When ISO 27001:2022 dropped, the headline number got everyone's attention: 114 Annex A controls reduced to 93. A 21‑control drop sounds like a win for organizations already certified. It isn’t. The 2022 revision restructures how those controls work, adds significant new requirements, and forces every certified organization into a transition audit that isn’t optional.
If you're on the 2013 version, your transition deadline was October 31, 2025, and that deadline has passed. If you're not certified yet, you're studying the 2022 standard. Either way, the specifics matter.
The 114 to 93: What the Numbers Actually Mean
The reduction from 114 to 93 controls isn’t a simplification. It’s a structural reorganization. The old ISO 27001:2013 Annex A organized controls into 14 domains. The 2022 revision collapses these into four themes aligned with ISO 27002:2022:
- Organizational — Governance, risk management, and operational structure
- People — Human resource security and workforce management
- Physical — Physical and environmental security
- Technological — Technical controls, cloud security, and data handling
This isn’t cosmetic. The four‑theme structure directly mirrors ISO 27002:2022, which is the implementation guide organizations use to apply controls in practice. Previously, ISO 27001 specified requirements and ISO 27002 provided guidance — they shared Annex A but had structural inconsistencies. The 2022 revision synchronizes them.
| Control Count | ISO 27001:2013 | ISO 27001:2022 |
|---|---|---|
| Total Annex A controls | 114 | 93 |
| Structural domains | 14 | 4 themes |
| New controls added | — | 11 |
| Controls merged/consolidated | — | 24 |
| Controls removed | — | 57 |
The 57 removed controls weren’t deleted — they were merged into other controls, consolidated, or absorbed into the main Clause 6–10 requirements. This means your gap assessment needs to account for requirements that now live in the main body of the standard rather than Annex A.
What the Main Clause Changes Mean
Most ISO 27001 attention goes to Annex A, but the most significant changes for certified organizations are in Clauses 4–10.
Clause 6.1.2: Risk Identification Gets More Specific
The 2022 standard adds specificity to how organizations identify information security risks. The 2013 version required a “risk identification” process but didn’t prescribe inputs. The 2022 standard requires consideration of the organization’s context, interested‑party requirements, and an asset‑based risk assessment — the same rigor expected in ISO 31000 risk‑management principles.
If your existing risk‑assessment methodology was built for speed rather than comprehensiveness, the updated Clause 6.1.2 requirements will surface gaps.
Clause 4–10 Structure Changes
The 2022 revision reorganized the management‑system clauses to align with the ISO High‑Level Structure (HLS) used by other management standards. This matters if your organization holds multiple ISO certifications (9001, 14001, 45001) because the shared HLS structure makes integrated audits simpler. For organizations holding only ISO 27001, the structural change is administrative — but transition auditors will check it.
New Documented‑Information Requirements
Several clauses in the 2022 revision require new or expanded documented information that wasn’t explicitly required in 2013. Organizations that built minimal documentation to pass their 2013 audit will face corrective actions if they don’t expand their documented information before the transition.
The 11 New Controls You Need to Know About
The 2022 revision introduced 11 new controls that didn’t exist in the 2013 Annex A. These are where certified organizations face the steepest learning curves.
Threat Intelligence (A.5.7)
Threat intelligence is the only purely new control in the 2022 revision. It requires organizations to collect and analyze information about current and emerging information‑security threats. This isn’t just about reading industry newsletters — the control requires documented threat intelligence that feeds into risk assessment and control selection.
Most organizations had no equivalent in their 2013 ISMS. Building threat‑intelligence capability from scratch takes 3–6 months of structured effort.
ICT Readiness for Business Continuity (A.5.30)
This is the most operationally demanding new control. It requires organizations to plan and implement ICT readiness for business continuity (ICT4BCR) — essentially, the technical and procedural capability to maintain information security during disruptions. The control requires:
- Business impact analysis for information‑security requirements
- Defined RTOs (Recovery Time Objectives) and RPOs (Recovery Point Objectives) for critical systems
- Tested restoration procedures
Organizations that already have disaster‑recovery and BCP procedures built under Annex A.17 (Business Continuity) may find ICT4BCR partially overlaps — but the control adds specificity to technical recovery objectives that general BCP doesn’t cover.
Configuration Management (A.8.9)
Split into three sub‑controls, configuration management now explicitly requires hardware and software configuration baselines, documented baseline configurations, and change‑management processes that verify configuration integrity before deployment. If you already have change management under your 2013 ISMS, the 2022 requirements will feel familiar — but auditors will expect documented configuration standards, not just change logs.
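One way to turn "verify configuration integrity before deployment" into a repeatable check, as an added example that is not code from the original article or from Truvara's product: a documented baseline is expressed as expected settings, a candidate configuration pulled from a host is parsed and compared against it, and a digest of the normalised settings is recorded as audit evidence. The SSH daemon baseline, the sample sshd_config text and all function names are constructed assumptions for illustration.

```python
"""Configuration baseline drift check (added example, not from the page or any vendor).

A documented baseline is a set of required settings. Before a configuration
is deployed, it is parsed and compared against that baseline; any deviation
or missing setting blocks deployment and is reported, and a digest of the
normalised settings is kept as evidence of what was checked.
"""
import hashlib
import re
from dataclasses import dataclass, field

# Constructed baseline: the settings an organisation's documented SSH
# server standard might require. Keys are matched case-insensitively,
# the same way sshd itself treats keywords.
SSHD_BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "3",
    "LogLevel": "VERBOSE",
}

# Constructed candidate configuration, as it might be collected from a host
# before a deployment is approved.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 6
# LogLevel deliberately left unset
"""


@dataclass
class DriftReport:
    digest: str                                     # SHA-256 of normalised settings (evidence record)
    deviations: dict = field(default_factory=dict)  # baseline key -> (expected, actual)
    missing: list = field(default_factory=list)     # baseline keys absent from the config

    @property
    def compliant(self) -> bool:
        return not self.deviations and not self.missing


def parse_sshd_config(text: str) -> dict:
    """Parse 'Keyword value' lines; skip blanks and comments; first occurrence wins, as sshd does."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\S+)\s+(.+?)\s*$", line)
        if not m:
            continue
        key = m.group(1).lower()
        if key not in settings:
            settings[key] = m.group(2)
    return settings


def normalised_digest(settings: dict) -> str:
    """Hash the parsed settings in sorted order, so comment or whitespace edits do not change the digest."""
    canonical = "\n".join(f"{k}={v}" for k, v in sorted(settings.items()))
    return hashlib.sha256(canonical.encode()).hexdigest()


def check_against_baseline(config_text: str, baseline: dict) -> DriftReport:
    """Compare a candidate configuration with the documented baseline and report drift."""
    settings = parse_sshd_config(config_text)
    report = DriftReport(digest=normalised_digest(settings))
    for key, expected in baseline.items():
        actual = settings.get(key.lower())
        if actual is None:
            report.missing.append(key)
        elif actual.lower() != expected.lower():
            report.deviations[key] = (expected, actual)
    return report


if __name__ == "__main__":
    r = check_against_baseline(SAMPLE_CONFIG, SSHD_BASELINE)
    print("evidence digest:", r.digest)
    for k, (exp, act) in r.deviations.items():
        print(f"DEVIATION {k}: baseline requires {exp}, found {act}")
    for k in r.missing:
        print(f"MISSING   {k}: baseline requires {SSHD_BASELINE[k]}")
    print("deployment allowed:", r.compliant)
```

Run against the constructed sample, the check flags PermitRootLogin and MaxAuthTries as deviations and LogLevel as missing, so the deployment gate stays closed; the digest is what an auditor can match against the change record to confirm which configuration was actually verified.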
Data Masking, Data Leakage Prevention, and Monitoring (A.8.11, A.8.12, A.8.16)
Three technology‑specific controls — data masking (A.8.11), data leakage prevention (A.8.12), and monitoring activities (A.8.16) — were either absent or loosely addressed in the 2013 standard. These controls reflect how cloud infrastructure, SaaS applications, and distributed workforces have changed the information‑security landscape since 2013.
| New Control | Clause | Key Requirement |
|---|---|---|
| Threat intelligence | A.5.7 | Collect and analyze threat data; feed into risk assessment |
| ICT readiness for business continuity | A.5.30 | Documented RTOs, RPOs, and tested recovery procedures |
| Configuration management | A.8.9 | Hardware/software baselines, integrity verification |
| Data masking | A.8.11 | Minimize exposure of sensitive data in non‑production |
| Data leakage prevention | A.8.12 | Technical controls to detect and prevent exfiltration |
| Monitoring activities | A.8.16 | Continuous monitoring; anomaly detection; log analysis |
| Web filtering | A.8.15 | Manage access to websites to reduce exposure to malicious content |
| Secure coding | A.8.28 | Security requirements in software development lifecycle |
What Changed in Existing Controls
Beyond the new additions, the 2022 revision significantly updated several existing controls. Three deserve particular attention.
Access Control (A.5.15, A.5.17)
The 2013 access‑control requirements were spread across multiple domains. The 2022 revision consolidates and strengthens them. A.5.15 (Access Control) now explicitly requires privileged‑access restrictions, access‑rights reviews at planned intervals, and removal of access rights upon role change or termination. A.5.17 (Authentication Information) requires password‑management policies aligned with current NIST guidance — specifically, length‑based password requirements over complexity‑based ones, and prohibition of knowledge‑based authentication for high‑risk systems.
Information Security for Use of Cloud Services (A.5.23)
Cloud‑specific controls were absent from the 2013 standard — they were addressed via generic access‑control and vendor‑management clauses. The 2022 revision adds A.5.23 (Information Security for Use of Cloud Services), which requires documented cloud‑service acquisition, onboarding processes, contractual security obligations, and ongoing monitoring of cloud service providers. If your 2013 ISMS manages cloud vendors under generic vendor management, the 2022 requirement is significantly more specific.
Physical Security Perimeter Changes
Annex A.8 (Physical and environmental security) in 2013 required defined security perimeters. The 2022 revision adds requirements for office, facility, and storage‑space security — particularly around information‑processing facilities. Organizations that have expanded their physical footprint since 2013 (remote offices, co‑location, hybrid work) may find their physical‑security controls weren’t originally designed for their current configuration.
The Transition Process: What to Expect
ISO 27001:2022 transition is not a formality. Certification bodies conduct a structured transition assessment, and organizations found non‑conformant face a corrective‑action process that can delay recertification.
Typical Transition Timeline
| Phase | Duration | Activities |
|---|---|---|
| Gap assessment | 4–8 weeks | Map current controls to 2022 structure; identify new requirements |
| Remediation | 8–16 weeks | Update policies, procedures, documented information |
| Internal audit | 2–4 weeks | Full ISMS audit against 2022 standard |
| Management review | 2 weeks | Leadership sign‑off on updated risk assessment and controls |
| External transition audit | 1–3 days | Certification‑body assessment |
Organizations that started their transition early have completed the process in 4–6 months. Organizations that waited until 2025 faced auditor‑availability constraints and compressed timelines that increased costs significantly.
Audit Finding Comparison: 2013 vs 2022
| Audit Area | 2013 Findings | 2022 Findings |
|---|---|---|
| Risk‑assessment methodology | Moderate findings | Higher scrutiny on Clause 6.1.2 specificity |
| Annex A coverage | Moderate | Higher — 11 new controls create gaps |
| Configuration management | Low | Higher — explicit baselines required |
| Cloud vendor management | Moderate | Higher — dedicated control, not generic |
| Documented information | Moderate | Higher — expanded requirements throughout |
| Threat intelligence | Low (not required) | High (new requirement) |
How Truvara Supports Your ISO 27001:2022 Transition
Transitioning from the 2013 to the 2022 standard means reorganizing 93 controls into four themes, addressing 11 new requirements, and proving your documented information meets expanded Clause 6.1.2 expectations. Truvara’s ISO 27001:2022 control library ships with all 93 Annex A controls pre‑mapped to the four themes, with crosswalks to NIST CSF 2.0 and SOC 2 Trust Services Criteria built in. Automated evidence collection tracks configuration baselines (A.8.9), threat‑intelligence feeds (A.5.7), and cloud‑service security (A.5.23) — the three controls where transition audits most frequently find gaps. Real‑time compliance dashboards show which controls have current evidence, which need attention, and which new 2022 requirements still need to be assessed for applicability.
FAQ
Is the transition from ISO 27001:2013 to 2022 mandatory?
Yes. The International Accreditation Forum (IAF) mandated that all ISO 27001:2013 certificates expired on October 31, 2025. Any organization still operating under a 2013 certificate is technically non‑compliant. If your organization is currently certified on 2013, you need to complete transition immediately.
How long does ISO 27001:2022 transition take?
The average organization completes transition in 4–6 months from gap assessment to external audit. Organizations with mature ISMS and limited cloud/physical infrastructure can move faster. Organizations with complex multi‑site environments or significant new‑control gaps should budget 6–9 months.
What’s the cost impact of the new controls?
Costs vary widely, but most firms see a 10–20% increase in audit and remediation expenses, largely driven by the need for new tooling (e.g., threat‑intelligence platforms) and additional documentation effort. Leveraging an integrated GRC platform like Truvara can reduce manual effort by up to 30%.
Do I need to redo my entire risk register?
Not necessarily. You’ll need to enrich existing entries with the additional context required by Clause 6.1.2 (e.g., asset‑level impact, interested‑party expectations). In many cases, it’s an extension rather than a complete rewrite.
Can I stay on ISO 27001:2013 if I’m only certified in a niche industry?
No. The IAF’s sunset policy applies universally, regardless of industry. Even niche sectors must transition or obtain a new certification based on the 2022 standard.
Key Takeaways
- Don’t treat the 114→93 reduction as a simplification – it’s a re‑architecture that moves many requirements into the main clauses.
- Prioritize the 11 new controls (especially Threat Intelligence, ICT readiness for BC, and Cloud‑service security) because auditors focus heavily on them.
- Update Clause 6.1.2 risk identification to include context, interested parties, and asset‑based assessments; this is a common source of non‑conformities.
- Map your existing documentation to the four new themes (Organizational, People, Physical, Technological) to streamline internal audits.
- Leverage an integrated GRC tool (e.g., Truvara) to automate evidence collection and maintain a live control dashboard throughout the transition.
- Set a realistic timeline: 4–6 months for well‑prepared firms, 6–9 months if you have extensive cloud or multi‑site footprints.
- Schedule a formal gap assessment now; the longer you wait, the tighter the auditor windows and the higher the cost.
Conclusion
The shift from ISO 27001:2013 to ISO 27001:2022 is more than a numbers game. It forces organizations to rethink how they structure, document, and prove their security controls. By understanding the four‑theme model, addressing the 11 new controls, and tightening risk‑identification processes, you can turn what looks like a daunting audit into an opportunity to modernize your ISMS. Start with a thorough gap analysis, update policies and evidence collection with a tool like Truvara, and set clear milestones for remediation and internal audit. With a disciplined approach, the transition can be completed efficiently, keeping your certification current and your security posture stronger than ever.