ISO/IEC 27001:2022

• Annex A restructured from 114 controls in 14 clauses to 93 controls in 4 themes (Organisational, People, Physical, Technological).
• 11 new controls introduced (see list below).
• 24 controls merged from 56 of the 2013 controls.
• 58 controls updated; 1 control split.
• Each control now carries five attributes (Control type, Information security properties, Cybersecurity concepts, Operational capabilities, Security domains) to support filtering and reporting.
• Management-system clauses (4–10) aligned with the latest Harmonised Structure used across ISO management-system standards (ISO 9001, 13485, 14001 alignment).
• Amendment 1 (Feb 2024) added climate-change consideration to clauses 4.1 and 4.2.

1. A.5.7 — Threat intelligence
2. A.5.23 — Information security for use of cloud services
3. A.5.30 — ICT readiness for business continuity
4. A.7.4 — Physical security monitoring
5. A.8.9 — Configuration management
6. A.8.10 — Information deletion
7. A.8.11 — Data masking
8. A.8.12 — Data leakage prevention
9. A.8.16 — Monitoring activities
10. A.8.23 — Web filtering
11. A.8.28 — Secure coding

IAF MD 26 set the transition window. Certification bodies could perform 2022-edition certification or transition audits from October 2023 onward. The hard cut-off is 31 October 2025: certificates issued under ISO/IEC 27001:2013 expire or are withdrawn on that date regardless of their original validity period. Organisations that have not transitioned by then lose certified status.

• Transition audit may be combined with a planned surveillance or recertification audit, with additional audit time (typically 0.5 day per major site for small organisations, more for complex scopes).
• Statement of Applicability (SoA) must be updated to reference Annex A of the 2022 edition.
• Risk treatment plan must address the 11 new controls — either applying them, or providing a documented exclusion justification.
• Internal audit and management review records since the last surveillance should cover the transitioned scope.
• Amendment 1 (climate change) applies from the date of the next surveillance audit; the SoA need not separately reference Amd 1 — the change is in clauses 4.1 and 4.2.

The SoA is the spine of the ISMS. The 2022 transition is an opportunity to rebuild it deliberately rather than mechanically remapping the old controls. A clean approach:

1. Start from the risk register, not the Annex. Identify the risks that matter to the business and the controls that treat them.
2. Map those controls to the 2022 Annex A reference set. Use the 5 attributes to slice the controls by capability or domain when reviewing coverage.
3. Identify Annex A controls not currently covered. Decide: apply, apply partially, or exclude with justification. The 11 new controls deserve explicit treatment decisions even if existing implementations already satisfy them.
4. Document the source of each implemented control (policy, system, configuration, contract, training). This is what the certification body samples.
5. Confirm management responsibility for the SoA's contents (who signs off on inclusions and exclusions).

Amd 1:2024 (published February 2024) inserted into clause 4.1 the requirement to determine whether climate change is a relevant issue for the ISMS, and into clause 4.2 the obligation to consider whether interested parties have climate-change-related requirements. The amendment applies across the entire ISO management-system family (9001, 13485, 14001, 27001, etc.). For most organisations, the operational change is small: document the consideration, even if the conclusion is that climate change does not materially affect information-security objectives.

27001 is not a GxP standard, but it is increasingly the baseline expectation for any cloud or SaaS provider serving GxP, HIPAA, GDPR or financial-services customers. Customer audits, RFP responses, vendor-risk questionnaires (SIG, CAIQ) and DPA negotiations all reference 27001 controls. A current 2022-edition certificate is the operational shortcut that avoids per-customer bespoke assurance work.

• GxP cloud providers — 27001 + SOC 2 Type II is the de facto floor; pharma customers expect both.
• Medical device manufacturers building SaMD with cloud back-ends — 27001 underpins the cloud-security responsibility split.
• Food and supplement manufacturers running ERP/MES/QMS in SaaS — 27001 underpins the supplier qualification of those vendors.
• HIPAA covered entities and business associates — 27001 controls overlap heavily with the HIPAA Security Rule.
• GDPR data processors — 27001 is one route to demonstrating Article 32 'appropriate technical and organisational measures'.

• Mechanical control remap with no rethink of the underlying risks.
• Treating exclusions as the default for the 11 new controls; certification bodies will scrutinise blanket exclusions.
• Forgetting to update internal audit programme scope to the 2022 reference set before the transition audit.
• Missing the 31 October 2025 cut-off and finding the certificate withdrawn rather than transitioned.
• Treating Amendment 1 (climate change) as a documentation tick-box without considering whether climate-related physical or transition risks actually affect the ISMS scope (data-centre location risk, supply-chain disruption).