What Changed in the 2022 Update to ISO 27001's Controls?
## The short answer
The 2022 revision of ISO 27001 kept the core management-system requirements broadly stable but significantly **reorganised and modernised the reference controls** in Annex A. The controls were regrouped into **four themes** — organisational, people, physical, and technological — consolidated into a shorter list through merging, and refreshed with **new controls** addressing risks that had grown in importance, such as cloud services, threat intelligence, and data-handling practices. If your organisation certified under the older version, you will need to transition your ISMS and Statement of Applicability to the updated structure.
## What stayed the same
The fundamentals of ISO 27001 did not change. You still need a risk-driven Information Security Management System with leadership commitment, defined scope, risk assessment and treatment, objectives, internal audits, management reviews, and continual improvement. If you built a genuine ISMS, its backbone remains intact. The change is concentrated in how the controls are *organised and described*.
## The move to four control themes
Previously the reference controls were spread across many separate domains. The 2022 update reorganised them into four clear themes:
- **Organisational controls** — policies, roles, supplier relationships, and the governance scaffolding of security.
- **People controls** — screening, awareness, responsibilities, and conduct of individuals.
- **Physical controls** — facilities, equipment, secure areas, and physical access.
- **Technological controls** — the technical measures such as access control, cryptography, logging, and secure development.
This thematic grouping is more intuitive and maps more naturally onto how organisations actually assign ownership: governance teams, HR, facilities, and engineering each see their slice clearly.
## Consolidation of the control set
The updated Annex A contains **fewer controls overall**, not because security expectations shrank, but because overlapping controls were merged into single, clearer ones. Several older controls that addressed similar concerns were combined. The practical effect is a tidier list that is easier to reason about and map evidence against — though you must remap your existing controls to the new numbering.
## New and enhanced controls
The revision introduced controls reflecting how technology had moved on. The themes of these additions include:
- **Cloud services** — explicitly addressing the security of services you consume from cloud providers.
- **Threat intelligence** — gathering and using information about threats to inform your defences.
- **Information deletion and data masking** — handling data through its lifecycle, including secure deletion and reducing exposure of sensitive data.
- **Data leakage prevention** — measures to detect and prevent unauthorised data exfiltration.
- **Monitoring activities** — strengthened expectations around monitoring for anomalous behaviour.
- **Secure development and configuration** — reflecting modern software delivery practices.
These additions are unsurprising: they codify practices that mature security teams were already adopting, and bring the standard into line with how organisations operate today.
## Attributes: a new way to view controls
The updated guidance also introduced **attributes** — tags you can use to view and filter controls from different angles, such as by control type (preventive, detective, corrective), by security property (confidentiality, integrity, availability), or by operational capability. Attributes are not mandatory, but they are a useful lens for organising your programme and reporting to different stakeholders.
## What this means if you are already certified
Organisations certified under the previous version are expected to transition to the updated structure within the transition window set by the certification ecosystem. Practically, that means:
1. **Remap your Statement of Applicability** to the new themes and control numbering.
2. **Assess the new controls** — decide whether each is applicable, justify your decision, and implement where needed.
3. **Update your risk treatment** to reference the revised controls.
4. **Refresh documentation and training** so your team uses the current structure.
5. **Plan the transition audit** with your certification body.
Most of your existing controls will carry over — the work is re-expressing them in the new framework and genuinely addressing the handful of new controls.
## Common transition mistakes
- **Treating it as a pure paperwork exercise** and skipping the new controls that require real implementation, like cloud security or data-leakage prevention.
- **Letting the SoA fall out of step** with the new numbering, so evidence no longer maps cleanly.
- **Leaving the transition to the last minute** and colliding with the audit deadline.
## Where tooling helps
Remapping controls and tracking which new ones you have implemented is exactly the kind of bookkeeping that becomes error-prone in spreadsheets. Enterprise-grade compliance platforms — the kind neart.ai builds — maintain the mapping between the current control set, your risk treatments, and live evidence, so a framework update becomes a structured remap rather than a rebuild.
## Takeaway
The 2022 update did not reinvent ISO 27001 — it modernised and tidied the controls into four themes, merged overlaps, and added controls for cloud, threat intelligence, and data handling. If you are already certified, plan an early, deliberate transition: remap your SoA, genuinely implement the new controls, and do not leave it until the audit clock runs down.