ISO 27001:2022

Are you ready for the transition to ISO 27001:2022

The transition period for organisations that are already certified to ISO 27001:2013 have three years to transition from the official release date in October 2022. AvISO is on hand to help make this transition as smooth and painless as possible to help you get the most from your Information Security Management System (ISMS).

ISO 14001 More Info
More information...
Scroll down

What is ISO 27002:2022 and why is it Important?

ISO 27002 is a supporting document to provide further detail, clarification, and guidance on Annex A in ISO 27001:2022. It should be noted that ISO 27002 is not a certification or a quality mark - it is simply a guideline for how your organisation can implement Information Security best practices. 

Many clients have asked us how they can prepare and transition to the latest version of ISO 27001.  We know that many companies will be taking a phased approach to implementation, so we have produced a series of articles explaining how specific controls work and guidance on how they should be implemented.

What are the changes appearing on the new ISO 27001:2022

The new ISO 27001:2022 now only has 93 controls instead of 114; they have been grouped into four categories: People (8 controls), Organisational (37 controls), Technological (34 controls), and Physical (14 controls). Many of the previous 114 controls have been merged with 11 new controls added.

What does this mean for your organisation? 

In general, you can expect a more streamlined approach to implementing your information security policies and procedures.

What are the new controls in ISO 27001:2022 Annex A? 

  • Information security for the use of cloud services
  • Data masking
  • Information and Communication Technology readiness for business continuity
  • Physical security monitoring
  • Data leakage prevention
  • Configuration management
  • Information deletion
  • Threat intelligence
  • Monitoring activities
  • Secure coding
  • Web filtering

Each control is associated with attributes to help filter, sort, and present the controls in different views for different audiences. These attributes are provided in a table right before the statement of each control. Attributes are:

Control type

  • Preventive 
  • Detective 
  • Corrective 

Information security properties

  • Confidentiality 
  • Integrity 
  • Availability 

Cybersecurity concepts

  • Identify
  • Protect 
  • Detect 
  • Respond 
  • Recover 

Operational Capabilities

  • Governance 
  • Physical security and so forth… (complete list available on AvISO IMS toolbox – a link to be provided that explains about AvISO IMS toolbox)

Security domains

  • Governance and ecosystem
  • Protection
  • Defence
  • Resilience

Our consultants thoughts on the update

The changes that have been made as part of the new ISO27001:2022 version of the information security standard are somewhat moderate.  Whilst the initial format, structure, and feel for the Annex A controls look to be substantially different, on deeper analysis, it becomes evident that the changes introduced have not been very significant.  Inmost cases controls have stayed as they were previously (35 controls); have been renamed (23 controls) and a large section have been merged (57 controls).  Whilst the number of controls and how they are structured has changed, the fundamental requirements of the standard itself and the control areas focused on remain largely consistent with the old version we are familiar with.  Overall, the changes bring about a new, improved, better structured, and streamlined version of Annex A and some small changes to Clauses 4-10.


ask a question

If you would like to know more about ISO Standards, Certification and the value of a good management system you can add to your business we would love to hear from you: Kent: 01892 800476 | London: 02037 458 476 |

By filling out this form, you agree to the terms laid out in our privacy policy
Thank you!
Your submission has been received, one of our team members will be in touch soon.
Oops! Something went wrong while submitting the form.

choose 27002:2022 controls

ISO 27002:2022 is a guideline for information security controls, supporting ISO 27001:2022 Annex A by providing further detail and clarification. There are now four domains (Organisational, People, Physical and Technological) instead of the previous 14. At AvISO, we have put together a page on all 93 controls with an explained purpose and implementation guidance.

As part of ISO 27001:2022, Annex A lays out a set of security controls that organisations can use to demonstrate compliance internationally and best practices. In ISO 27001:2022, a Statement of Applicability (SoA) is a document that lists the Annex A controls an organisation will implement to meet the requirements of the standard.This will include a list of the controls that are necessary for your organisation, a statement outlining why the chosen controls have been included and excluded and the confirmation of implementation.

Ask a Question
By clicking “Continue To Site”, you agree to the storing of cookies on your device to enhance site navigation, analyse site usage, and assist in our marketing efforts. View our Privacy Policy for more information.