When ISO/IEC 27001:2022 replaced the 2013 version, many organizations treated it as a maintenance update. A new year on the cover, some renumbered controls, a transition deadline that felt distant. That reading missed what the revision actually did.
The 2022 Annex A is structurally different, and the changes reflect how information security has evolved over the nine years between versions. Understanding the changes matters because the transition is not a rewording exercise. It is a re-architecting of how controls are organized and how they map to modern risks.
## The common belief
The shortcut most transition projects take is to map old controls to new ones and update the Statement of Applicability. Check the box, file the paperwork, move on. On paper the organization is compliant with the 2022 version.
The problem is that the 2022 revision was not a relabeling. It was a response to observed gaps in the 2013 controls and a consolidation that changed the substance of what compliance looks like.
## What actually changed
Three changes carry most of the weight.
### 1. Fewer controls, organized differently
Annex A went from 114 controls to 93. The reduction is not simplification. It is consolidation: many 2013 controls were merged because they addressed the same underlying risk through different technical lenses, and the consolidation forces the organization to think about the risk rather than the control.
The 93 controls are now organized into four themes: organizational (37 controls), people (8 controls), physical (14 controls), and technological (34 controls). The old clause-numbered grouping is gone. The theme structure is closer to how CISOs actually think about security programs.
### 2. Eleven new controls
Eleven controls are genuinely new, not reworded. They address areas the 2013 version did not cover or covered indirectly: threat intelligence, information security for cloud services, ICT readiness for business continuity, physical security monitoring, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, web filtering, and secure coding.
Each of these reflects a category of risk that matured between 2013 and 2022. Cloud moved from an edge case to the dominant operational model. Threat intelligence moved from a nice-to-have to a baseline. Data leakage moved from a specialist concern to a cross-functional one.
### 3. Attributes as a second organizing layer
The 2022 version introduces five attributes that tag each control: control type (preventive, detective, corrective), information security properties (confidentiality, integrity, availability), cybersecurity concepts (identify, protect, detect, respond, recover, mirroring NIST CSF), operational capabilities, and security domains.
Attributes allow organizations to view their control set through different lenses without rewriting it: “which of our controls are detective?” “which address integrity?” “which correspond to NIST CSF’s ‘respond’ function?” This flexibility is new and consequential.
> The 2022 revision looks like a version bump. Structurally, it is a reorganization of how controls map to modern threats. Treating it as cosmetic is the mistake most transition projects make.
>
## Reframing the question
The question most transition projects ask is “How do we map old controls to new?” The useful question is “What gaps did our 2013 implementation have that the 2022 revision exposes?”
An organization that answers the second question honestly usually finds that some of the new controls describe capabilities the organization already has (often informally) and that a small number describe genuine gaps that need addressing before the transition audit.
## The structural shift
ISO management system standards have been moving toward modularity for a decade. The Harmonized Structure (formerly Annex SL) standardized the clauses across management system families. The 2022 revision of 27001 took the next step: it kept the clauses stable and restructured only the control annex, signaling that Annex A is where the standard absorbs change from the outside world.
That matters because it suggests the next revision will likely touch the controls again, not the clauses. Organizations that build Annex A as a flexible, attribute-tagged control library now will transition more easily next time. Organizations that harden their ISMS around the specific 2022 control list will face the same retrofit work again in a decade.
## What this means for your organization
Use the transition as a real review. If you are still on 2013, this is the cheapest opportunity you will get to reassess your SoA, retire irrelevant controls, and address the new ones with current evidence rather than retrofitting.
Invest in the attributes. Tagging controls with the five attribute categories takes effort once and pays every time you need to answer a question from a buyer, regulator, or auditor about your control set. It is also the foundation for integrating 27001 with NIST CSF, SOC 2, or other frameworks.
Treat the new controls as genuinely new. Controls like threat intelligence, data leakage prevention, and monitoring activities usually require new processes, not just new documents. Plan for implementation time, not just documentation time.
> A version bump that consolidates 114 controls into 93, adds 11 new ones, and introduces a five-dimensional tagging system is not a version bump. It is a new operating model for the ISMS.
>
—
Ready to move from documentation to certification?
📩 [[email protected]](mailto:[email protected]) · 🌐 [zertia.ai](http://zertia.ai)
–
