Written by Dan Wood – Group CISO – Cyberfort
ISO published the ISO 27001 standard to outline an information security management system (ISMS) in 2005. Since then, significant revisions have taken place in 2013 and 2022 to better reflect the evolving climate of cyber security threats and technologies. In this article we cover the most current control requirements as established in ISO 27001:2022 and key differences to ISO 27001:2013.
This article will explain how the 2022 version of ISO has evolved from its 2013 predecessor and the current controls that your organisation can implement to become ISO 27001 compliant.
Why was the standard updated?
ISO 27001:2013 served organisations well for nearly a decade, but the threat environment it was written for has evolved significantly. Cloud computing, remote working, supply chain attacks, and the fact that connected devices are used in work and personal lives every day have all fundamentally altered how risk presents itself. The 2022 revision was designed to reflect the changing threat landscape, aligning more closely with the broader ISO management system framework and incorporating lessons learned from widespread adoption of the 2013 standard.
Organisations that achieved certification under the 2013 version were given a transition period to move to the new standard, with the deadline for full transition set for October 2025. For any organisation that has not started its ISO 27001:2022 journey, it is now more important than ever to upgrade to the new certification standard.
What are the current ISO 27001 controls?
ISO 27001 controls form the backbone of the ISMS. They are designed to address risks to information security and ensure that critical data remains confidential, available, and protected against unauthorised modification (its integrity preserved). The controls are divided into four categories, or themes, under Annex A: organisational, people, physical, and technological measures.
Annex A in the ISO 27001:2013 standard included 114 controls across 14 domains, including access control, cryptography, and incident management. The 2022 update reorganised and modernised these controls to align with current cyber security challenges. Instead of 14 domains, the updated controls are grouped into four broader themes:
People: Addressing human factors in security, such as training and awareness
Organisational: Governance, risk management, and compliance practices
Physical: Protection of physical assets and locations
Technological: Safeguarding IT systems and infrastructure
The update aimed to simplify implementation and improve clarity as new threats emerge.
Key differences between ISO 27001:2022 and ISO 27001:2013
The shift from ISO 27001:2013 to ISO 27001:2022 introduced several notable changes:
Reduction and consolidation of controls
The number of controls has decreased from 114 to 93, with several consolidated to eliminate redundancy. For example, cryptographic policies and key management controls are now grouped under a single, streamlined control.
Introduction of “attributes” for enhanced context
The 2022 version introduces five attributes to help organisations understand the purpose and application of each control:
- Cyber security concepts
- Information security properties
- Operational capabilities
- Security domains
- Control types (preventive, detective, corrective)
These attributes allow for a more flexible and tailored approach to implementing controls based on organisational needs.
New controls to address emerging threats
Fourteen new controls have been added, reflecting advancements in technology and the rise of threats like ransomware and supply chain attacks.
The controls that have changed, and that must be addressed under the new standard, are arguably the most important thing for IT teams to understand. They were added because they reflect security challenges that were either absent or underrepresented in 2013. From our experience at Cyberfort, the main changes in the 2022 version that IT and Cyber Security teams need to focus on are:
- Threat intelligence (5.7) — Organisations must now demonstrate that they are actively gathering and acting on information about threats relevant to their environment. Ad hoc awareness of the threat landscape is no longer sufficient; there must be a structured process.
- Information security for use of cloud services (5.23) — Cloud infrastructure has become central to most organisations, yet the 2013 standard did not address it directly. The 2022 version requires organisations to establish and manage information security policies and controls specifically for cloud usage, covering acquisition, use, management, and exit from cloud services.
- ICT readiness for business continuity (5.30) — This control formalises the need for ICT continuity planning that is properly integrated into the organisation’s broader business continuity management.
- Physical security monitoring (7.4) — Surveillance and monitoring of physical premises to detect and deter unauthorised access is now an explicit requirement.
- Configuration management (8.9) — Secure configuration of hardware, software, services, and networks must be documented, implemented, monitored, and reviewed. This is a control that many organisations believed they were doing well, until they tried to evidence it formally.
- Information deletion (8.10) — Data deletion requirements, aligned with retention policies and privacy obligations, are now a standalone control rather than embedded within broader data handling guidance.
- Data masking (8.11) — The use of masking, pseudonymisation, and anonymisation to protect sensitive data is now explicitly required where appropriate.
- Data leakage prevention (8.12) — DLP as a formal control is a significant addition, requiring organisations to implement measures to detect and prevent the unauthorised disclosure of information.
- Monitoring activities (8.16) — Continuous monitoring of networks, systems, and applications to detect anomalous behaviour is now a named requirement.
- Web filtering (8.23) — Management of access to external websites to protect systems from malware and to prevent access to unauthorised web resources.
