
The 2022 version of ISO/IEC 27001, the standard that defines the requirements for an information security management system (ISMS), was published on 25 October 2022.


Certification bodies will have 12 months from the last day of the publication month of ISO/IEC 27001:2022 (i.e., 31 October 2023) to transition to ISO/IEC 27001:2022.
Organizations will have 36 months from the last day of the publication month (i.e., 31 October 2025) to transition to the new version of the standard.
Several clauses were reworded or reordered in ISO/IEC 27001:2022.
There are minimal new requirements in clauses 4-10.
However, the change in clause 4.4 will significantly impact how an organization manages its ISMS.
New requirements include:
Clause 3 – added links to the ISO and IEC databases
Clause 4.2(c) – added a new bullet
Clause 4.4 – added a requirement to establish, implement, maintain, and continually improve processes and their interactions
Clause 5.1 – added a Note to clarify the term “business”
Clause 6.3 – added a new section for “Planning of Changes”
ISO/IEC 27001:2022 now has 93 controls, compared to 114 controls in ISO/IEC 27001:2013.
There are 11 new controls in the 2022 version of the standard. 56 controls in ISO/IEC 27001:2013 have been merged into 24 controls in ISO/IEC 27001:2022.
Many of the controls in the 2022 version have undergone some form of text change.
The 93 controls are divided into 4 themes:

Theme            New controls      Merged controls
Organizational   3 new             28 merged
People           no new controls   2 merged
Physical         1 new             5 merged
Technical        7 new             21 merged
Below is a matrix that outlines the differences between ISO/IEC 27001:2013 and ISO/IEC 27001:2022.
CONTROLS
