What Changed in ISO 27001:2022
The 2022 update is the first major revision since 2013, reflecting modern cybersecurity challenges. Controls are now organized into 4 themes instead of 14 domains.
Transition Deadline
Organizations must complete the transition by October 2025. From April 2024, new certifications must be issued against the 2022 version.
Transition Roadmap
Implementation Phases
- Gap Assessment: assess current state
- Documentation: update ISMS docs
- Implementation: deploy new controls
- Certification: audit and certify
12-Month Transition Plan
Phase 1: Assessment (Months 1-2)
Gap analysis against the 2022 standard, updated risk assessment, transition roadmap
Phase 2: Documentation (Months 3-4)
Update ISMS documentation, revise the Statement of Applicability (SoA), align with the new control structure
Phase 3: Implementation (Months 5-8)
Implement the new controls: threat intelligence, cloud security, DLP, secure coding
Phase 4: Certification (Months 9-12)
Internal audit, management review, Stage 1 and Stage 2 certification audits
Key Structural Changes
- Organizational (37) - Governance, risk, policies
- People (8) - HR security, awareness
- Physical (14) - Physical & environmental
- Technological (34) - Technical controls
11 New Controls
Priority New Controls
Focus first on Threat Intelligence (5.7), Cloud Security (5.23), DLP (8.12), and Secure Coding (8.28), as these address the modern threat landscape.
Good News
The control count has been reduced from 114 to 93; many controls were merged and streamlined. Most organizations will find they already meet many of the new requirements.
Conclusion
ISO 27001:2022 brings welcome updates addressing modern challenges. View this as an opportunity to strengthen your ISMS, not just a compliance exercise.
Written by
Asfaleia Team
Chief Security Researcher
GRC specialist with extensive experience in ISO 27001 implementations and certifications.