ISO/IEC 27001:2022, Transition From 2013 and What Must Happen by October 2026
The transition window to ISO/IEC 27001:2022 has closed. Certifications still running on the 2013 version lost their validity on 31 October 2025. A structured look at the new controls, themes, and the non-negotiable re-certification on the current standard.
The international standard for information security management systems, ISO/IEC 27001, was re-published in a fundamentally revised edition in October 2022. The International Accreditation Forum (IAF) set a three-year transition window in its mandatory document IAF MD 26: certifications against the predecessor ISO/IEC 27001:2013 lost their validity on 31 October 2025. That window has now closed. Any organisation that has not migrated to the 2022 edition and passed a transition audit by that date is operating without a valid certificate, even if the printed certificate is still pinned to the wall.
What changed in the 2022 edition
The main body of the standard (clauses 4 to 10) was only editorially revised; the core structure of a risk-based information security management system (ISMS) remains unchanged. The real rework happened in Annex A, the catalogue of controls from which organisations draw when compiling their Statement of Applicability (SoA).
From 114 to 93 controls
Annex A now lists 93 controls instead of 114. The reduction is not a simplification but the result of consolidation: 24 controls from the old edition were merged, 58 revised, 35 renamed and 11 are entirely new. At the same time, the old 14 theme areas have been restructured into four:
| Theme | Controls | Focus |
|---|---|---|
| A.5 Organisational controls | 37 | Policies, responsibilities, suppliers, cloud, incidents |
| A.6 People controls | 8 | HR, awareness, disciplinary processes, remote work |
| A.7 Physical controls | 14 | Physical access, facility security |
| A.8 Technological controls | 34 | Access control, cryptography, network security, development |
The 11 new controls
The newly introduced controls reflect the risk reality of recent years: cloud adoption, the evolving threat landscape and data handling.
- A.5.7 Threat intelligence: structured collection, analysis and use of threat information.
- A.5.23 Information security for use of cloud services: risk and contract management for cloud services.
- A.5.30 ICT readiness for business continuity: ICT readiness as part of business continuity management.
- A.7.4 Physical security monitoring: monitoring of physical areas (alarm systems, video surveillance).
- A.8.9 Configuration management: secure configuration of hardware, software, services and networks.
- A.8.10 Information deletion: documented deletion of information no longer required.
- A.8.11 Data masking: masking of personal and sensitive data.
- A.8.12 Data leakage prevention: technical and organisational measures to prevent data leakage.
- A.8.16 Monitoring activities: continuous monitoring of networks, systems and applications.
- A.8.23 Web filtering: controlling access to external websites to reduce malware exposure.
- A.8.28 Secure coding: principles of secure software development.
Five new attributes per control
Each control in Annex A now carries five attributes that can be used in filters and reporting:
- Control type: preventive, detective, corrective
- Information security properties: confidentiality, integrity, availability
- Cybersecurity concepts: identify, protect, detect, respond, recover (aligned to the NIST CSF)
- Operational capabilities: governance, asset_management, identity_and_access_management and so on (15 in total)
- Security domains: governance_and_ecosystem, protection, defence, resilience
These attributes are not an additional requirement, but they are a useful tool in practice: they simplify mapping to other frameworks (NIST CSF, TISAX, SOC 2) and the presentation of controls to customers or supervisory authorities.
On the management system (clauses 4–10)
The core duties remain: context of the organisation (clause 4), leadership (5), planning including risk assessment and treatment (6), support (7), operation (8), performance evaluation (9), improvement (10). The smaller but consequential changes: clause 6.2 now explicitly requires monitoring of information security objectives; clause 6.3 is new and formalises management of changes to the ISMS; clause 9.3 tightens the management review structure.
Why customers and regulators are demanding the 2022 edition
ISO/IEC 27001:2022 has quietly become the de-facto standard in enterprise RFPs and in regulated environments. This is particularly true for supplier assessments by large corporates, for public-sector procurement, for sector standards such as TISAX (automotive) and for evidencing the security measures required by Art. 32 GDPR. Germany's BSI IT-Grundschutz already publishes cross-reference tables mapping to the 2022 controls. Anyone still operating on the 2013 edition in 2026 will stand out in any serious due diligence, and for the wrong reason.
A typical transition project
1. Gap analysis against the 2022 edition: map existing controls to the new structure and assess the applicability of the new controls.
2. Revise the Statement of Applicability (SoA): refresh the justification (including exclusions) for every control.
3. Refresh the risk assessment and risk treatment: re-evaluate cloud, supply-chain and data-leakage risks in particular.
4. Adjust policies and procedures: document threat intelligence, information deletion, data masking and secure coding.
5. Awareness and training: bring staff up to speed on the new controls (especially cloud, DLP, web filtering).
6. Internal audit and management review: verify effectiveness before the certification body arrives.
7. Transition or re-certification audit by an accredited certification body: formal confirmation of the new certificate.