ISO 27001
IT-Checklist regularly gets questions about ISO 27001 — especially about the difference between the old and new version of the standard. This page explains it in plain language. Working in a critical sector or healthcare? Also see our pages on NIS2 and NEN 7510.
📋 Deep dive: ISO 27001:2022 with practical tips
Want to know how to actually switch to the new standard? Read our step-by-step plan with practical tips for ISO 27001:2022.
What is ISO 27001?
ISO 27001 is the international standard for information security. It describes how policy, risk analysis and concrete measures help you stay in control of information security within your organisation. You don't need to be certified straight away to use the standard as a framework.
What is the difference between ISO 27001:2013 and ISO 27001:2022?
The older 2013 version had 114 controls, spread across 14 domains (A.5 through A.18). The new 2022 version is more streamlined: 93 controls, grouped into 4 themes — Organisational, People, Physical and Technological. Many controls were merged or updated (topics such as cloud use and threat intelligence, which weren't explicitly named in 2013).
Is my ISO 27001:2013 certificate still valid?
No. Certificates against the old ISO/IEC 27001:2013 standard are no longer valid since 31 October 2025. If you are certified, check with your certification body whether you have moved to the 2022 version.
Does my business have to be certified?
For most SMEs, no. Certification mainly makes sense if customers or partners explicitly ask for it (for example in tenders). Even without certification you can use ISO 27001 as a practical framework: a short security policy, a risk analysis and an annual review already get you a long way.