ISO/IEC 27001:2022 is the current version of the international standard for an information security management system (ISMS). Published in October 2022, it reorganised Annex A into 93 controls under four themes and added 11 new controls. The 2013 version is retired; 2022 is the version organisations now certify against.
What ISO 27001:2022 is
ISO/IEC 27001 is the international standard that specifies the requirements for an information security management system. It sets out how an organisation should identify information security risks, decide what to do about them, and run a system that keeps those decisions current as the business changes. It is the standard buyers most often ask a SaaS company to hold.
The 2022 edition replaced the 2013 edition. The management-system requirements in clauses 4 to 10 stayed broadly the same, but Annex A, the catalogue of security controls, was restructured and updated to reflect how organisations now work: cloud services, remote working, and a wider supply chain. The transition period for existing certificates ran to the end of October 2025, so 2013 certificates are no longer valid and 2022 is the only version in force.
The clause structure: clauses 4 to 10
ISO 27001 is built in two parts. Clauses 4 to 10 are the management-system requirements, and they are what an accredited body certifies you against. Annex A is a reference set of controls you draw on to treat the risks you identify. The clauses are mandatory; the controls are selected based on your risk assessment.
- Clause 4 Context of the organisation: define the scope of the ISMS and the internal and external issues and interested parties that affect it.
- Clause 5 Leadership: top management ownership, the information security policy, and assigned roles and responsibilities.
- Clause 6 Planning: risk assessment, risk treatment, the Statement of Applicability, and information security objectives. The 2022 edition added a sub-clause on planning of changes.
- Clause 7 Support: resources, competence, awareness, communication and documented information.
- Clause 8 Operation: carrying out the risk assessment and treatment in practice and controlling operational changes.
- Clause 9 Performance evaluation: monitoring and measurement, internal audit and management review.
- Clause 10 Improvement: handling nonconformities, corrective action and continual improvement.
You select the controls that treat your risks and record your decisions in a Statement of Applicability, which lists every Annex A control, whether it applies, and why. Building this is the core of an ISO 27001 implementation.
Annex A: the 93 controls and the four themes
The 2013 edition listed 114 controls across 14 domains. The 2022 edition consolidated these into 93 controls, removing duplication and merging overlapping items rather than dropping protection. The controls are now grouped under four themes instead of 14 domains, which makes the catalogue shorter to work through and easier to map to who owns each area.
- Organisational controls (A.5): 37 controls covering policies, roles, supplier relationships, cloud services, incident management and continuity.
- People controls (A.6): 8 controls covering screening, terms of employment, awareness, disciplinary process and remote working.
- Physical controls (A.7): 14 controls covering secure areas, equipment, physical entry and physical security monitoring.
- Technological controls (A.8): 34 controls covering access, cryptography, secure configuration, logging, secure development and data leakage prevention.
Each control in 2022 also carries a set of attributes, such as control type, information security properties and security domains, that let you filter and sort the catalogue. The attributes are an aid to navigation; they are not themselves requirements.
The 11 new controls introduced in 2022
The 2022 edition introduced 11 controls that did not exist in 2013. They address risks that have become routine since the previous revision, particularly cloud adoption, distributed working and software supply chain security.
- A.5.7 Threat intelligence: collecting and analysing information about threats to inform your defences.
- A.5.23 Information security for use of cloud services: security across the cloud lifecycle, from acquisition through use to exit.
- A.5.30 ICT readiness for business continuity: making sure technology can recover and continue during a disruption.
- A.7.4 Physical security monitoring: monitoring premises for unauthorised physical access.
- A.8.9 Configuration management: establishing and maintaining secure configurations for hardware, software and services.
- A.8.10 Information deletion: deleting data when it is no longer needed to reduce exposure.
- A.8.11 Data masking: masking data to limit exposure of sensitive information, including personal data.
- A.8.12 Data leakage prevention: measures to stop sensitive data leaving systems and networks.
- A.8.16 Monitoring activities: monitoring networks and systems for anomalous behaviour.
- A.8.23 Web filtering: managing access to external websites to reduce exposure to malicious content.
- A.8.28 Secure coding: applying secure coding principles so security is built into software from the start.
The remaining controls were carried over from 2013, with some merged and many reworded. If you certified under the 2013 edition in the past, the work of moving to 2022 was largely mapping your existing controls to the new structure and closing the gaps these 11 additions created.
How ISO 27001 certification works
Certification is carried out by an accredited certification body, not by the consultancy that helps you prepare. You run a gap analysis against the standard, build the management system and controls you are missing, then run an internal audit to test that the system works before the external audit. Independent testing at this stage is a requirement, which is why teams use an ISO 27001 internal audit before they invite the certification body in.
The external assessment runs in two stages. Stage 1 reviews your documentation and confirms the ISMS is designed and ready to be audited. Stage 2 tests how the system works in practice, sampling evidence that the controls operate as described. Clear both and the certification body issues your certificate.
An ISO 27001 certificate runs on a three-year cycle. The certificate is valid for three years, with surveillance audits, usually annual, that check the ISMS is still operating and improving. At the end of the three years a recertification audit renews the certificate for a further cycle. Maintaining certification is therefore ongoing work, not a one-off project.
How Atoro helps
Atoro is Europe’s first ISO 42001 certified consultancy, with more than 200 certifications delivered across security and compliance. We run ISO 27001 implementation on a fixed scope and provide independent ISO 27001 internal audits for teams that have built the system and need it tested before certification. If you are weighing ISO 27001 against a SOC 2 report, our guide to ISO 27001 vs SOC 2 sets out how to decide.
ISO 27001:2022 FAQs
When was ISO 27001:2022 published?
ISO/IEC 27001:2022 was published in October 2022. It replaced the 2013 edition. The transition period for organisations holding 2013 certificates ran to the end of October 2025, so 2022 is now the only version in force.
How many controls does ISO 27001:2022 have?
Annex A of ISO 27001:2022 contains 93 controls, down from 114 in the 2013 edition. They are grouped under four themes: organisational, people, physical and technological. You select the applicable controls in a Statement of Applicability based on your risk assessment.
What are the four control themes in ISO 27001:2022?
The four themes are organisational controls (A.5), people controls (A.6), physical controls (A.7) and technological controls (A.8). They replace the 14 domains used in the 2013 edition and make the control set shorter to work through and easier to assign to owners.
What are the 11 new controls in ISO 27001:2022?
They are threat intelligence, information security for use of cloud services, ICT readiness for business continuity, physical security monitoring, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, web filtering, and secure coding. They address cloud, remote working and software supply chain risks.
Is ISO 27001:2013 still valid?
No. The transition period ended in October 2025, so ISO 27001:2013 certificates are no longer valid. Any new certification is to the 2022 edition, and organisations that held the 2013 certificate had to transition before the deadline to keep certification.
How does ISO 27001 certification work?
An accredited certification body assesses you in two stages. Stage 1 reviews your documentation to confirm the management system is ready; Stage 2 tests how it works in practice. Pass both and you receive your certificate, maintained by surveillance audits over a three-year cycle.
What is the difference between the clauses and Annex A?
Clauses 4 to 10 are the mandatory management-system requirements an auditor certifies you against. Annex A is a reference catalogue of 93 controls you draw on to treat the risks you identify. You record which controls apply, and why, in a Statement of Applicability.
How long is an ISO 27001 certificate valid?
An ISO 27001 certificate is valid for three years. During that time the certification body runs surveillance audits, usually annual, to confirm the management system is still operating. A recertification audit at the end of the cycle renews the certificate for a further three years.