- Secure coding (8.28) — Secure software development principles must be applied to internally developed code, reflecting the growing importance of application security in the overall risk picture.
Taken together, these new controls show a clear picture of where ISO expected organisations to have gaps: cloud security, proactive threat intelligence, data governance, and continuous monitoring. For many IT teams, closing those gaps requires capabilities that are difficult to build in-house.
These changes may appear incremental, but they reflect a push toward greater rigour and demonstrability. Auditors will be looking for evidence of intentional, documented decision-making — not just good outcomes.
The transition challenge for IT and Cyber Security leaders
Understanding the changes is one thing. Managing the transition is another. For most IT and cyber security teams, the path from 2013 to 2022 certification involves several concurrent workstreams: gap analysis against the new controls, updating the Statement of Applicability, revising risk treatment plans, updating policies and procedures, and preparing staff for audit under the new requirements.
At the same time, the day job still needs to be completed. Incidents still happen. Projects still demand attention. Budgets still need defending. The result, for many organisations, is that the transition is delayed or delegated to team members who lack the bandwidth or specialist knowledge to execute it effectively. This is the context in which the value of a specialist MSSP and a platform partner like Vanta becomes clear.
How a specialist MSSP Partner can make the difference in achieving ISO 27001:2022
From our experience at Cyberfort helping hundreds of organisations to achieve the new ISO 27001 standard, we have discovered that most internal IT teams, however capable, simply do not have the time, skills or expertise to upgrade to the new standard on their own.
For example, at Cyberfort we can provide specialist knowledge across the full control set. The new Annex A controls, particularly threat intelligence, DLP, and continuous monitoring, require both technical capability and process maturity. A specialist MSSP will already have these capabilities deployed for multiple customers, meaning organisations benefit from experience that would take years to develop internally.
Continuous monitoring as a managed service: Control 8.16 requires ongoing monitoring of networks and systems. Building a credible in-house Security Operations Centre is expensive and resource-intensive. An MSSP provides this capability as a service, with 24/7 coverage, threat intelligence feeds, and experienced analysts, at a fraction of the cost of a comparable internal function.
Gap analysis and transition support: a specialist MSSP can conduct a structured gap analysis against ISO 27001:2022, identifying where current controls fall short and providing a prioritised remediation roadmap. This accelerates the transition and ensures that effort is focused where it matters most for certification.
Documentation and evidence management is one of the areas where many organisations struggle the most. During audits it is important that IT and Cyber Security teams can demonstrate that controls are not just in place but are operating effectively. An experienced MSSP helps build and maintain the evidence base (audit logs, configuration records, incident reports, and review documentation) that auditors expect to see.
Supply chain security has a greater emphasis placed on it in the 2022 standard. An MSSP operating across multiple customer environments has broad visibility of supply chain risk patterns and can bring that intelligence to bear on behalf of individual customers.
Finally, achieving certification is not the end of the journey; maintaining it requires continuous attention. An MSSP provides the ongoing management that keeps controls effective, ensures policies are reviewed and updated, and prepares the organisation for surveillance audits without creating resource peaks that can overwhelm internal teams.
Implementing ISO 27001 controls with Vanta
Implementing ISO 27001 controls can seem daunting, as discussed earlier in the article. But there is a way forward. At Cyberfort we have partnered with Vanta to deploy and deliver an automated compliance platform that helps organisations map existing controls to the updated standard, identify gaps, and implement changes seamlessly.
From our experience at Cyberfort we have seen first-hand how Vanta’s progress tracking and views of tests and controls overlap with complementary standards like SOC 2 and GDPR, which get you closer to multi-standard compliance for a fraction of the effort. The platform’s control mapping feature simplifies understanding how your current ISMS aligns with the 2022 framework, saving time and reducing complexity. Additionally, the platform’s continuous monitoring capability ensures that new controls like cloud service security are actively maintained, reducing the risk of non-compliance.
Final Thoughts
For IT teams, the move from ISO 27001:2013 to ISO 27001:2022 is not simply a compliance exercise. It is an opportunity to modernise the organisation’s security posture, address genuine gaps in cloud security and data governance, and demonstrate to customers, partners, and regulators that information security is taken seriously at every level.
The organisations that will navigate this transition most successfully are those that approach it strategically, treating the new standard not as a checklist to satisfy, but as a framework for building real resilience. A specialist MSSP, with the right expertise and the right compliance platforms like Vanta, is the partner that makes that outcome achievable.
The transition deadline has already passed. The question for IT teams is no longer whether to act, but how quickly they can get there, and who they choose to make the journey with them.
If you want to learn more about how to implement ISO 27001 controls effectively contact us at [email protected] and one of our experts will be in touch.