ISO 27001:2022

ISO 27001:2022


The new version of ISO 27001 will be released sometime in the Q4 2022.


Major changes will be:

1. Clauses 4 to 10, are not changing

2. Security controls listed in ISO 27001 Annex A will be updated

3. Number of controls has decreased from 114 to 93

4. Controls are placed in 4 sections instead of previous 14

5. 11 new controls added, while none of the controls were deleted, and many controls were merged.


"ISO/IEC 27001:2022" sections:

ISO 27001:2022
ISO 27001:2013 equivalent
A.5.7 Threat intelligence
A.6.1.4 Contact with special interest groups
A.5.16 Identity management
A.9.2.1 User registration and de-registration
A.5.23 Information security for use of cloud services
A.15.x Supplier relationships
A.5.29 Information security during disruption
A.17.1.x Information security continuity
A.5.30 ICT readiness for business continuity
A.17.1.3 Verify, review and evaluate information security continuity
A.7.4 Physical security monitoring
A.9.2.5 Review of user access rights
A.8.9 Configuration management
A.14.2.5 Secure system engineering principles
A.8.10 Information deletion
A.18.1.3 Protection of records
A.8.11 Data masking
A.14.3.1 Protection of test data
A.8.12 Data leakage prevention
A.12.6.1 Management of technical vulnerabilities
A.8.16 Monitoring activities
A.12.4.x Logging and monitoring
A.8.23 Web filtering
A.13.1.2 Security of network services
A.8.28 Secure coding
A.14.2.1 Secure development policy


  • A.5.7 Threat intelligence - This control requires organizations to collect and analyze information about threats and mitigate them appropriately. Types of information could include data about specific attacks, methods the attackers are using, and types of attacks. Information should be gathered internally, and from external sources such as vendor reports, government bodies, and industry announcements.
  • A.5.23 Information Security for Use of Cloud Services - Requires that security requirements for cloud services are set for the protection of sensitive information in the cloud. Included in this control should be policies on buying, utilizing, managing, and ending the use of cloud services.
  • A.5.30 ICT Readiness for Business Continuity - This control requires that people, processes, and systems are prepared in the event of disruptions so that key information and assets are available when required.
  • A.7.4 Physical Security Monitoring - Sensitive areas must be monitored to ensure only authorized personnel can access them. This could include offices, production facilities, warehouses, and other key physical premises.
  • A.8.9 Configuration Management - This requires the management of device configurations for security in all technologies and systems. The intent is consistency in security levels and control of unauthorized changes.
  • A.8.10 Information Deletion - This addresses deletion of data when no longer needed or when storage times exceed documented retention periods. The intent is to control the potential for leakage of sensitive data and to comply with any relevant privacy and other requirements. Deletions could include data in IT systems, removable media, or cloud services.
  • A.8.11 Data Masking - This control requires that data masking is used in combination with appropriate access controls to reduce the likelihood of exposure of sensitive information. This control is particularly focused on personal data as this is strongly regulated via privacy regulations for example in jurisdictions such as the EU this also applies to other forms of sensitive data as relevant to the organization.
  • A.8.12 Data Leakage Prevention - This control requires the application of Data Leakage Prevention (DLP), measures to avoid unauthorized disclosure of sensitive information This also covers the inclusion of measures for the detection of incidents in a timely manner.
  • A.8.16 Monitoring Activities - This requires the management and monitoring of systems to identify unusual activity and to instigate appropriate incident responses.
  • A.8.23 Web Filtering - The new guidance states that outbound web traffic should be filtered to prevent malware from connecting to command and control servers, as well as to prevent traffic to other malicious websites.
  • A.8.28 Secure Coding - The new guidance states that secure coding principles shall be applied to minimize vulnerabilities in code. The current control set requires rules for the secure development of software and systems, while the new control language is focused on the application and implementation of code security practices.