What actually changed
The 2022 revision cut Annex A from 114 controls to 93, grouped them into four themes (Organisational, People, Physical, Technological) and introduced 11 new controls covering threat intelligence, cloud services, ICT readiness, data masking, secure development and configuration management.
The 11 new controls
- Threat intelligence (5.7)
- Information security for use of cloud services (5.23)
- ICT readiness for business continuity (5.30)
- Physical security monitoring (7.4)
- Configuration management (8.9)
- Information deletion (8.10)
- Data masking (8.11)
- Data leakage prevention (8.12)
- Monitoring activities (8.16)
- Web filtering (8.23)
- Secure coding (8.28)
Statement of Applicability updates
You need a mapped SoA against the 2022 controls with clear justification for inclusion or exclusion. Many organisations are producing a bridging document that shows how their 2013-era controls map to the new structure — auditors are asking for exactly this on transition assessments.
Practical priorities
Threat intelligence, cloud services controls and monitoring activities are where most transition findings are being raised. If you evidence those well, the rest of the transition tends to run smoothly.
Have a question on Cyber, Data & Assurance?
Post it publicly in the Ask Gareth community. Vetted contributors and peers answer — moderated for quality.

