ISO 27001:2022 vs 2013: What Changed?

Complete Comparison Guide for Organizations Transitioning to the New Standard

📋 Overview of Changes

ISO/IEC 27001:2022 was published in October 2022, replacing the 2013 version. Organizations certified to ISO 27001:2013 have until October 2025 to transition to the new standard. Understanding the changes is critical for planning your transition strategy.

Key Changes Summary

  • 93 controls (down from 114): Consolidated for clarity and reduced duplication
  • 4 themes (vs 14 domains): Organizational, People, Physical, Technological
  • 10 new controls: Covering threat intelligence, cloud security, ICT readiness
  • 24 controls merged: Combined overlapping requirements
  • 58 controls updated: Clarified language and requirements

🏗️ New Control Structure

From 14 Domains to 4 Themes

ISO 27001:2013 organized controls into 14 domains. The 2022 version simplifies this to 4 themes:

2022 Structure (4 Themes)

  • Organizational Controls (37): Policies, roles, asset management, HR security, supplier management
  • People Controls (8): Screening, terms of employment, awareness and training
  • Physical Controls (14): Secure areas, equipment security, utilities, disposal
  • Technological Controls (34): Authentication, cryptography, network security, logging

Attribute-Based Categorization

The 2022 version adds attributes to each control:

  • Control Type: Preventive, Detective, or Corrective
  • Information Security Properties: Confidentiality, Integrity, Availability
  • Cybersecurity Concepts: Identify, Protect, Detect, Respond, Recover
  • Operational Capabilities: Governance, Asset Management, Protection, etc.
  • Security Domains: Governance & Ecosystem, Protection, Defense, Resilience

✨ 10 New Controls in 2022

5.7 Threat Intelligence

Organizations must now collect and analyze threat intelligence relevant to their information security. This formalizes what mature organizations already do informally.

Implementation: Subscribe to threat feeds, monitor security advisories, track vulnerabilities affecting your technology stack.

5.23 Information Security for Cloud Services

Explicit requirements for using, acquiring, and managing cloud services securely. Addresses cloud-specific risks.

Implementation: Cloud provider security assessments, shared responsibility model documentation, cloud configuration reviews.

5.30 ICT Readiness for Business Continuity

Ensures ICT systems are ready to support business continuity requirements. Strengthens resilience focus.

Implementation: Test disaster recovery procedures, verify backup restoration, ensure redundancy.

8.9 Configuration Management

Requires documented configuration management for security-relevant systems. Prevents configuration drift.

Implementation: Infrastructure as Code, configuration baselines, change tracking.

8.10 Information Deletion

Ensures information is deleted securely when no longer required. Supports data minimization.

Implementation: Data retention policies, secure deletion procedures, verification processes.

8.11 Data Masking

Requires masking of sensitive data where appropriate. Supports privacy and testing needs.

Implementation: Anonymization for test data, redaction in logs, tokenization where appropriate.

8.12 Data Leakage Prevention

Addresses the prevention of data exfiltration and unauthorized disclosure of information.

Implementation: DLP tools, egress filtering, USB restrictions, email controls.

8.16 Monitoring Activities

Formalizes requirements for monitoring user and system activities.

Implementation: SIEM, log aggregation, user behavior analytics.

8.23 Web Filtering

Requires web filtering to prevent access to malicious content.

Implementation: DNS filtering, proxy servers, URL categorization.

8.28 Secure Coding

Explicit requirements for secure coding principles in software development.

Implementation: OWASP guidelines, code reviews, SAST/DAST, security training.

🔄 Transition Guide for Certified Organizations

Transition Timeline

Deadline: October 2025

  • October 2022: ISO 27001:2022 published
  • October 2023: 1-year grace period ends (new audits use 2022 version)
  • October 2025: 3-year transition period ends (all certificates must be 2022-compliant)

Transition Steps

  1. Gap Analysis: Compare current controls against 2022 Annex A
  2. Update Statement of Applicability: Map 2013 controls to 2022 equivalents
  3. Implement New Controls: Address the 10 new requirements
  4. Update Documentation: Revise policies to reference 2022 standard
  5. Internal Audit: Verify compliance with new requirements
  6. Transition Audit: Certification body assesses 2022 compliance
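Steps 1 to 3 above (gap analysis, Statement of Applicability update, new-control implementation) can be driven from a simple check of the SoA against the ten new controls listed on this page. The script below is an added example, not code from the page or from Hack23; the SoA entries it checks are constructed, and it treats a control as covered only when it is implemented or excluded with a written justification.

```python
from typing import Dict, List, Tuple

# The ten new Annex A controls this page describes. The theme is taken from the
# clause prefix used in ISO/IEC 27002:2022 (5 Organizational, 6 People,
# 7 Physical, 8 Technological).
NEW_CONTROLS_2022 = {
    "5.7": "Threat intelligence",
    "5.23": "Information security for cloud services",
    "5.30": "ICT readiness for business continuity",
    "8.9": "Configuration management",
    "8.10": "Information deletion",
    "8.11": "Data masking",
    "8.12": "Data leakage prevention",
    "8.16": "Monitoring activities",
    "8.23": "Web filtering",
    "8.28": "Secure coding",
}
THEMES = {"5": "Organizational", "6": "People", "7": "Physical", "8": "Technological"}

# Constructed example of a partially transitioned SoA: control id -> (status, note).
SAMPLE_SOA: Dict[str, Tuple[str, str]] = {
    "5.7": ("planned", "threat feed subscription in procurement"),
    "5.23": ("implemented", "cloud provider assessments completed"),
    "8.9": ("implemented", "IaC baselines with change tracking"),
    "8.16": ("implemented", "SIEM and log aggregation in place"),
    "8.23": ("excluded", ""),  # exclusion with no justification: an audit finding
    "8.28": ("implemented", "SAST in CI plus code review"),
}

def theme_of(control_id: str) -> str:
    return THEMES[control_id.split(".")[0]]

def soa_gaps(soa: Dict[str, Tuple[str, str]]) -> Dict[str, List[str]]:
    """Return the new 2022 controls not yet covered by the SoA, grouped by theme.
    Covered means status 'implemented', or 'excluded' with a non-empty justification."""
    reasons = {"missing": "not in SoA",
               "planned": "planned, not yet implemented",
               "excluded": "excluded without justification"}
    gaps: Dict[str, List[str]] = {}
    for cid, name in NEW_CONTROLS_2022.items():
        status, note = soa.get(cid, ("missing", ""))
        if status == "implemented" or (status == "excluded" and note.strip()):
            continue
        gaps.setdefault(theme_of(cid), []).append(f"{cid} {name}: {reasons[status]}")
    return gaps

if __name__ == "__main__":
    for theme, items in soa_gaps(SAMPLE_SOA).items():
        print(f"{theme} ({len(items)} gaps)")
        for item in items:
            print("  -", item)
```

The output is the input for step 3, and the unjustified exclusion is the kind of finding a transition auditor will raise in step 6.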

Common Transition Challenges

  • Cloud security controls may require new vendor assessments
  • Threat intelligence requires ongoing subscriptions/processes
  • Configuration management needs automation
  • Data leakage prevention may need new tools

💡 Practical Advice for Swedish Organizations

What Most Organizations Already Have

Good news: Many of the "new" controls formalize existing best practices:

  • Threat intelligence → Already monitoring CVEs and security news
  • Cloud security → Already using AWS/Azure with some security
  • Configuration management → Infrastructure as Code already in place
  • Monitoring → SIEM or log aggregation already deployed

What Needs Work

Controls that typically require new implementation:

  • Formal threat intelligence process (not just ad-hoc monitoring)
  • Documented cloud security assessments (not just using cloud services)
  • Data leakage prevention (may need DLP tools)
  • Secure coding standards (formalized SDLC security)

Cost Impact

For Swedish SMEs already certified to 2013:

  • Internal effort: 40-80 hours for gap analysis, documentation updates, implementation
  • Transition audit: €2,000-€5,000 (often combined with surveillance audit)
  • New tooling: €1,000-€3,000 if DLP or monitoring gaps exist

Need transition support? Contact Hack23 for gap assessment and transition planning tailored to Swedish organizations.

📚 Resources