If your business is already certified to ISO 27001:2013, you may have heard about the updated 2022 version and wondered what it actually means in practice. The good news is that this is not a complete overhaul. Instead, it is more of a refinement, designed to reflect how businesses work today and the evolving nature of information security risks.
In this guide, we break down the transition in simple terms and explain what really matters when moving from the 2013 controls to the 2022 update.
Why was ISO 27001 updated?
Since 2013, the way organisations handle data has changed significantly. Cloud computing, remote working, and increased cyber threats have all reshaped the security landscape.
The 2022 update was introduced to keep the standard relevant and practical. It aims to simplify the structure, remove duplication, and better reflect modern risks without changing the overall purpose of ISO 27001.
What has actually changed?
One of the main updates is the structure of Annex A, which contains the security controls organisations use to manage risk.
Under ISO 27001:2013, there were 114 controls. In the 2022 version, this has been streamlined to 93 controls. While this may sound like a reduction, it does not mean less security. Many controls have been merged, updated, or clarified to make them easier to understand and apply.
The controls are now grouped into four key themes:
- Organisational
- People
- Physical
- Technological
This new structure is more intuitive and reflects how businesses typically operate.
New controls to be aware of
The 2022 update also introduces several new controls that focus on modern risks. These include areas such as:
- Threat intelligence
- Information security for cloud services
- Data masking
- Monitoring activities
- Secure coding
In simple terms, these additions recognise that businesses are increasingly digital and need to take a more proactive approach to identifying and managing threats.
What has stayed the same?
It is important to note that the core principles of ISO 27001 have not changed. You still need to:
- Identify risks to your information
- Put controls in place to manage those risks
- Document your processes
- Continually review and improve your system
If you already have a well-functioning Information Security Management System in place, you are likely already covering much of what is required.
What does the transition involve?
Moving from ISO 27001:2013 to 2022 is more about reviewing and updating than starting again.
In practical terms, this means:
- Mapping your existing controls against the new structure
- Identifying any gaps, particularly around the new controls
- Updating your documentation and policies where needed
- Ensuring your risk assessment reflects current threats
- Training staff on any relevant changes
For many organisations, this process is straightforward, especially with the right support.
Breaking it down in simple terms
If you think of ISO 27001:2013 as a well-organised filing system, the 2022 update is like reorganising those files into clearer categories, removing duplicates, and adding a few new folders for things that did not exist before.
You are not throwing everything away. You are simply making it more efficient and better suited to how your business operates today.
Why the transition matters
Updating to ISO 27001:2022 is not just about maintaining certification. It is about ensuring your approach to information security keeps pace with real-world risks.
Cyber threats continue to evolve, and businesses need to be proactive in how they respond. The updated standard helps you do this in a structured and practical way.
It also demonstrates to clients, partners, and stakeholders that you are committed to keeping your systems up to date and your data secure.
Making the process manageable
For many businesses, the idea of transitioning to a new version of a standard can feel daunting. However, this update has been designed to be manageable, particularly for organisations that are already certified.
Taking a step-by-step approach, reviewing your current setup, and focusing on the areas that have changed will help keep the process clear and achievable.
Moving forward with confidence
The move from ISO 27001:2013 to 2022 is an opportunity rather than a challenge. It allows you to refine your processes, address modern risks, and strengthen your overall approach to information security.
With the right understanding and support, the transition can be smooth, practical, and beneficial for your business in the long term.