Skip to main content

ISO/IEC 27001:2022

On October 25, 2022, the new version of ISO/IEC 27001, ISO/IEC 27001:2022 ‘In-formation technology - Security techniques - Information security management systems – Requirements’ (hereinafter ISO 27001:2022) was published.

After April 30, 2024, initial audits and recertification audits may no longer be performed based on ISO/IEC 27001:2013 or 2017. From that date, the use of the 2022 version is mandatory.

Surveillance audits may still be carried out as part of a three-year cycle based on the 2013 or 2017 version, until April 30, 2026 at the latest.

The new versions of ISO 27001:2022 and ISO 27002:2022 are available via the NEN website, both in Dutch and English.


The transition audit

In order to transition a certified management system for information security (ISMS) to the new ISO 27001:2022 version, Noordbeek will have to carry out a transition audit.

The transition audit takes 4 hours and will be conducted as a separate audit via a video meeting.

After the audit, Noordbeek will prepare a report. The file will be assessed internally and, if everything is approved, Noordbeek will produce a new ISO 27001:2022 certificate and hand it over to you.

The cost for this transition audit is 1 audit day.


Changes in the controls

The most important change in ISO 27001:2022 concerns the division of Annex A into four chapters. ISO 27001:2017 contained 114 controls, divided into 14 chapters, namely Annex 5 to Annex 18.

ISO 27001:2022 contains 93 controls, divided into 4 chapters, namely:

  • Annex A.5, ‘Organizational controls’: 37 controls;
  • Annex A.6, ‘People controls’: 8 controls;
  • Annex A.7, ‘Physical controls’: 14 controls;
  • Annex A.8, ‘Technological controls’: 34 controls.


There are 11 new measures, namely:

  • A.5.7, Threat intelligence;
  • A.5.23, Information security for use of cloud services;
  • A.5.30, ICT readiness for business continuity;
  • A.7.4, Physical security monitoring;
  • A.8.9, Configuration management;
  • A.8.10, Information deletion;
  • A.8.11, Data masking
  • A.8.12, Data leakage prevention;
  • A.8.16, Monitoring activities;
  • A.8.23, Web filtering;
  • A.8.28, Secure Coding.


Changes in the management system

There are limited changes in chapters 4 to 10. This concerns:

  • 4.1, Understanding the organization and its context – refinement;
  • 4.2, Understanding the needs and expectations of interested parties– refinement;
  • 4.4, Information security management system – tightening;
  • 6.1.3, Information security risk treatment– tightening;
  • 6.2, Information security objectives and the planning to achieve them – tightening;
  • 6.3, Planning of changes – addition;
  • 7.4, Communication – tightening;
  • 8.1, Operational planning and control – rewritten;
  • 9.1, Monitoring, measurement, analysis and evaluation– tightening;
  • 9.2. Internal audit – split;
  • 9.3, Management review – split;
  • 10, Improvement - change of numbering.


If you have any questions about the new version of the standard and the transition, please feel free to contact us.


Noordbeek Certification B.V.
Rijndijk 235
2394 CD Hazerswoude
Chamber of Commerce 80529585

This email address is being protected from spambots. You need JavaScript enabled to view it.

© Noordbeek B.V. All rights reserved.