ISO 27001:2022 updates (and what they mean for your organization)
ISO/IEC 27001:2022 and ISO/IEC 27002:2022 introduced the biggest Annex A refresh in years. If you’re already certified—or planning to certify—you’re likely asking the same questions:
- What changed (and what didn’t)?
- How do the Annex A controls map now?
- What does this mean for my Statement of Applicability (SoA), evidence, and audits?
This guide breaks down the changes and gives you a practical “what to do next” path.
Related guides:
- How long does it take to get ISO 27001 certified?
- How much does ISO 27001 certification cost in 2026?
- The ISO 27001 compliance checklist
- ISO 27001 documentation template (free download)
Key takeaways
- The ISMS management clauses (4–10) aren’t the main change—most work is in Annex A mapping, documentation, and evidence updates.
- Annex A moved from 114 controls to 93 controls and is now organized into 4 themes instead of 14 categories.
- Controls now have “attributes” (metadata) to help categorize intent and usage; attributes aren’t mandatory, but they’re useful for mapping and reporting.
- “Net-new” controls reflect modern risk realities (cloud services, configuration management, data leakage prevention, secure coding, etc.).
- If you’re certified, treat the update as a controlled transition project: update SoA mappings, validate evidence, and close gaps before your next audit cycle.
Formal publication (and what’s actually new)
- ISO/IEC 27002:2022 (implementation guidance for controls) was published in February 2022.
- ISO/IEC 27001:2022 (the certifiable requirements standard) was published in October 2022.
The practical effect is that Annex A controls in ISO 27001:2022 are aligned with the control guidance structure in ISO 27002:2022—so the controls feel more modern, more consistent, and easier to map across frameworks.
Transition timeline (what it means in practice)
ISO certifications operate on audit cycles, so changes like this are handled via transition windows and planned audit updates. For the 2022 edition, the IAF transition window ran three years from publication: certificates issued against ISO/IEC 27001:2013 ceased to be valid on 31 October 2025, so any organization still carrying a 2013 certificate has had to transition, and new certification audits are conducted only against the 2022 edition.
In practice, how much transition work you face depends on:
- Whether your ISMS was originally built against ISO 27001:2013 (and how recently it was re-audited)
- Your next surveillance audit date / recertification timing
- How much your Annex A evidence is “just-in-time” vs continuously maintained
If you’re building a program today, the simplest approach is to implement directly against ISO 27001:2022 and ISO 27002:2022 so you don’t build-and-rebuild your SoA later.
Clauses 4–10 (ISMS management requirements) aren’t the big change
ISO 27001 is a management system first. The required ISMS clauses (4 through 10) cover things like:
- Scope and context
- Leadership and planning
- Support and competence
- Operational planning and control
- Performance evaluation (including internal audit)
- Continual improvement
The 2022 edition did make small changes to the clauses themselves (notably a new clause 6.3 on planning of changes, plus added wording in 4.2 on which interested-party requirements the ISMS addresses and in 9.3 on management review inputs), but none of them require restructuring a working management system. For most organizations, the “heavy lift” of the 2022 update is less about rewriting your management system and more about updating Annex A mappings, refining control intent, and aligning evidence to the new control catalog.
What changed in Annex A controls?
Annex A is the normative control catalog that organizations typically use to treat information security risk. You still tailor controls to your risk posture, but the 2022 version changes the shape of the catalog in a meaningful way.
Control organization (114 → 93 controls; 14 categories → 4 themes)
In the prior structure, Annex A included 114 controls organized into 14 categories (A.5–A.18).
In ISO 27001:2022, Annex A includes 93 controls organized into four themes:
- A.5 Organizational controls
- A.6 People controls
- A.7 Physical controls
- A.8 Technological controls
There are net-new controls, some controls were merged, and many were reworded to better reflect modern technology and operating models (especially cloud and software delivery).
Control attributes (new metadata model)
ISO 27002:2022 introduces an attribute model: metadata attached to each control to help you group, filter, and report on controls.
ISO 27002:2022 defines five attribute families, each tagged with hashtag-style values:
- Control type: preventive / detective / corrective
- Information security properties: confidentiality / integrity / availability
- Cybersecurity concepts: identify / protect / detect / respond / recover
- Operational capabilities: e.g., governance, asset management, IAM, vulnerability management, continuity, supplier relationships, assurance
- Security domains: governance & ecosystem / protection / defense / resilience
Attributes are not requirements—they’re a structure you can use (or ignore) depending on how you run your ISMS. Many teams find them helpful for:
- Mapping controls to internal security domains
- Building dashboards by capability (IAM, vuln management, continuity, etc.)
- Avoiding duplication when aligning to other frameworks
Notable net-new controls (high-level highlights)
The 2022 catalog adds 11 genuinely new controls. Some others that get discussed alongside them (identity management and user endpoint devices, for example) are merged or substantially reworded rather than new, but they drive the same kind of implementation work. The controls that typically turn into concrete projects are:
- Threat intelligence: moving from “receive alerts” to “analyze and operationalize” threat/vulnerability information.
- Identity management: explicit emphasis on managing non-human identities and limiting shared accounts.
- Security for cloud services: defined governance for how cloud services are selected, configured, monitored, and reviewed.
- ICT readiness for business continuity: more explicit expectations for planning and testing technology continuity.
- Physical security monitoring: continuous monitoring of protected physical areas (as appropriate to your environment).
- User endpoint devices: protecting information on laptops and endpoints with practical controls.
- Configuration management: defining and managing secure configurations for hardware, software, and services.
- Information deletion: retention + disposal practices to ensure data is deleted when no longer needed.
- Data masking: limiting sensitive data exposure using techniques like pseudonymization/anonymization where appropriate.
- Data leakage prevention: controls to reduce unauthorized disclosure via automated tooling and process guardrails.
- Monitoring activities: monitoring networks, systems, and applications for anomalous behaviour and acting on what is found, not just collecting logs.
- Web filtering: reducing malware and command-and-control exposure via outbound traffic filtering.
- Secure coding: explicit expectations to apply secure coding principles to reduce vulnerabilities in software.
If you already operate a modern security program, many of these will feel familiar. The difference is: they’re now more directly visible in the control catalog you map, evidence, and audit against.
What should you do next?
Here’s a practical path depending on where you are in your ISO journey.
If you’re already ISO 27001 certified
- Update your Annex A mapping: map your current controls and evidence to the 93-control catalog.
- Refresh your Statement of Applicability (SoA): confirm inclusion/exclusion rationale still matches your risk assessment and scope.
- Validate evidence against intent: where controls were merged or reworded, make sure your evidence still tells a clear story.
- Run an internal audit focused on transition gaps: treat “transition readiness” like a mini-program with owners and due dates.
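The attribute model described earlier and the four transition steps just listed are both easier to operate from a structured control library than from a spreadsheet. The following Python is an added example, not code from the article or from SecureSlate: it groups a cut-down catalog by attribute (the “dashboard by capability” view) and then audits a Statement of Applicability for the transition gaps an internal audit should raise, including the evidence-narrative “gotcha” covered in the FAQ. Control identifiers and names follow the 2022 Annex A numbering; the attribute values and the SoA rows are constructed and simplified for illustration, not copied from the standard.

```python
"""Added example: group 2022 Annex A controls by attribute and audit an SoA.

The catalog is a constructed, cut-down sample. Identifiers and names follow
ISO/IEC 27001:2022 Annex A; attribute values are simplified and illustrative,
not reproduced from ISO/IEC 27002:2022. SoA rows are constructed as well.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Control:
    cid: str            # Annex A identifier in the 2022 catalog, e.g. "8.9"
    name: str
    control_type: tuple  # preventive / detective / corrective
    concepts: tuple      # identify / protect / detect / respond / recover
    capability: str      # operational capability (one value here, for brevity)


@dataclass
class SoaRow:
    cid: str
    applicable: bool
    justification: str = ""
    owner: str = ""
    # (evidence reference, catalog year the evidence narrative was written against)
    evidence: list = field(default_factory=list)


# Constructed sample catalog; attribute values are illustrative.
CATALOG = [
    Control("5.7", "Threat intelligence", ("preventive", "detective", "corrective"),
            ("identify", "detect", "respond"), "threat and vulnerability management"),
    Control("5.23", "Information security for use of cloud services", ("preventive",),
            ("protect",), "supplier relationships security"),
    Control("8.9", "Configuration management", ("preventive",), ("protect",),
            "secure configuration"),
    Control("8.12", "Data leakage prevention", ("preventive", "detective"),
            ("protect", "detect"), "information protection"),
    Control("8.16", "Monitoring activities", ("detective", "corrective"),
            ("detect", "respond"), "information security event management"),
    Control("8.28", "Secure coding", ("preventive",), ("protect",), "application security"),
]

# Constructed SoA seeded with the defects a transition typically leaves behind.
SOA = [
    SoaRow("5.7", True, owner="secops", evidence=[("TI-runbook-v3", 2022)]),
    SoaRow("5.23", True, owner="platform"),                       # applicable, no evidence
    SoaRow("8.9", True, owner="platform",
           evidence=[("CM-baseline-policy", 2013), ("CM-audit-report", 2013)]),  # stale narratives
    SoaRow("8.12", False),                                        # excluded, no justification
    SoaRow("8.28", True, evidence=[("SDLC-standard", 2022)]),     # applicable, no owner
    # 8.16 has no SoA row at all
]


def group_by_attribute(catalog, attribute):
    """Map each value of one attribute family to the sorted control ids carrying it.

    Multi-valued attributes (tuples) place a control in every group they name.
    """
    groups = defaultdict(list)
    for c in catalog:
        values = getattr(c, attribute)
        if isinstance(values, str):
            values = (values,)
        for v in values:
            groups[v].append(c.cid)
    return {k: sorted(v) for k, v in sorted(groups.items())}


def soa_gaps(catalog, soa, catalog_year=2022):
    """Return sorted (control id, issue) pairs an internal transition audit should raise."""
    rows = {r.cid: r for r in soa}
    gaps = []
    for c in catalog:
        row = rows.get(c.cid)
        if row is None:
            gaps.append((c.cid, "no SoA row: every Annex A control needs an include/exclude decision"))
            continue
        if not row.applicable:
            if not row.justification.strip():
                gaps.append((c.cid, "excluded without a documented justification"))
            continue
        if not row.owner:
            gaps.append((c.cid, "applicable but no control owner"))
        if not row.evidence:
            gaps.append((c.cid, "applicable but no evidence"))
        elif all(year < catalog_year for _, year in row.evidence):
            gaps.append((c.cid, "all evidence narratives predate the 2022 catalog; re-validate against the reworded intent"))
    known = {c.cid for c in catalog}
    for cid in rows:
        if cid not in known:  # typo, or a 2013 identifier left behind in the SoA
            gaps.append((cid, "SoA row does not match any 2022 Annex A control"))
    return sorted(gaps)


if __name__ == "__main__":
    for concept, ids in group_by_attribute(CATALOG, "concepts").items():
        print(f"{concept:>8}: {', '.join(ids)}")
    print()
    for cid, issue in soa_gaps(CATALOG, SOA):
        print(f"A.{cid}: {issue}")
```

Swap `"concepts"` for `"capability"` or `"control_type"` to get the other dashboard cuts. The evidence check deliberately flags a control only when every piece of evidence was written against the old catalog: one refreshed narrative is enough to show the control has been re-read against its 2022 intent, which is what an auditor is looking for on merged or reworded controls.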
If you’re preparing for ISO 27001 certification
- Implement directly against ISO 27001:2022 (don’t build against an older catalog unless you have a specific constraint).
- Use ISO 27002:2022 guidance to avoid shallow implementations: auditors look for operational reality, not just policy text.
- Keep your evidence centralized and exportable: the biggest time sink is usually evidence scavenger hunts, not writing policies.
Streamline ISO 27001:2022 readiness with SecureSlate
The best way to keep ISO from turning into a spreadsheet project is to reduce rework:
- One control library
- Clear ownership and due dates
- Centralized evidence (not scattered screenshots)
- Repeatable audit workflows and reporting
SecureSlate helps teams run ISO 27001:2022 readiness as an operational program by connecting controls, tasks, policies, and evidence in one place.
Get started: Create your SecureSlate account
FAQ: ISO 27001:2022 updates
Did ISO 27001 requirements change, or just the controls?
Both, but unevenly. The management-system clauses (4–10) saw only minor edits, most visibly the new clause 6.3 on planning of changes, and remain the backbone of the standard. The biggest visible change for most teams is the Annex A refresh (93 controls, four themes, attributes).
Are control attributes required?
No. Attributes are guidance-oriented metadata intended to help teams categorize and understand controls. You can use them as-is, adapt them, or ignore them.
Do we have to implement every Annex A control?
No. ISO 27001 is risk-based. You select controls based on risk assessment and scope, document your rationale in the Statement of Applicability, and demonstrate that controls operate effectively.
What’s the most common “gotcha” in transitioning?
Teams often update mappings but don’t update evidence narratives. If a control’s intent changed or multiple controls were merged, make sure your evidence still clearly supports the control outcome.
Disclaimer (legal note)
SecureSlate is not a law firm, and this article does not constitute or contain legal advice or create an attorney-client relationship. When determining your obligations and compliance, you should consult a licensed attorney.