What are the ISO 27001 updates?

After nine years, one of the most widely-used information security frameworks and certifications – ISO 27001 – has been updated

Jason Koestenblatt, Team Lead, Content Marketing
October 25, 2022

Close up photo of roman column on building exterior

As the cybersecurity threat landscape and its innumerable risk vectors expand daily, businesses are in need of foundational principles and guidance to ensure a defendable security posture cannot be penetrated.  

In October 2005, the International Organization for Standardization (ISO) released its first framework, the 27001, that outlined a cybersecurity foundation for businesses. If followed, implemented, and attested to, companies following the standards could obtain certification of the practice while also bolstering their digital security posture. 

The ISO 27001 was updated in 2013 and, with much anticipation, the joint organization has published its first update to the framework in nine years.  

“In my opinion, these updates are long overdue,” said Kevin Liu, Director of Information Security at OneTrust. “The ISO: 27001:2013 was a good starting point but it is dated and does not address key risks we face today with operating in the cloud. The new sections: Information security for cloud services, ICT readiness for business continuity, configuration management, information deletion, etc. are good requirements to help OneTrust enhance our security posture. I think most mature organizations, Including OneTrust, are performing these new requirements already. We will need to assess and update our control inventory to align with ISO 27001: 2022. In addition, we may need to update procedure and process documents to support ISO 27001: 2022.”  

Building or expanding your business’s Information Security Management System (ISMS) is a critical component to cybersecurity success. Learn more in this webinar 

What are the ISO 27001 updates? 

The number of annex controls has decreased from 114 to 93 and are situated in four sections, instead of the previous 14. That decrease isn’t due to removals, rather a result of mergers. There are minor changes to clauses four to 10 as well.  

A high-level look at the changes includes: 

Clauses four to 10 — Minor changes in the clauses below:

Modified clauses 

  • Clause 4.2, 4.3 and 4.4 (no real change — changes were added to clarify certain requirements) 
  • Clause 6.1.3 and 6.2 (modified requirement) and Clause 7.4 (modified requirement) 
  • Clause 8.1 (clarification changes) 
  • Clause 9.1 (clarification changes) 
  • Clause 10.1 is now continual Improvement and Clause 10.2 is Nonconformity and corrective action (just swapping between two clauses)  

New Clauses 

  • Clause 6.3 (new clause) — when changes are made to the ISMS, it should be in a planned manner 

Clauses divided into sub clauses 

  • Clause 9.2 is divided into 9.2.1 and 9.2.2. 
  • Clause 9.3 is divided into 9.3.1, 9.3.2 and 9.3.3 

Annex Controls: 

  • New version has 93 controls as opposed to 114 
  • 57 previous controls have been merged into 24 
  • 23 renamed controls 
  • 35 are unchanged but control number changed 
  • 11 new controls added 
  • 1 control split into 2 


  • 14 domains have been reduced to 4 domains for better categorization, including: 
  • 37 Organizational  
  • 34 Technological 
  • 14 Physical 
  • 8 People 


  • Written in hashtags for searchability 
  • 5 attributes total 
  • Each control assigned with these attributes 

“The ISO update is a good opportunity for CISOs to readdress information security and risk management controls across their enterprise,” said Justin Henkel, VP of Security, OneTrust. “ISO’s updated risks and associated controls bring the framework into better alignment with today’s operational threat environment and mitigation strategies. Organizations looking to up-level their information security management system (ISMS) should look at ISO to improve their security posture.” 

What are the next steps for your business? 

If your organization follows the ISO 27001 standard it will also need to update its processes to remain certified. There will be a two-year transition period for certified organizations to revise their management system to conform to the new version of the standard. Businesses currently in the process of working toward certification should continue to do so and implement an ISMS.  

Beyond just having a checklist for your internal analysis and remediation, take a look at the simple steps needed for technology and automation to enhance your business’s ability to put best practices into action:  

  • Connect your IT ecosystem: Inventory and relate assets, risks, controls, and integrate with risk adjacent systems.   
  • Measure risk: Quantify risk with streamlined risk assessments enhanced by AI.   
  • Remediate risk: Expedite and manage risk treatment plans with workflow automation.   
  • Monitor control performance: Facilitate self-assessments and continuous controls monitoring.   
  • Visualize & report: Inform decision making with role-based reporting for executives, risk managers, and risk owners.   

Learn more about constructing your ISMS and how OneTrust can help with a demo. Request one here.  

You may also like


Third-Party Risk

5 Ways to save time when assessing third parties for privacy and security risks webinar

Join our webinar and learn how to save time and streamline third-party risk assessment throughout the TPRM lifecycle.

October 25, 2023

Learn more


Third-Party Risk

Live demo: Building your third-party risk management program with OneTrust

Explore how OneTrust can help you build an efficient third-party risk management program that streamlines manual processes and uncovers hidden risks.

September 28, 2023

Learn more


Third-Party Risk

Live Demo EMEA: How OneTrust can help advance your third-party risk management program

Join us for a live demo of OneTrust's third-party risk management solution and see how it can help automate and streamline your TPRM program.

September 19, 2023

Learn more