ISO 27001:2022 Explained: The 11 New Controls and What They Mean for Your Infrastructure
Posture Compass Team
Compliance & Security Experts
The 2022 revision of ISO 27001 introduced 11 brand-new controls that trip up even experienced security teams. Here is exactly what changed and how to document compliance without starting over.
ISO 27001:2022 is the first major revision of the standard since 2013. While the structural changes are modest—93 controls instead of 114, reorganised into 4 themes rather than 14—the 11 entirely new controls signal where real-world security risk has shifted over the past decade: cloud services, threat intelligence, data masking, and secure development.
If your organisation is certified under ISO 27001:2013, this breakdown will help you scope your transition gap analysis and prioritise remediation before your next surveillance audit.
The 11 New Controls at a Glance
All 11 new controls appear in Annex A under the reorganised themes. Here is what each requires and the most practical way to evidence compliance:
5.7 — Threat Intelligence
Organisations must collect and analyse information about information security threats and incorporate findings into their risk treatment decisions. This is not about buying a threat feed and calling it done—auditors want to see how threat data actually feeds your risk assessment process.
Evidence approach: Document your threat intelligence sources, show examples of threat reports reviewed in risk committee minutes, and link specific threats to control updates or acceptance decisions.
5.23 — Information Security for Use of Cloud Services
This control requires a documented process for acquiring, using, managing and exiting cloud services, including security requirements in cloud supplier agreements. Given how organisations actually use cloud today, this is one of the highest-effort new controls.
Evidence approach: Create a cloud service inventory with security classifications, ensure your supplier agreements reference shared responsibility models, and document your cloud exit procedures.
5.30 — ICT Readiness for Business Continuity
ICT continuity planning must be integrated with your business continuity management system, with clearly defined RTOs and RPOs for critical systems. The control explicitly requires testing of ICT continuity arrangements.
Evidence approach: Show BCM/ICT alignment in your BCP documentation, test results with dates, and evidence that recovery objectives have been reviewed against business requirements.
7.4 — Physical Security Monitoring
Premises and facilities must be continuously monitored against unauthorised physical access. For organisations operating entirely in cloud environments, this typically applies to colocated or managed data centre agreements.
Evidence approach: CCTV logs, access control reports, or data centre audit certifications (SOC 2 Type II from your provider commonly satisfies this).
8.9 — Configuration Management
Security configurations must be established, documented, implemented, monitored and reviewed for hardware, software, services and networks. This is where Posture Compass directly maps—continuous automated configuration assessment is the most efficient way to demonstrate ongoing compliance with this control.
Evidence approach: Configuration baseline documents, automated scanning reports, and a change management process that validates configuration compliance before deployment.
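An added illustration (not code from the article or from Posture Compass) of the baseline comparison behind automated configuration assessment: a documented baseline is checked against a host's sshd_config and the result is emitted as an audit-ready record. The baseline values, the host name and the sshd_config text are constructed samples.

```python
"""Configuration drift check against a documented baseline (ISO 27001:2022
control 8.9). Added illustration; baseline and sshd_config are constructed."""
from datetime import datetime, timezone

# Constructed baseline: the approved, documented security configuration.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "MaxAuthTries": "3",
    "LogLevel": "VERBOSE",
}

# Constructed host configuration, deliberately drifted from the baseline.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication yes
MaxAuthTries 3
"""

def parse_sshd_config(text):
    """Return {keyword: value}; the first occurrence wins, as sshd applies it.
    Comment lines start with '#'. Match blocks are not modelled here."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] not in settings:
            settings[parts[0]] = parts[1].strip()
    return settings

def find_drift(baseline, actual):
    """List every baseline item that is absent (sshd default then applies)
    or set to a different value on the host."""
    drift = []
    for key, expected in baseline.items():
        observed = actual.get(key)
        if observed is None:
            drift.append({"setting": key, "expected": expected, "observed": None, "issue": "missing"})
        elif observed.lower() != expected.lower():
            drift.append({"setting": key, "expected": expected, "observed": observed, "issue": "mismatch"})
    return drift

def evidence_record(host, baseline, config_text):
    """Audit-ready record: what was checked, when, and each deviation found."""
    drift = find_drift(baseline, parse_sshd_config(config_text))
    return {"host": host, "checked_at": datetime.now(timezone.utc).isoformat(),
            "baseline_items": len(baseline), "compliant": not drift, "deviations": drift}
```

Running the same check on a schedule and retaining each record gives the dated trail of monitoring and review that the control asks for; the same pattern applies to any key/value style configuration file.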
8.10 — Information Deletion
Information stored on systems, devices and media must be deleted when no longer required. The control covers both intentional deletion and end-of-life media disposal.
Evidence approach: Data retention schedules, deletion logs, and certificates of destruction for decommissioned hardware.
8.11 — Data Masking
Data masking, pseudonymisation or anonymisation must be used where appropriate—particularly for personal data in non-production environments. This aligns tightly with GDPR requirements many organisations already have in place.
Evidence approach: Technical documentation showing masking applied in test environments, data classification policy linking sensitivity levels to masking requirements.
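An added illustration (not from the article or from Posture Compass) of a classification policy driving the masking applied to a non-production copy: each field's sensitivity level selects keep, keyed pseudonymisation or redaction, and the per-field action summary is the evidence that links the two. The policy, field register, key and records are constructed samples.

```python
"""Classification-driven masking for a non-production data copy (ISO 27001:2022
control 8.11). Added illustration; not from the article or Posture Compass.
The policy, field register, key and records are constructed samples."""
import hashlib
import hmac

# Constructed policy: sensitivity level -> masking action.
POLICY = {"public": "keep", "internal": "keep",
          "personal": "pseudonymise", "confidential": "redact"}
# Constructed field classification register for one table.
FIELD_CLASS = {"customer_id": "internal", "email": "personal",
               "full_name": "personal", "plan": "public", "card_last4": "confidential"}
# Hypothetical per-environment key; in practice held in a secret store, not with the data.
MASKING_KEY = b"test-env-masking-key-CONSTRUCTED"

def pseudonymise(value, key=MASKING_KEY):
    """Keyed hash: the original cannot be recovered without the key, yet equal
    inputs give equal tokens, so joins across masked tables still work."""
    digest = hmac.new(key, str(value).encode("utf-8"), hashlib.sha256).hexdigest()
    return "pseud_" + digest[:16]

def action_for(field, field_class=FIELD_CLASS, policy=POLICY):
    """Unregistered fields are treated as confidential, so a gap in the
    classification register fails closed (redaction) rather than leaking."""
    return policy.get(field_class.get(field, "confidential"), "redact")

def mask_record(record):
    out = {}
    for field, value in record.items():
        action = action_for(field)
        if action == "keep":
            out[field] = value
        elif action == "pseudonymise":
            out[field] = pseudonymise(value)
        else:
            out[field] = "[REDACTED]"
    return out

def mask_dataset(records):
    """Return the masked rows plus a per-field action summary, which is the
    evidence an auditor expects to see alongside the masked copy."""
    masked = [mask_record(r) for r in records]
    fields = sorted({f for r in records for f in r})
    return masked, {f: action_for(f) for f in fields}
SAMPLE_RECORDS = [  # constructed production-like rows
    {"customer_id": 1001, "email": "ana@example.com", "full_name": "Ana Example",
     "plan": "pro", "card_last4": "4242"},
    {"customer_id": 1002, "email": "ana@example.com", "full_name": "Ana Example",
     "plan": "free", "card_last4": "0005", "notes": "vip"},
]
```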
8.12 — Data Leakage Prevention
DLP measures must apply to systems, networks and output devices that process, store or transmit sensitive information. Critically, the control requires DLP policies to be reviewed following any significant change in data classification or processing activities.
Evidence approach: DLP policy documentation, tool configurations, incident reports, and review records after major system changes.
8.16 — Monitoring Activities
Networks, systems and applications must be monitored for anomalous behaviour, and monitoring results must be evaluated and trigger appropriate responses. This is broader than traditional SIEM—it includes application-level and endpoint anomaly detection.
Evidence approach: Monitoring architecture documentation, alert tuning records, and evidence that monitoring outputs are regularly reviewed by responsible personnel.
8.23 — Web Filtering
Access to external websites must be managed to reduce exposure to malicious content. This may include URL categorisation filtering, DNS-based protection, or secure web gateways.
Evidence approach: Web filtering policy, technical configuration of filtering tools, and user awareness training records.
8.28 — Secure Coding
Secure coding principles must be applied to software development. This includes both internally developed and outsourced software, and requires secure coding practices to be defined and followed throughout the development lifecycle.
Evidence approach: Secure coding standards document, code review records, SAST/DAST scan results, and evidence that developers have received secure coding training.
Practical Transition Roadmap
The ISO 27001:2022 transition deadline for existing certifications is 31 October 2025. Most certification bodies are already requiring the new standard for first-time certifications. Here is a practical approach:
- Gap assessment: Map your existing controls to the new Annex A structure. Many 2013 controls simply map 1:1 to reorganised 2022 controls.
- New control gap analysis: For each of the 11 new controls, assess your current state and the delta to full compliance.
- Prioritise by effort and risk: 8.9 (Configuration Management) and 5.23 (Cloud Services) typically require the most new work for infrastructure-heavy organisations.
- Update your Statement of Applicability: The SoA must reflect the 2022 Annex A structure.
- Schedule transition audit: Work with your certification body early—slots fill up as the deadline approaches.
The 2022 revision is not about adding complexity—it is about aligning the standard with how security actually works in modern cloud-native environments. Treat it as an opportunity to modernise your programme, not just update documentation.
The Posture Compass team helps organisations worldwide implement security frameworks efficiently. Our platform automates compliance tracking so you can focus on real risk reduction.