Detailed analysis of differences between ISO 27001:2013 and ISO 27001:2022. Annex A restructuring, new controls, transition deadlines, and migration strategy.
The transition from ISO 27001:2013 to the 2022 version represents the most significant update in a decade. Although the main body requirements (clauses 4-10) underwent minor changes, Annex A was completely restructured: from 114 controls in 14 domains to 93 controls in 4 thematic categories. Organizations certified under the 2013 version had to complete the transition by October 2025.
| Aspect | ISO 27001:2013 | ISO 27001:2022 |
|---|---|---|
| Annex A structure | 114 controls organized in 14 domains (A.5 to A.18): security policies, organization, human resources, asset management, access control, cryptography, physical security, operations, communications, development, suppliers, incidents, continuity, and compliance. | 93 controls reorganized into 4 thematic categories: organizational (37), people (8), physical (14), and technological (34). The restructuring eliminated redundancies, consolidated related controls, and added 11 new controls reflecting current threats. |
| New controls | Not applicable. The 2013 version was the standard in force for nearly a decade without control updates. | 11 new controls: threat intelligence (A.5.7), cloud security (A.5.23), ICT readiness for continuity (A.5.30), physical security monitoring (A.7.4), configuration management (A.8.9), information deletion (A.8.10), data masking (A.8.11), data leakage prevention (A.8.12), monitoring activities (A.8.16), web filtering (A.8.23), and secure coding (A.8.28). |
| Control attributes | Controls did not include metadata or categorization beyond their domain. Each control's assessment was based solely on its description and the ISO 27002:2013 implementation guidance. | Each control includes 5 classification attributes: type (preventive, detective, corrective), security property (CIA), cybersecurity concept (NIST), operational capability, and security domain. This facilitates filtering and prioritization based on organizational context. |
| Main clause changes | Clauses 4 to 10 established the original management system requirements: context, leadership, planning, support, operation, performance evaluation, and improvement. | Minor but significant changes: clause 4.2 requires explicitly analyzing which interested party requirements will be addressed via the ISMS. Clause 6.3 introduces planned change management for the ISMS. Clause 8.1 reinforces operational planning of controls for external processes, products, and services. |
| Transition deadline | ISO 27001:2013 certifications became invalid on October 31, 2025. Organizations that did not complete the transition lost their certification and must restart the process under the 2022 version. | All new certifications and recertifications are conducted exclusively under ISO 27001:2022. Certification bodies have been auditing the 2022 version since April 2024. |
The 2022 version is not a radical change but a necessary evolution. The 11 new controls reflect threats that did not exist or were not prevalent in 2013: cloud security, threat intelligence, data leakage prevention, and secure coding. For organizations with the 2013 version, transition required updating the SoA, evaluating new controls, and adjusting documentation. For new implementations, the 2022 version offers a more logical structure aligned with the current threat landscape.
Since November 2025, 2013 certifications are no longer valid, and a certification process under ISO 27001:2022 must be initiated. However, the experience and documentation from the previous ISMS can be leveraged: migration is significantly faster than implementation from scratch.
Not all 93 controls are mandatory. As in the 2013 version, the organization selects the applicable controls through the Statement of Applicability (SoA), and each exclusion must be justified based on the risk assessment. In practice, however, controls such as threat intelligence and cloud security are difficult to exclude for most modern organizations.
For organizations with a mature ISMS, the technical transition can be completed in 3-6 months. The process includes: gap analysis against the 2022 version, SoA update with the 11 new controls, documentation adjustment, and transition audit by the certification body.
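The gap analysis and SoA update described in the transition steps above, and the attribute-based filtering mentioned in the control-attributes row of the table, can be scripted. The following is an added example, not part of the original article and not an official ISO tool: it takes a constructed SoA fragment (CSV lines keyed by 2022 control id), checks it against the 11 new Annex A controls named in the article, reports new controls that still lack a decision and exclusions without a justification, and lets you filter the catalogue by attribute. The control-type and cybersecurity-concept tags attached to each control are illustrative values chosen for this example, not the official ISO 27002:2022 attribute assignments.

```python
"""Added example: SoA gap check for the ISO 27001:2013 -> 2022 transition.

The 11 control ids and names come from the article; the attribute tags are
illustrative values for this example, NOT the official ISO 27002:2022 tagging.
"""
import csv
import io
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    cid: str               # Annex A identifier in the 2022 numbering
    name: str
    ctype: frozenset       # illustrative "control type" attribute
    concepts: frozenset    # illustrative "cybersecurity concept" attribute


# The 11 new controls introduced by ISO 27001:2022 (ids/names from the article).
NEW_CONTROLS_2022 = [
    Control("A.5.7", "Threat intelligence",
            frozenset({"preventive", "detective", "corrective"}),
            frozenset({"identify", "detect", "respond"})),
    Control("A.5.23", "Cloud security",
            frozenset({"preventive"}), frozenset({"protect"})),
    Control("A.5.30", "ICT readiness for business continuity",
            frozenset({"corrective"}), frozenset({"respond"})),
    Control("A.7.4", "Physical security monitoring",
            frozenset({"preventive", "detective"}), frozenset({"protect", "detect"})),
    Control("A.8.9", "Configuration management",
            frozenset({"preventive"}), frozenset({"protect"})),
    Control("A.8.10", "Information deletion",
            frozenset({"preventive"}), frozenset({"protect"})),
    Control("A.8.11", "Data masking",
            frozenset({"preventive"}), frozenset({"protect"})),
    Control("A.8.12", "Data leakage prevention",
            frozenset({"preventive", "detective"}), frozenset({"protect", "detect"})),
    Control("A.8.16", "Monitoring activities",
            frozenset({"detective", "corrective"}), frozenset({"detect", "respond"})),
    Control("A.8.23", "Web filtering",
            frozenset({"preventive"}), frozenset({"protect"})),
    Control("A.8.28", "Secure coding",
            frozenset({"preventive"}), frozenset({"protect"})),
]

# Constructed SoA fragment: only some of the new controls have a decision yet,
# and one exclusion (A.5.30) has no justification, which the standard requires.
SAMPLE_SOA = """control_id,status,justification
A.5.7,applicable,Threat feeds consumed by the SOC
A.5.23,applicable,Production workloads run on a public cloud provider
A.5.30,excluded,
A.8.9,applicable,Baseline configurations managed as code
A.8.12,excluded,No confidential data leaves the internal network
"""


def parse_soa(text):
    """Parse CSV SoA text into {control_id: row}; whitespace is stripped."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["control_id"].strip(): {k: (v or "").strip() for k, v in r.items()}
            for r in rows}


def gap_analysis(soa, catalog=NEW_CONTROLS_2022):
    """Return (new controls with no SoA entry, exclusions lacking a justification)."""
    missing = [c.cid for c in catalog if c.cid not in soa]
    unjustified = [cid for cid, row in soa.items()
                   if row["status"] == "excluded" and not row["justification"]]
    return missing, unjustified


def filter_controls(catalog=NEW_CONTROLS_2022, ctype=None, concept=None):
    """Filter the catalogue by attribute, e.g. all detective controls."""
    return [c.cid for c in catalog
            if (ctype is None or ctype in c.ctype)
            and (concept is None or concept in c.concepts)]


if __name__ == "__main__":
    soa = parse_soa(SAMPLE_SOA)
    missing, unjustified = gap_analysis(soa)
    print("New controls without an SoA decision:", missing)
    print("Exclusions without justification:", unjustified)
    print("Detective controls among the new ones:", filter_controls(ctype="detective"))
```

Running the script on the constructed SoA lists six new controls that still need a decision and flags A.5.30 as an exclusion without a justification; replacing `SAMPLE_SOA` with an export of a real SoA gives the starting point for the documentation update step.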