The wait is over. On 25 October 2022, ISO published ISO/IEC 27001:2022 — the first major revision to the information security management standard in nearly a decade. If your organisation is currently certified to ISO 27001:2013, or in the middle of pursuing certification, this update affects you directly.

This is not a cosmetic refresh. The 2022 revision introduces structural changes, new controls, and updated language that will require organisations to revisit their ISMS design, their Statement of Applicability, and their risk treatment approach. The good news: you have a transition window. The important thing right now is to understand what has changed — and start planning before the queue at certification bodies gets long.

The Standard Has a New Structure

The most visible change in ISO 27001:2022 is the complete overhaul of Annex A. The 2013 version organised information security controls into 14 control categories containing 114 individual controls. The 2022 version replaces that with 93 controls grouped into four themes:

Fewer controls does not mean less rigour. Many of the 114 controls from 2013 have been merged, consolidated, or renamed. Eleven brand-new controls have been introduced that reflect modern security challenges: threat intelligence, cloud service security, secure coding, data masking, web filtering, and more. These are not optional — they require consideration and a documented justification in your Statement of Applicability if you choose not to implement them.

What Is New — The 11 Controls That Did Not Exist Before

The following controls appear in ISO 27001:2022 for the first time. If your ISMS was designed against the 2013 standard, none of these currently have a home in your documentation:

For organisations that build software, manage cloud infrastructure, or handle sensitive personal data, several of these will be immediately applicable. For those who are not sure, that determination belongs in a formal gap analysis — not a quick internal meeting.

The Transition Timeline: What You Need to Know Right Now

ISO typically grants a three-year transition period when it publishes a new version of a major standard. For ISO 27001:2022, this means organisations have until October 2025 to complete their transition from the 2013 standard.

Three years sounds like a long time. It is not — particularly for organisations that need to schedule surveillance audits, recertification audits, and manage the documentation work alongside day-to-day operations. Certification bodies are also not infinitely scalable. As the transition deadline approaches, audit scheduling windows will tighten.

The organisations that will transition smoothly are the ones that start planning now, while the standard is fresh and the deadlines feel comfortable.

What a Transition Actually Requires

If you are currently certified to ISO 27001:2013, transitioning to the 2022 version is not a re-implementation from scratch. But it is also not a quick document swap. A transition requires:

For organisations pursuing certification for the first time, there is a simpler answer: certify against ISO 27001:2022 now. There is no reason to invest in implementing a standard that will be retired in three years.

Why This Matters Beyond the Certificate

ISO 27001:2022 is not just a compliance milestone. It is a framework that, when properly implemented, makes your organisation genuinely harder to compromise. The new controls — particularly around threat intelligence, cloud security, and secure development — address the attack surfaces that are being actively exploited today.

Organisations that treat this transition as a documentation exercise will end up with a certificate and a fragile ISMS. Organisations that treat it as an opportunity to genuinely modernise their information security posture will end up with both.

At Bitsecura, our ISO 27001 work is delivered by certified Lead Implementers — not junior consultants working from a generic template. Whether you are starting fresh with ISO 27001:2022 or planning your transition from 2013, we will give you a straight assessment of where you stand and what needs to happen next.

If you want to talk through what the 2022 update means for your organisation specifically, get in touch here. No pitch, no obligation.


Bitsecura provides ISO 27001 implementation, internal audit, and ISMS maintenance services. Learn more about our ISO 27001 services.