ISO 27001:2022

What's new in ISO 27001:2022?

Let our Compliance, Security, and Risk experts Assist with your Cybersecurity Program

What's new in ISO 27001:2022?

ISO 27001:2022 Annex A Control Categories

Organizational Controls

Control Category 5 of ISO 27001:2022 sets the foundation for effective information security management within an organization by establishing leadership commitment, defining roles and responsibilities, ensuring resource allocation, promoting communication, and facilitating continual improvement through internal audits and management reviews.

People Controls

Control Category 6 of ISO 27001:2022 emphasizes the importance of effectively managing personnel to mitigate the human factor in information security risks. By implementing controls related to human resource security, training, awareness, and disciplinary processes, organizations can enhance the overall effectiveness of their ISMS and protect information assets from unauthorized access, disclosure, or misuse.

Physical Controls

Control Category 7 of ISO 27001:2022 focuses on implementing physical controls to safeguard information assets and facilities from physical threats, unauthorized access, and environmental hazards. By establishing secure areas, controlling physical access, monitoring and logging access activities, and protecting equipment and assets, organizations can enhance the overall security of their information systems and data.

Technological Controls

Control Category 8 of ISO 27001:2022 focuses on leveraging technological controls to protect information assets and ensure the confidentiality, integrity, and availability of sensitive information. By implementing secure configuration management, identity and access management, cryptography, security operations, system and network security, mobile device security, teleworking controls, and secure development practices, organizations can enhance the overall security of their information systems and infrastructure.


New Controls to Note in ISO 27001:2022

A. 5.7 Threat Intelligence

Information relating to information security threats shall be collected
and analysed to produce threat intelligence.

A.5.23 Information Security for Use of Cloud Services

Processes for acquisition, use, management and exit from cloud
services shall be established in accordance with the organization’s
information security requirements.

A.5.30 ICT Readiness for Business Continuity

ICT readiness shall be planned, implemented, maintained and tested
based on business continuity objectives and ICT continuity requirements.

A.7.4 Physical Security Monitoring

Premises shall be continuously monitored for unauthorized physical

A.8.9 Configuration Management

Configurations, including security configurations, of hardware,
software, services and networks shall be established, documented,
implemented, monitored and reviewed.

A.8.10 Information Deletion

Information stored in information systems, devices or in any other
storage media shall be deleted when no longer required.

A.8.11 Data Masking

Data masking shall be used in accordance with the organization’s
topic-specific policy on access control and other related topic-specific
policies, and business requirements, taking applicable legislation into

A.8.12 Data Leakage Prevention

Data leakage prevention measures shall be applied to systems, networks
and any other devices that process, store or transmit sensitive

A.8.16 Monitoring Activities

Networks, systems and applications shall be monitored for anomalous
behaviour and appropriate actions taken to evaluate potential
information security incidents.

A.8.23 Web Filtering

Access to external websites shall be managed to reduce exposure to
malicious content.

A.8.28 Secure Coding

Secure coding principles shall be applied to software development.

Company Strengths at a glance

Our Strong Points

Cyber Security Services (CSS) has been offering ISO 27001 consulting services since 2013. We have developed a proven methodology and track record on delivering for our customers. In short, we have seen your pain points first hand, and are ready to deliver on day one.

How we help you achieve the ISO 27001:2022 certification:

ISO 27001:2022 Gap Assessment Services

ISO 27001:2022 Independent Audit Services and Internal Control Validation

ISO 27001:2022 Penetration Testing

ISO 27001:2022 Business Continuity Plan (BCP)

Virtual CISO Services


Schedule a Call with a Cyber Security Expert

drop us a line and keep in touch

Learn how we helped 100 top brands gain success.

Let's have a chat