SideGuy · Compliance clarity · reviewed 2026-06-09

ISO 27001:2013 vs 2022: the control restructure and the 11 new controls

If you certified under 2013, you've transitioned to 2022 (or you're out of date). The standard's structure didn't change much — but Annex A was rebuilt: controls were consolidated, re-themed, and 11 genuinely new ones were added for the cloud era. Here's the real diff.

The operator's bottom line: Use ISO 27001:2022 — 2013 is fully superseded and its certificates had to transition within three years of the 2022 publication. The management system (clauses 4–10) is essentially unchanged; the real work is in Annex A, which dropped from 114 controls in 14 domains to 93 controls in 4 themes (Organizational 37, People 8, Physical 14, Technological 34) and added 11 genuinely new controls — threat intelligence, cloud services, data masking, DLP, secure coding and others. By an operator who did both transitions: it's a control-mapping and gap exercise — re-map your Statement of Applicability and implement the 11 new controls — not an ISMS rebuild.

Side-by-side

Dimension | ISO 27001:2013 | ISO 27001:2022
Annex A controls | 114 controls | 93 controls (merged + de-duplicated, not weakened)
Structure | 14 control domains (A.5–A.18) | 4 themes: Organizational (37), People (8), Physical (14), Technological (34)
New controls | | 11 new: threat intel, cloud services, ICT continuity readiness, physical monitoring, config management, information deletion, data masking, DLP, monitoring activities, web filtering, secure coding
Attributes | None | Controls now tagged with attributes (control type, security property, etc.) for easier mapping
Clauses 4–10 | The management-system clauses | Minor wording alignment — the ISMS core is essentially unchanged
Transition | Certificates expired / had to transition | The standard in force; new certifications are 2022 only
The honest verdict.
The management system barely changed — the action is all in Annex A. The 11 new controls are the cloud-era catch-up (threat intelligence, cloud services, data masking, DLP, secure coding), and the re-theming makes the control set easier to navigate. If you built on 2013, the transition was a control-mapping exercise plus implementing the genuinely new items, not a rewrite of your ISMS.

Which one do you actually need?

Pick ISO 27001:2013 if…

Nothing — 2013 is superseded. Existing 2013 certificates had to transition to 2022, so anyone still on 2013 needs to update.

Pick ISO 27001:2022 if…

Everyone certifying or recertifying now. Focus your gap work on the 11 new controls and re-mapping your Statement of Applicability to the new 4-theme structure.

Questions operators actually ask

How many controls are in ISO 27001:2022?

93 in Annex A, down from 114 — but that's consolidation, not relaxation. Several 2013 controls were merged, and 11 brand-new controls were added, so the coverage actually expanded.

What are the 11 new controls?

Threat intelligence, information security for cloud services, ICT readiness for business continuity, physical security monitoring, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, web filtering, and secure coding — largely cloud-era and modern-ops additions.

Did the transition have a deadline?

Yes — organizations certified to 2013 were required to transition within the IAF-set window (three years from the 2022 publication). New certifications are issued only against 2022.

Is the 2013→2022 change a big project?

It's a mapping-and-gap exercise, not a rebuild. Your ISMS (clauses 4–10) stays largely the same; you re-map Annex A to the 4 themes, update your Statement of Applicability, and implement the 11 new controls you don't already cover.


Written by PJ Zonis · SideGuy Solutions · operator-honest, vendor-neutral · Compliance hub