Cybernion
← Insights

ISO 27001

ISO 27001:2022 New Controls Explained

3 July 2026 · Updated 3 July 2026

Short answer: ISO 27001:2022 added 11 new Annex A controls covering threat intelligence, cloud, ICT continuity, physical monitoring, configuration, information deletion, data masking, data leakage prevention, monitoring, web filtering and secure coding. They are not extra hurdles so much as areas the 2013 version underweighted. You evidence each with a stated approach and records that show it runs.

The 2022 revision of ISO 27001 rebuilt Annex A. It cut the control count from 114 to 93, regrouped everything into four themes, and added 11 controls that did not exist before. Those 11 are where most transition work landed, because they name practices the older standard left implicit. This walks through each one and what an auditor expects to see.

What changed in ISO 27001 Annex A in the 2022 revision?

Annex A was reorganised, not just trimmed. The 2013 version listed 114 controls across fourteen domains. The 2022 version holds 93 controls across four themes: organisational, people, physical and technological. The drop from 114 to 93 came from merging overlapping controls, not from deleting protection, and 11 new controls were added on top.

The four themes matter for how the Statement of Applicability (SoA) reads and how an auditor navigates it, but the controls themselves carry the substance. For the full grouping and how the themes split, see the Annex A controls explained and the wider ISO 27001 guide. The 2013 to 2022 transition closed on 31 October 2025, so every current certificate is against the 2022 edition and every new certification uses these controls.

What are the 11 new ISO 27001:2022 controls?

The 11 fall across three themes. They reflect risks that grew sharper between 2013 and 2022, cloud, threat intelligence, data leakage and secure development among them.

ControlThemeWhat it addresses
A.5.7 Threat intelligenceOrganisationalCollecting and analysing information on threats to inform decisions
A.5.23 Information security for use of cloud servicesOrganisationalAcquiring, using and exiting cloud services securely
A.5.30 ICT readiness for business continuityOrganisationalICT continuity planning and testing tied to business needs
A.7.4 Physical security monitoringPhysicalDetecting unauthorised physical access
A.8.9 Configuration managementTechnologicalDefining and enforcing secure configurations
A.8.10 Information deletionTechnologicalDeleting data no longer required
A.8.11 Data maskingTechnologicalMasking data to limit exposure
A.8.12 Data leakage preventionTechnologicalDetecting and preventing unauthorised data disclosure
A.8.16 Monitoring activitiesTechnologicalMonitoring systems for anomalous behaviour
A.8.23 Web filteringTechnologicalManaging access to external websites
A.8.28 Secure codingTechnologicalApplying secure coding principles in development

How do you evidence the new ISO 27001 organisational controls?

The three organisational controls are the ones teams most often do informally and then struggle to show. Threat intelligence, A.5.7, wants evidence you gather and act on threat information: a feed or source, a cadence for reviewing it, and a record that the output reached a decision, a patch, a rule change, a risk update. A subscription with no review log will not satisfy an auditor.

Information security for use of cloud services, A.5.23, wants a defined approach to selecting, using and exiting cloud providers, shared responsibility understood, and evidence you apply it. ICT readiness for business continuity, A.5.30, wants continuity plans that cover ICT specifically and a record of testing them, not a policy that has never been exercised. Across all three the pattern holds: a stated approach plus records that prove it runs. Where these controls belong relative to the rest is set by your risk treatment in the risk assessment.

How do you evidence the new ISO 27001 technological controls?

The technological controls are more tooling led, so the evidence is usually configuration and log output. Configuration management, A.8.9, wants baselines defined and enforced, with drift detected. Information deletion, A.8.10, and data masking, A.8.11, want procedures for removing data you no longer need and for masking data in non production environments, with records that show them applied.

Data leakage prevention, A.8.12, is the one auditors probe hardest: technical measures that identify and prevent unauthorised extraction, plus alert records. Monitoring activities, A.8.16, wants systems watched for anomalies with an escalation path. Web filtering, A.8.23, wants external access managed, and secure coding, A.8.28, wants secure development practices with evidence in the pipeline, code review, dependency scanning, standards applied. For a SaaS platform several of these overlap with work already in the build chain; see ISO 27001 for SaaS.

Do all 11 new ISO 27001 controls apply to me?

No, and assuming they do is a common transition mistake. Annex A is a reference set, not a mandatory checklist. Each of the 93 controls, new ones included, is marked applicable or not in your Statement of Applicability, with a reason, and the reason has to trace back to your risk treatment.

A small organisation with no on premises facility may reasonably scope physical security monitoring differently; a team that runs no software development may exclude secure coding with justification. What an auditor will not accept is excluding a control that plainly applies, data leakage prevention on a platform that holds customer data, for instance, with a bare “not applicable”. The new controls are treated exactly like the rest: included where your risk demands it, excluded where it does not, always with the reasoning written down. If you are planning the transition or a first certification, Cybernion runs ISO 27001 readiness and gap analysis against the 2022 control set. The ISO 27001 readiness checklist covers the full document and evidence set, and the ISO 27001 annex A controls explains how to read the full 93 control list.

Frequently asked questions

How many new controls did ISO 27001:2022 add?

The 2022 revision added 11 new Annex A controls and reorganised the rest, so Annex A now holds 93 controls in four themes rather than 114 in fourteen domains. Nothing was removed outright; the reduction came from merging controls, not dropping them.

What are the 11 new ISO 27001:2022 controls?

Threat intelligence, information security for use of cloud services, ICT readiness for business continuity, physical security monitoring, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, web filtering and secure coding.

Do the new ISO 27001 controls apply to every organisation?

No. Annex A is a reference set. Each control is included or excluded in your Statement of Applicability with a reason, based on your risk treatment. Some new controls will not apply to your scope, and that is allowed when you record why.

How do you evidence the new ISO 27001 controls for an auditor?

With the same discipline as any control, a policy or procedure that says what you do, plus records that show you do it. For threat intelligence that is a feed and a review log; for data leakage prevention it is tooling configuration and alert records.

Are the new ISO 27001 controls harder than the 2013 ones?

Not inherently, but several reflect practices many organisations had not formalised, such as threat intelligence and configuration management. The effort is usually in writing down and evidencing work that already happens informally.


Written by Gaurav Vikash, an ASD endorsed IRAP assessor and senior cyber security leader with 18 years of experience across Australia, the UK and Asia, including CISO and senior security leadership roles. He holds CISSP, CISA, CISM and CRISC and is an ISO 27001 and ISO 42001 Lead Implementer, and speaks regularly at industry conferences.

Talk to us.

Sources:

  1. ISO/IEC 27001:2022, Information security management systems, iso.org, 2022
  2. ISO/IEC 27002:2022, Information security controls, iso.org, 2022

Last updated: 3 July, 2026

Talk to us about your engagement

A scoped proposal within one business day.