The 2022 revision of ISO 27001 collapsed Annex A from 114 controls down to 93, restructured them into four themes, and introduced 11 brand-new controls that catch first-time implementers off guard. Here is what those 11 actually require.
The structural shift in 30 seconds
ISO 27001:2022 reorganized controls into four thematic groups: Organizational (37), People (8), Physical (14), and Technological (34). The old 14 control categories from the 2013 version are gone. If your ISMS documentation still references “A.5 Information security policies” or “A.9 Access control,” you are working from the old standard and your auditor will flag it.
The 11 new controls in plain English
| Control | Title | What it actually requires |
|---|---|---|
| A.5.7 | Threat intelligence | Document a process for collecting, analyzing, and acting on threat intel (CVEs, advisories, dark web mentions of your brand) |
| A.5.23 | Information security for cloud services | Formal policy for selecting, contracting, operating, and exiting cloud providers |
| A.5.30 | ICT readiness for business continuity | Cyber-specific BC plans, not just generic disaster recovery |
| A.7.4 | Physical security monitoring | CCTV, sensors, or other physical monitoring for sensitive areas |
| A.8.9 | Configuration management | Documented secure baselines for systems, with drift detection |
| A.8.10 | Information deletion | Provable deletion practices, not just retention policies |
| A.8.11 | Data masking | Mask or pseudonymize sensitive data in non-production environments |
| A.8.12 | Data leakage prevention | DLP controls on endpoints, email, and cloud apps |
| A.8.16 | Monitoring activities | Anomaly detection and alerting on networks, apps, and user behavior |
| A.8.23 | Web filtering | Block access to malicious or inappropriate sites |
| A.8.28 | Secure coding | Formal secure SDLC, including SAST/DAST or equivalent |
The four controls most companies fail on
Across the dozens of ISO 27001:2022 audits we have observed since the standard went live, the same four controls trip up implementers repeatedly.
A.5.7 Threat intelligence
Auditors are no longer satisfied with “we have a SIEM.” You need documented sources (CISA KEV, vendor advisories, ISACs), a triage owner, and evidence of intel-driven action. A monthly threat-intel summary signed by the CISO closes this gap cleanly.
A.8.9 Configuration management
The 2013 standard let you point at hardening guides. The 2022 standard wants documented baselines per asset class (servers, endpoints, network gear, cloud accounts) AND evidence you detect drift. CIS Benchmarks plus a config-as-code tool like Terraform Cloud or AWS Config closes this.
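To make the baseline-plus-drift-detection requirement of A.8.9 concrete, here is an added example (not from this page or any product it mentions) that checks a captured configuration snapshot against a documented per-asset-class baseline and emits an auditor-facing evidence record; the baseline settings, asset names and snapshot contents are constructed placeholders, not an excerpt of any CIS Benchmark.

```python
from dataclasses import dataclass, asdict
from typing import Any

# Constructed baselines per asset class (assumed values for illustration,
# not an excerpt of any CIS Benchmark): dotted setting name -> required value.
BASELINES: dict[str, dict[str, Any]] = {
    "linux-server": {
        "sshd.PermitRootLogin": "no",
        "sshd.PasswordAuthentication": "no",
        "auditd.enabled": True,
    },
    "cloud-account": {
        "iam.root_mfa_enabled": True,
        "cloudtrail.enabled": True,
        "s3.block_public_access": True,
    },
}

@dataclass(frozen=True)
class Drift:
    asset: str
    asset_class: str
    setting: str
    expected: Any
    observed: Any  # None means the snapshot did not report the setting at all

def detect_drift(asset: str, asset_class: str, snapshot: dict[str, Any]) -> list[Drift]:
    """Return every baseline setting the captured snapshot fails to satisfy."""
    baseline = BASELINES[asset_class]
    return [
        Drift(asset, asset_class, key, expected, snapshot.get(key))
        for key, expected in baseline.items()
        if snapshot.get(key) != expected
    ]

def evidence_record(checked_at: str, drifts: list[Drift]) -> dict[str, Any]:
    """Audit-ready summary: a clean result is evidence too, so it is recorded as well."""
    return {
        "control": "A.8.9",
        "checked_at": checked_at,
        "compliant": not drifts,
        "findings": [asdict(d) for d in drifts],
    }

# Constructed snapshots, shaped like what a config scanner or cloud config export would hand over.
SNAPSHOTS = {
    ("web-01", "linux-server"): {"sshd.PermitRootLogin": "yes", "sshd.PasswordAuthentication": "no"},
    ("prod-acct", "cloud-account"): {"iam.root_mfa_enabled": True, "cloudtrail.enabled": True, "s3.block_public_access": True},
}
```

Run on a schedule, the records produced per asset give the drift-detection trail auditors ask for alongside the documented baseline.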
A.8.10 Information deletion
Most companies have a retention policy but no proof of deletion. Build a quarterly deletion log that ties retention rules to specific deletion events. NIST SP 800-88 is the reference auditors expect you to cite.
A.8.28 Secure coding
This is the control that surprises non-software-first companies. You need a written secure coding standard, evidence developers were trained on it, and either SAST/DAST tooling or formal peer code review with security gates.
Transition deadline
If you were certified under ISO 27001:2013, your transition deadline to 27001:2022 is October 31, 2025. After that date the older certificate is no longer valid. Most certification bodies recommend booking transition audits 6+ months in advance.
How QAE maps these
QAE ships with all 93 controls mapped to specific evidence types and integration sources. For the 11 new controls, we have pre-built playbooks that turn each into a quarterly evidence collection job. If you are starting from scratch, this saves roughly 80-120 hours of ISMS scoping work.
Bottom line
The 2022 revision is genuinely better. It eliminates redundancy, modernizes for cloud, and tightens what auditors look for. But the 11 new controls require real implementation, not documentation theater. Plan for 3-4 months of preparation before you book the certification audit.
Want to skip the spreadsheet years?
QAE automates evidence collection across 200+ integrations, maps controls across 20+ frameworks, and gets you audit-ready in 11 weeks.