ISO 27001:2022 — the new standard, with practical tips
Our ISO 27001 page explains the difference between the 2013 and 2022 versions of the standard. Here we go a step further: a practical step-by-step plan and concrete tips for IT-Checklist visitors preparing for certification or the switch to the new standard.
Step-by-step plan for the transition
- Gap analysis: compare your current measures against the 93 controls in the 2022 version and map the differences.
- Update your Statement of Applicability: adapt your SoA to the new structure (Organisational, People, Physical, Technological) and justify which controls apply.
- Update policy and risk analysis: new topics such as cloud use, threat intelligence and data minimisation need to be explicitly addressed.
- Internal audit: check yourself (or with an independent internal auditor) whether you meet the updated requirements before the external audit.
- Management review: have leadership formally review and document the outcomes and action items.
- Schedule the transition audit: contact your certification body in good time.
All 93 ISO 27001:2022 controls at a glance
The Annex A controls were reduced in 2022 from 114 (across 14 domains) to 93 controls, grouped into 4 themes:
- A.5 Organisational — 37 controls
- A.6 People — 8 controls
- A.7 Physical — 14 controls
- A.8 Technological — 34 controls
24 controls were merged and 58 were substantively updated. Eleven controls are entirely new compared to the 2013 version:
- A.5.7 Threat intelligence
- A.5.23 Information security for use of cloud services
- A.5.30 ICT readiness for business continuity
- A.7.4 Physical security monitoring
- A.8.9 Configuration management
- A.8.10 Information deletion
- A.8.11 Data masking
- A.8.12 Data leakage prevention
- A.8.16 Monitoring activities
- A.8.23 Web filtering
- A.8.28 Secure coding
Practical tips per theme
- Organisational: keep an up-to-date supplier overview — the 2022 version pays more attention to supplier risk and the supply chain.
- People: document awareness training and screening arrangements, including for temporary staff and freelancers.
- Physical: check whether your physical access controls (office, server room, home workspaces) still match how you actually work.
- Technological:explicitly address cloud configuration, data leak detection, and the new ‘threat intelligence’ control — something the 2013 version lacked.
Do I need to get certified from scratch?
No. If you were already ISO 27001:2013 certified, you move to the 2022 version via a transition audit — not a completely new process, but more work than a routine recertification because your Statement of Applicability and risk analysis need updating.
Can I prepare myself without a consultant?
For a small, well-organised business, that's very doable: the standard itself, the accompanying Annex A controls and a clear gap analysis already give you a lot to work with. For more complex environments (multiple locations, many suppliers, sensitive data), guidance often pays for itself faster than figuring it out alone.
What if my certification body hasn't transitioned yet?
Certificates against the old ISO/IEC 27001:2013 standard have not been valid since 31 October 2025. Contact your certification body (CB) to schedule the transition audit — don't wait too long, as CBs often have limited capacity as the deadline approaches.
Further reading
Working in a critical sector? Also see NIS2 / the Cybersecurity Act and, specifically for healthcare, NEN 7510. Need help preparing for certification? Get in touch.