What’s New with ISO 27001:2022

The world’s most recognized information security standard was overhauled in October 2022, and the transition window for organizations holding the older 2013 certification has now closed. If your organization was certified under ISO 27001:2013, that certificate has expired. If you are pursuing certification for the first time, ISO 27001:2022 is the only version available to you. This guide breaks down exactly what changed between the two versions and what you need to do now, whether you missed the transition deadline or are starting fresh.

The Critical Deadline Has Passed

First, the most important fact for 2026. ISO/IEC 27001:2022 replaced ISO/IEC 27001:2013 when it was published on October 25, 2022. Organizations holding a 2013 certificate were given a three-year transition window, and that period ended on October 31, 2025, at which point all ISO 27001:2013 certificates were revoked regardless of the expiration date printed on the certificate itself.

What this means in practice depends on where you stand. No new audits against the 2013 version have been conducted since April 30, 2024, so any certification or recertification activity now happens exclusively against the 2022 standard. If a client or partner contacts your certification body to verify a 2013 certificate after October 30, 2025, they will be told it is no longer valid.

Why ISO 27001 Was Updated

ISO 27001 has been the global benchmark for managing the security of information assets for over a decade, with tens of thousands of certified organizations worldwide. Holding the certification signals that an organization has invested in the people, processes, and technology needed to protect its data, validated by an independent expert assessment.

The 2022 revision exists because the threat landscape changed: the threats organizations face, along with their severity and frequency, have shifted since 2013, and the new edition realigns the standard with the updated ISO/IEC 27002 reference set of controls. The good news for organizations familiar with the older version is that the structural logic of the standard is intact. The changes are meaningful but manageable.

What Changed in the Clauses (4–10)

The number of management clauses did not change, but the language was updated to align ISO 27001 more closely with other ISO management system standards built on the same harmonized structure. The notable updates:

Clause 4.2 (Needs and Expectations of Interested Parties): A sub-clause was added requiring you to analyze which interested-party requirements will be addressed specifically through the ISMS, rather than simply identifying those requirements.

Clause 4.4 (Information Security Management System): New language requires organizations to identify the necessary processes and their interactions within the ISMS.

Clause 5.3 (Roles, Responsibilities, and Authorities): Clarified that roles relevant to information security must be communicated within the organization.

Clause 6.2 (Objectives and Planning): Added guidance clarifying that information security objectives should be monitored regularly and formally documented.

Clause 6.3 (Planning of Changes): This is a genuinely new clause. It establishes that any changes needed to the ISMS must be adequately planned. This formalizes change management as a first-class requirement.

Clause 7.4 (Communication): Sub-clauses d and e were simplified and merged into a single renamed sub-clause d, “how to communicate.”

Clause 8.1 (Operational Planning and Control): Expanded so the ISMS must establish criteria for the actions identified in Clause 6 and control those actions in accordance with the criteria.

Clause 9.2 (Internal Audit): Restructured, though not materially. It consolidated the previously separate 9.2.1 and 9.2.2 into a single section.

Clause 9.3 (Management Review): Now explicitly requires that management reviews consider any changes to the needs and expectations of interested parties.

Clause 10 (Improvement): Reordered so that Continual Improvement (10.1) is listed first and Nonconformity and Corrective Action (10.2) second.

The single most operationally significant addition here is Clause 6.3. Organizations transitioning or certifying fresh should make sure their change-management process is documented and demonstrable, because it is now an explicit requirement an auditor will look for.

What Changed in the Annex A Controls

This is where the biggest structural overhaul happened, and it is the part most people mean when they ask “what changed in ISO 27001:2022.”

The total number of controls dropped from 114 to 93. This reduction came primarily from merging overlapping controls together, not from removing protections. Eleven entirely new controls were added, one control was split into two while keeping the same requirements, and the rest were either unchanged or simply renamed. For most existing controls, the underlying requirements stayed largely the same.

The organizing structure was simplified dramatically. The 14 control sections of the old version were consolidated into 4 themes in ISO 27002:2022:

Section 5 (Organizational), Section 6 (People), Section 7 (Physical), and Section 8 (Technology).

The 11 New Controls

These additions reflect modern security concerns, particularly cloud, threat intelligence, and data protection, that barely existed or were immature in 2013:

Control   Name                                             Theme
5.7       Threat intelligence                              Organizational
5.23      Information security for use of cloud services   Organizational
5.30      ICT readiness for business continuity            Organizational
7.4       Physical security monitoring                     Physical
8.1       Data masking                                     Technology
8.9       Configuration management                         Technology
8.10      Information deletion                             Technology
8.12      Data leakage prevention                          Technology
8.16      Monitoring activities                            Technology
8.23      Web filtering                                    Technology
8.28      Secure coding                                    Technology

If your organization is implementing or re-implementing the standard, these eleven controls are where you will likely find the most new work, especially around cloud services, data leakage prevention, secure coding, and threat intelligence. They are also a useful lens on where information security risk has concentrated over the past decade.

What You Must Do Now

Your action plan depends on your situation.

If your 2013 certificate expired: You cannot perform a transition audit anymore, because that window closed with the deadline. You will need a full ISO 27001:2022 certification audit (Stage 1 and Stage 2). Your prior work is not wasted. All elements of the 2013 version are covered in the 2022 version, so the work you completed earlier still counts toward your 2022 implementation. The practical first step is to engage a certification body, scope the gap, and schedule the audit.

If you are certifying for the first time: Implement against the 2022 standard directly. Build your ISMS around clauses 4 through 10, pay particular attention to the new Clause 6.3 change-planning requirement, and select your Annex A controls through a Statement of Applicability, giving close attention to the eleven new controls. Typical implementation timelines run 6 to 12 months depending on organizational size and complexity.

If you maintained a current ISMS but need to confirm alignment: Run an internal audit against the 2022 clauses and the 4-theme control structure, update your Statement of Applicability and risk treatment to reflect the new controls, and make sure your documentation demonstrates the new change-planning and communication requirements.

Across all three scenarios, the core tasks are the same: map your existing controls to the new 4-theme structure, close the gaps the eleven new controls create, document your change-management process, and keep leadership engaged through the management review cycle.

How Elevate Can Help

Whether your certification lapsed at the October 2025 deadline or you are building an ISMS from the ground up, the path to ISO 27001:2022 is well-defined but demanding. Elevate Consult guides organizations through readiness assessments, gap analysis against the 2022 clauses and controls, remediation, and audit preparation, so you reach certification with a program that holds up to scrutiny rather than a checklist that does not. Schedule an ISO 27001:2022 readiness consultation to map your gaps and build a realistic path back to certification.