
Compliance & Governance

What changed in ISO 27001:2022 for European implementers

The 2022 revision tightens governance, adds 11 new controls and reorganises Annex A into four themes. A condensed migration guide for organisations holding a 2013 certificate.

WPROIT Administrator
8 min read

If your organisation holds an ISO 27001:2013 certificate, you must transition to the 2022 edition before 31 October 2025, the date by which all 2013 certificates must expire or be withdrawn. That date is set by the accreditation bodies, not by your certification body, so it will not be extended, and your customers' procurement teams will start asking about it well before then.

The headline changes

Annex A has been reorganised from 14 control domains into four themes (Organisational, People, Physical, Technological). The control count fell from 114 to 93: 24 controls were merged, 58 were updated and 11 are entirely new; none were dropped outright. The main body of the standard (clauses 4 to 10) also changed, if less visibly: clause 4.2 now requires you to state which interested-party requirements the ISMS addresses, clause 6.3 adds planning of changes to the ISMS, and clause 8.1 adds control of externally provided processes, products and services.

The 11 new controls — what they actually require

  • Threat intelligence (5.7) — actionable, not just consumed
  • Information security for use of cloud services (5.23)
  • ICT readiness for business continuity (5.30)
  • Physical security monitoring (7.4)
  • Configuration management (8.9)
  • Information deletion (8.10)
  • Data masking (8.11)
  • Data leakage prevention (8.12)
  • Monitoring activities (8.16)
  • Web filtering (8.23)
  • Secure coding (8.28)

What auditors will look for

Three areas will receive disproportionate attention during transition audits: cloud security (5.23), threat intelligence (5.7) and information deletion (8.10). The last is a frequent compliance gap that organisations underestimate, because it requires demonstrable deletion of information that is no longer required, including copies held by suppliers and in backups, not just a retention policy.

A six-step migration plan

  1. Map your current 2013 controls onto the 2022 structure (gap analysis)
  2. Identify which of the 11 new controls genuinely apply to your scope
  3. Update your Statement of Applicability so that it references the 2022 Annex A numbering and justifies every inclusion and exclusion. This is mandatory: an SoA still structured around the 2013 control set will not pass a transition audit.
  4. Document the new threat-intelligence and cloud-security processes
  5. Run a focused internal audit on the new and changed areas
  6. Schedule your transition audit at least three months before your deadline

WPROIT's compliance practice has supported organisations across Germany, the Netherlands and Poland through this migration. The most common pattern: organisations with mature 2013 programmes can transition in 8-12 weeks; those whose 2013 implementations were paper exercises take significantly longer.


Written by

WPROIT Administrator

Senior consultants at WPROIT advising European enterprises on cybersecurity, compliance and resilience.
