Cyber Insights
New ISO/IEC 27001 Changes
ISO/IEC 27001 has long been the gold standard for information security management. With the release of ISO/IEC 27001:2022, organisations across the world face a fresh set of changes designed to strengthen cybersecurity, privacy, and risk management practices. Understanding these updates is essential for maintaining compliance and protecting your business.
Key Changes in ISO/IEC 27001:2022
Here’s a snapshot of the most important changes you need to know:
1. Updated Title
The standard now explicitly references cybersecurity and privacy protection, highlighting its broader scope beyond traditional information security.
2. Revised Control Structure in Annex A
The number of Annex A controls has been reduced from 114 (grouped into 14 domains in the 2013 edition) to 93, organised into four themes:
Organisational Controls – 37 controls
People Controls – 8 controls
Physical Controls – 14 controls
Technological Controls – 34 controls
The reduction comes largely from merging overlapping 2013 controls; 11 controls are new. Each control now also carries attributes (control type, information security properties, cybersecurity concepts, operational capabilities and security domains) that can be used to filter and map the set. ISO/IEC 27002:2022 Annex B contains the correspondence tables between the 2013 and 2022 controls, which is the reference to use when re-mapping an existing Statement of Applicability.
The 11 new controls are:
5.7 Threat intelligence
5.23 Information security for use of cloud services
5.30 ICT readiness for business continuity
7.4 Physical security monitoring
8.9 Configuration management
8.10 Information deletion
8.11 Data masking
8.12 Data leakage prevention
8.16 Monitoring activities
8.23 Web filtering
8.28 Secure coding
3. New Clause: Planning of Changes
Clause 6.3 now requires that changes to the ISMS are carried out in a planned manner, so that the ISMS remains suitable, adequate, and effective. In practice this means documenting the purpose, scope, resourcing and expected consequences of a change before it is made, and the transition to the 2022 edition itself is a change that should be planned in this way.
4. Enhanced Risk Management Approach
The core risk assessment and treatment requirements in clause 6.1 are largely unchanged, but the surrounding context has been tightened: clause 4.2 now requires the organisation to determine which interested-party requirements will be addressed through the ISMS, and clause 4.4 requires the ISMS processes and their interactions to be identified. Risk identification therefore needs to consider both internal and external factors and be visibly tied to those processes and parties, rather than sitting as a standalone register.
5. Greater Top-Level Engagement
The clause 5 leadership requirements keep accountability for the ISMS with top management, and the management review in clause 9.3 now explicitly includes changes in the needs and expectations of interested parties as an input. Auditors will expect evidence that senior management reviewed and resourced the transition, not just that the Statement of Applicability was updated.
6. Clearer Language and Terminology
The updated standard uses simpler, more precise language, making clauses easier to understand and implement.
7. Transition Period
Organisations certified under the 2013 version must complete a transition audit to ISO/IEC 27001:2022 by 31 October 2025; any remaining 2013 certificates expire or are withdrawn on that date.
How Bulletproof Cyber Can Support Your Business
Transitioning to ISO/IEC 27001:2022 can feel overwhelming, but that’s where Bulletproof Cyber comes in. We provide end-to-end support to ensure your business remains compliant and secure:
Gap Analysis & Assessment: Identify which areas of your current ISMS need updating to meet the 2022 standard.
Implementation Support: Help implement new controls, update policies, and integrate enhanced risk management practices.
Top-Level Engagement Guidance: Work with your leadership team to ensure strategic alignment with ISO/IEC 27001:2022 requirements.
Training & Awareness: Equip your employees with the knowledge and tools needed to maintain compliance and mitigate cyber risks.
Audit Preparation & Certification: Prepare your organisation for a smooth audit process, minimising disruption and ensuring timely certification.
By partnering with Bulletproof Cyber, businesses can simplify the transition, reduce risk, and reinforce trust with clients and stakeholders.
Conclusion
ISO/IEC 27001:2022 brings important updates that reflect the evolving cybersecurity landscape. With careful planning and expert support from Bulletproof Cyber, your business can navigate these changes confidently, ensuring both compliance and robust protection against modern threats.