ISO 27001:2013 vs ISO 27001:2022: What changed and why it matters

First Published: February 13, 2025

ISO/IEC 27001:2022 replaced the 2013 version of the standard, introducing updates that reflect changes in technology, threat landscapes, and organisational risk management practices. While the core structure of ISO 27001 remains familiar, the differences between ISO 27001:2013 and ISO 27001:2022 have practical implications for compliance, audits, and certification.

For Australian organisations, understanding these changes is essential, particularly if certification was originally achieved under the 2013 standard or if transition activities are still underway.

This article explains the key differences between ISO 27001:2013 and ISO 27001:2022, what has changed in Annex A, and what organisations need to consider to remain compliant.

For organisations transitioning from ISO 27001:2013 to the 2022 standard, structured ISO 27001 services can help map existing controls to the updated Annex A requirements and reduce audit risk during the transition.

Overview of the ISO 27001 update

ISO/IEC 27001 was updated in 2022 to align with modern security practices and improve consistency with other ISO management system standards.

At a high level:

  • The management system clauses were refined, not rewritten
  • Annex A controls were reorganised and consolidated
  • New controls were introduced to address emerging risks
  • Terminology was updated to reflect current practices

Organisations certified under ISO 27001:2013 were required to transition to the 2022 version within the defined transition period to maintain certification.

Structural changes to Annex A

One of the most visible differences between ISO 27001:2013 and ISO 27001:2022 is the structure of Annex A.

Annex A control count and domains

Under ISO 27001:2013:

  • 114 controls
  • 14 control domains

Under ISO 27001:2022:

  • 93 controls
  • 4 control domains:
    • Organisational
    • People
    • Physical
    • Technological

The reduction in control count does not mean fewer requirements. Instead, related controls were consolidated to reduce duplication and improve clarity.

New and updated controls in ISO 27001:2022

ISO 27001:2022 introduced new controls to address risks that were less prominent in 2013.

Examples include:

  • Threat intelligence
  • Information security for cloud services
  • ICT readiness for business continuity
  • Physical security monitoring
  • Secure coding
  • Data masking and data leakage prevention

These additions reflect the increased reliance on cloud platforms, remote working models, and complex supply chains.

What did not change between 2013 and 2022

Despite the updates, many foundational elements remain consistent.

These include:

  • The requirement for a risk-based approach
  • The need for an information security management system
  • Management accountability and leadership involvement
  • Internal audits and management reviews
  • Continual improvement principles

As a result, organisations with a mature ISMS typically find that transition efforts focus more on control alignment than on rebuilding governance structures.

Statement of Applicability changes

The Statement of Applicability remains a core ISO 27001 artefact, but ISO 27001:2022 places greater emphasis on clarity and justification.

Organisations must:

  • Clearly explain why controls are included or excluded
  • Demonstrate alignment with risk treatment decisions
  • Ensure the Statement of Applicability reflects the updated Annex A structure

Auditors increasingly scrutinise this document during both transition and surveillance audits.

Impact on ISO 27001 compliance in Australia

For Australian organisations, the differences between ISO 27001:2013 and ISO 27001:2022 primarily affect how compliance is demonstrated rather than whether compliance is achievable.

Common impacts include:

  • Updating risk assessments to reflect new control categories
  • Reviewing cloud and supplier security practices
  • Strengthening evidence for operational controls
  • Updating documentation to match revised terminology

Organisations that treat compliance as an ongoing programme rather than a certification exercise typically adapt more easily to the 2022 standard.

Audit and certification considerations

Audits conducted against ISO 27001:2022 focus on whether organisations have:

  • Mapped existing controls to the new Annex A structure
  • Addressed new control expectations where relevant
  • Updated governance and documentation appropriately
  • Demonstrated that controls operate effectively in practice

Certification bodies do not expect organisations to implement every new control automatically. Instead, auditors assess whether control selection is justified through risk assessment.

This makes alignment with your broader ISO 27001 audit and ISO 27001 compliance activities critical.

Relationship to other standards and frameworks

ISO 27001:2022 was updated alongside ISO/IEC 27002:2022 to improve consistency. The revised structure also aligns more closely with other management system standards and emerging frameworks.

For organisations managing automated or AI-driven systems, the updated control model aligns more naturally with governance approaches used in ISO 42001, supporting integrated risk management across information security and AI governance.

Should organisations recertify or transition?

As noted above, organisations certified under ISO 27001:2013 were required to transition to ISO 27001:2022 within the defined transition period to maintain certification.

For organisations pursuing certification for the first time, ISO 27001:2022 is now the only applicable version of the standard.

In both cases, the focus should be on:

  • Updating risk assessments
  • Mapping controls correctly
  • Ensuring evidence reflects current practices
  • Preparing for audits under the updated structure

Final thoughts

The differences between ISO 27001:2013 and ISO 27001:2022 reflect the evolution of information security rather than a fundamental change in direction. The updated standard improves clarity, reduces duplication, and better addresses modern security risks.

For Australian organisations, understanding these changes helps ensure compliance efforts remain aligned with current expectations and that audits and certification outcomes remain stable.

About CyberPulse

CyberPulse is a security-first compliance partner helping organisations reduce cyber risk, build resilience, and achieve certification with confidence. Founded by former CISOs and security leaders, we combine technical depth with real-world context across advisory, Managed Cybersecurity Services, compliance, and threat defence.
