 new controls: threat intel, cloud security, ICT readiness for business continuity, secure coding, etc.
- IAF transition closed on 31 Oct 2025 — all active certifications need an upgrade.
- Typical migration path for a mature ISMS: 4-6 months with one transition audit.
Main changes versus 2013
Number of controls. 114 → 93. The reduction comes from merging similar controls (e.g. the security policy controls were grouped into a single control, 5.1) and retiring controls no longer relevant in a modern context (e.g. certain controls related to fax and printed media).
Reorganisation by themes. The 14 categories from 2013 were simplified into 4 themes:
- A.5 Organisational (37 controls) — policies, roles, supplier management, incident management.
- A.6 People (8 controls) — screening, training, termination, NDAs, remote work.
- A.7 Physical (14 controls) — perimeter, physical access, equipment.
- A.8 Technological (34 controls) — endpoint, network, cryptography, software development, monitoring, backup.
Control attributes. The 2022 edition introduces an attribute system that allows filtering/reporting of controls along 5 dimensions:
- Control type: preventive, detective, corrective.
- Information security properties: confidentiality, integrity, availability.
- Cybersecurity concepts: identify, protect, detect, respond, recover (NIST CSF mapping).
- Operational capabilities: governance, asset management, IAM, threat & vulnerability management, etc.
- Security domains: governance & ecosystem, protection, defence, resilience.
Attributes are optional but extremely useful for organisations using multiple frameworks (NIST CSF, SOC 2, NIS2). They enable rapid cross-mapping.
Clauses 4-10 requirements. Minor changes, mainly to align with Annex SL (the common structure for ISO management systems). Notably: a new clause 6.3 on “planning of changes” and extended requirements on organisational context.
The 11 new controls in 2022
| Control | Name | What you must prove |
|---|---|---|
| 5.7 | Threat intelligence | Threat intel collection and analysis processes; application in operational decisions. |
| 5.23 | Information security for use of cloud services | Formal cloud risk assessment processes, CSP contracts, exit plan. |
| 5.30 | ICT readiness for business continuity | Annually tested IT-DR plan, multiple scenarios, documented RTO/RPO. |
| 7.4 | Physical security monitoring | CCTV, alarms, continuous monitoring of critical physical perimeter. |
| 8.9 | Configuration management | Approved configuration baselines, drift detection, remedial action. |
| 8.10 | Information deletion | Retention-aligned deletion policies, proof of execution at EOL. |
| 8.11 | Data masking | Masking techniques for sensitive data in non-production. |
| 8.12 | Data leakage prevention | DLP at endpoint, network, cloud; classification supported. |
| 8.16 | Monitoring activities | Active logging on systems, networks, applications; SIEM integration. |
| 8.23 | Web filtering | URL/category filtering for endpoint and gateway. |
| 8.28 | Secure coding | Written standards (OWASP Top 10, SAMM), dev training, code review. |
For organisations already operating at medium maturity, many of these controls were implemented de facto. With ISO 27001:2022 they become formalised and explicitly audited.
6-month migration path — checklist
Month 1 — gap analysis:
- Compare existing SoA (Statement of Applicability) with Annex A 2022.
- Control-by-control mapping of 2013 → 2022 controls, including merged controls (ISO provides a cross-reference table in Annex B of 27001:2022).
- Identify the 11 new controls and current implementation level.
- Update risk assessment with new risk categories (cloud, threat intel).
Month 2 — document update:
- New SoA with 93 controls and exclusion justifications.
- Risk register updated with attribute mapping.
- ISMS scope re-confirmed (clause 4.3).
- Policies and procedures updated for the 11 new controls.
Month 3 — new control implementation:
- 5.7 threat intel — feed subscription, decision integration.
- 5.23 cloud — CSP contract review, exit plan.
- 5.30 ICT BC — written IT-DR plan, scheduled test exercise.
- 8.9 config mgmt — drift detection tool (Wazuh FIM, Tripwire, osquery).
- 8.16 monitoring — SIEM covers the scope.
- 8.28 secure coding — training, SAST in pipeline.
Month 4 — internal audit & management review:
- Full internal audit on the 2022 edition with an auditor trained on the changes.
- Management review with documented output — top management approves the changes.
- Corrective action plan for identified gaps.
Month 5 — preparing the transition audit:
- Coordinate with the certification body on the transition audit date (separate or combined with surveillance audit).
- Internal pre-audit checklist completed.
- Evidence repository organised per control.
Month 6 — transition audit:
- On-site or remote audit, 1-3 days depending on the organisation.
- Major non-conformity (NCR) responses within 90 days.
- Certificate reissued on the 2022 edition.
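The month 1 gap analysis and the month 2 SoA rebuild, as an added worked example in Python that is not part of the original article: a constructed excerpt of the 2013 to 2022 cross-reference (the real table covers all 93 controls), a constructed sample 2013 SoA, and functions that derive the 2022 SoA, flag the new controls as gaps and give an attribute-style cross-mapping view like the one the control attributes section describes. The attribute tags in CONCEPTS are assumed illustrative values, not the standard's own tables.

```python
from collections import defaultdict

# Constructed excerpt of the 2013 -> 2022 cross-reference; the real table covers all 93.
# 2022 control id -> 2013 controls merged into it ([] = new in 2022, nothing to inherit).
CROSSREF_2022 = {
    "5.1": ["A.5.1.1", "A.5.1.2"],                 # policy controls merged into one
    "5.7": [],                                     # threat intelligence (new)
    "5.23": [],                                    # cloud services (new)
    "8.15": ["A.12.4.1", "A.12.4.2", "A.12.4.3"],  # logging
    "8.16": [],                                    # monitoring activities (new)
    "8.28": [],                                    # secure coding (new)
}
# Illustrative attribute tags (cybersecurity-concept dimension only); assumed values,
# the standard's own attribute tables are authoritative.
CONCEPTS = {
    "5.1": {"identify"}, "5.7": {"identify", "detect", "respond"}, "5.23": {"protect"},
    "8.15": {"detect"}, "8.16": {"detect", "respond"}, "8.28": {"protect"},
}
# Constructed sample 2013 SoA: control id -> implementation status.
SAMPLE_SOA_2013 = {
    "A.5.1.1": "implemented", "A.5.1.2": "partial",
    "A.12.4.1": "implemented", "A.12.4.2": "implemented", "A.12.4.3": "implemented",
}
RANK = {"implemented": 0, "partial": 1, "excluded": 2, "gap": 3}  # weaker = higher

def control_key(cid):
    # Sort '5.7' before '5.23' numerically rather than lexically.
    return tuple(int(p) for p in cid.split("."))

def migrate_soa(soa_2013, crossref=CROSSREF_2022):
    """Derive the 2022 SoA: merged controls inherit the weakest source status,
    unknown sources count as gaps, new controls start as gaps."""
    out = {}
    for new_id, sources in crossref.items():
        statuses = [soa_2013.get(s, "gap") for s in sources] or ["gap"]
        out[new_id] = max(statuses, key=RANK.__getitem__)
    return out

def gap_report(soa_2022):
    """Group 2022 controls by status, numerically sorted, for months 2-3 planning."""
    groups = defaultdict(list)
    for cid, status in soa_2022.items():
        groups[status].append(cid)
    return {s: sorted(ids, key=control_key) for s, ids in groups.items()}

def open_items_by_concept(soa_2022, concept):
    """Attribute cross-mapping view: controls tagged with a concept not yet implemented."""
    return sorted((c for c, s in soa_2022.items()
                   if s != "implemented" and concept in CONCEPTS.get(c, ())), key=control_key)
```

Feeding the real SoA export and the full cross-reference into the same functions yields the starting point for the new 93-control SoA and the per-concept evidence list.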
Requirements for organisations in regulated industries
For entities operating in regulated sectors, ISO 27001:2022 substantially covers the technical requirements of other frameworks. Typical cross-mapping:
- NIS2 Art. 21: the ten minimum measures are covered by approximately 60-70 controls from Annex A.
- DORA ICT Risk: the ICT risk management framework can be instantiated as an ISMS compliant with 27001:2022.
- GDPR Art. 32 (security of processing): the required technical and organisational controls are a subset of Annex A.
- EU AI Act Art. 15: cybersecurity requirements for high-risk AI map to the 8.x technological controls.
- CRA: product security requirements for manufacturers are partially covered.
The practical benefit: with a mature 27001:2022 ISMS, audits on other frameworks become largely derivative. Roughly 70-80% of evidence is reused.
How Lexnomia helps
Lexnomia includes an ISO 27001:2022 module with:
- SoA generator with 93 controls and pre-filled attribute mapping.
- Risk register integrated with the application and system inventory.
- Automated evidence collection from IdP, SIEM, ITSM, Git.
- Live cross-mapping with NIS2, DORA, GDPR, AI Act, CRA.
- Internal audit checklist and management review templates.
See also our article on the US GRC stack alternative for strategic context.
Related articles
- NIS2 implementation — operational checklist for essential and important entities
- DORA Regulation 2022/2554 — the five pillars for banking, fintech and insurance
- Cyber Resilience Act (Regulation 2024/2847) — obligations for products with digital elements
- Lexnomia vs OneTrust, TrustArc and Drata — the EU alternative
- Pillar Lexnomia — the sovereign EU compliance platform
Next steps
For an ISO 27001:2022 readiness assessment and transition plan, see the ISO module on the Lexnomia page, or contact us for a technical discussion.