Back to blog
Cyber, Data & Assurance

ISO/IEC 27001:2022 — making sense of the control changes

Annex A was restructured around ISO/IEC 27002:2022. We break down the new organisational, people, physical and technological controls and what they mean for your Statement of Applicability.

Ask Gareth Editorial Published 9 April 2026 Updated 9 July 2026 6 min read
ISO/IEC 27001 InfoSec Controls
ISO/IEC 27001:2022 — making sense of the control changes

What actually changed

The 2022 revision cut Annex A from 114 controls to 93, grouped them into four themes (Organisational, People, Physical, Technological) and introduced 11 new controls covering threat intelligence, cloud services, ICT readiness, data masking, secure development and configuration management.

The 11 new controls

  • Threat intelligence (5.7)
  • Information security for use of cloud services (5.23)
  • ICT readiness for business continuity (5.30)
  • Physical security monitoring (7.4)
  • Configuration management (8.9)
  • Information deletion (8.10)
  • Data masking (8.11)
  • Data leakage prevention (8.12)
  • Monitoring activities (8.16)
  • Web filtering (8.23)
  • Secure coding (8.28)

Statement of Applicability updates

You need a mapped SoA against the 2022 controls with clear justification for inclusion or exclusion. Many organisations are producing a bridging document that shows how their 2013-era controls map to the new structure — auditors are asking for exactly this on transition assessments.

Practical priorities

Threat intelligence, cloud services controls and monitoring activities are where most transition findings are being raised. If you evidence those well, the rest of the transition tends to run smoothly.

Take it to the community

Have a question on Cyber, Data & Assurance?

Post it publicly in the Ask Gareth community. Vetted contributors and peers answer — moderated for quality.

General information only. Ask Gareth is a knowledge and community platform. Content is not client-specific legal, regulatory, accreditation, certification or professional advice. Ask Gareth is not a certification body, accreditation body or regulator. See our full disclaimer.
Talk to us

Not sure where to start?

Ask a question

Ask Gareth

Post a public question inspired by this article. Category is captured for routing.