Information Security guide: What changed in ISO/IEC 27001:2022 vs 2013
Information security teams should treat ISO/IEC 27001:2022 as the default in 2026. ISO published ISO/IEC 27001:2022 on 25 October 2022, and the main certification transition deadline was 31 October 2025.
If your organisation still runs a 2013 based approach, this guide explains what changed and what auditors typically expect to see.

The headline changes in ISO/IEC 27001:2022 vs 2013
1) Clause structure updated and planning for changes is clearer
ISO/IEC 27001:2022 aligns to the harmonised management system structure and includes planning for changes (often referenced as Clause 6.3). Auditors commonly test whether changes in technology, suppliers, or scope are planned and controlled.
2) Annex A was simplified and regrouped
Annex A moved from 114 controls to 93 controls, which were regrouped into four categories:
- Organisational
- People
- Physical
- Technological
This is not a reduction in security. It is a restructuring that removes duplication and modernises implementation guidance.
3) Annex A includes 11 new controls
ISO/IEC 27002:2022 introduced 11 new controls, which are carried into ISO/IEC 27001:2022 Annex A.
Commonly referenced new controls include:
- Threat intelligence
- Information security for use of cloud services
- Data leakage prevention
- Secure coding
- Configuration management
- Monitoring activities
Amendment 1:2024 climate action changes
ISO issued Amendment 1:2024 (often referred to as the climate action amendment), which applies to ISO/IEC 27001:2022.
In practice, auditors will look for evidence that you considered:
- Whether climate change is a relevant issue in your context (in the sense of Clause 4.1)
- Whether interested parties have climate-related requirements (in the sense of Clause 4.2)
What auditors typically expect as evidence
Focus on alignment between your documents and reality:
- Updated Statement of Applicability aligned to the 93 control structure
- Risk assessment and risk treatment updates where control selection changed
- Evidence for modern controls, for example, secure coding practices, cloud baselines, DLP rules, and monitoring outputs
- Internal audit and management review records showing the transition was planned, implemented, and evaluated

ISO 27001:2022 vs 2013 comparison checklist
A) Transition status
  - Confirm certification status and transition completion after 31 October 2025
  - Confirm your certification body transition audit outcome and scope
B) Clauses and management system
  - Update change control to include planned changes (planning for changes)
  - Confirm ISMS scope, context, and interested parties are current
  - Confirm competence and awareness includes security role expectations
C) Annex A mapping
  - Map 2013 controls to the 2022 structure (four categories)
  - Update Statement of Applicability for the 93 controls
  - Confirm evidence matches what the SoA claims
D) New controls
  - Threat intelligence considered and implemented where relevant
  - Cloud security control coverage confirmed
  - DLP coverage confirmed
  - Secure coding control coverage confirmed
E) Climate amendment
  - Record whether climate change is relevant in context analysis
  - Record interested party climate requirements where relevant
  - Confirm management review references the above decisions
ISO/IEC 27001:2022 is about clearer change control, a modernised Annex A, and evidence that matches real operations.