
Standards update

ISO/IEC 27001:2022 vs 2013: what actually changed

The 2022 edition did more than tidy up wording. It updated the main body of the standard, aligned Annex A to ISO/IEC 27002:2022, and changed the way many teams need to review their ISMS.

6 min read

Audience: security leads, IT managers, compliance owners, and teams updating older ISO/IEC 27001 material

2026-04-25

Start with the high-level answer.

ISO/IEC 27001:2022 is the current published edition of the requirements standard, and ISO lists ISO/IEC 27001:2013 as withdrawn. That matters because a lot of internal documents, SoAs, audit notes, and consultant packs still speak in 2013 language even when the working reality has moved on.

The 2022 revision kept the core idea of ISO/IEC 27001 intact. It is still a management system standard for establishing, implementing, maintaining, and continually improving an ISMS. It is still risk-based. It still expects documented information, internal audit, management review, and a defensible Statement of Applicability.

What changed is the shape around that core. The standard body was refined, Annex A was fully revised to align with ISO/IEC 27002:2022, and the control structure now looks very different to anyone used to the 2013 control set.

The main body changed in useful but easy-to-miss ways.

A lot of commentary on the 2022 update focuses only on Annex A. That is understandable, but incomplete. BSI’s transition materials highlight several requirement-level changes that matter in practice for how teams run the ISMS.

The standard now puts more emphasis on defined processes and their interactions, on planned change, and on operational criteria and control. It also sharpens expectations around organizational roles relevant to information security and around how communication is determined as part of the ISMS.

  • Clause 4.4 now explicitly references the processes needed for the ISMS and their interactions
  • Clause 6.3 introduces planning of changes
  • Clause 8.1 adds clearer language on operational planning, criteria, and control of processes
  • Clause 7.4 places more emphasis on determining how communication happens
  • There are also editorial and numbering changes, including removal of control objectives from Annex A language

Annex A is where most teams feel the change immediately.

The 2022 edition aligns its reference controls to ISO/IEC 27002:2022. The old 114-control structure from 14 groups is gone. In its place is a 93-control set organized into four themes: organizational, people, physical, and technological.

That does not automatically mean the standard became lighter. In practice, it means the control set was restructured, merged, updated, and modernized. Teams that simply try to force old numbering into new document packs usually end up missing the point of the revision.

The better approach is to treat Annex A as a fresh reference set and then review how the SoA, risk treatment plan, and supporting evidence map to it.

The operational question is not 'what is the new number?'

For most organizations, the useful question is not whether an old control maps neatly to a new identifier. It is whether the ISMS still reflects the real way the organization manages information security today.

That means checking whether your existing documents, risk treatment decisions, and review cycles still describe current practice. It also means asking whether modern areas such as cloud use, deletion, masking, monitoring, and secure coding are treated as real operating topics rather than assumptions.

One extra detail is easy to miss in 2026.

ISO also lists Amendment 1:2024 for ISO/IEC 27001:2022, covering climate action changes. That is separate from the 2022 Annex A reshape, but it is worth knowing if you want your explainer material and document references to feel current rather than frozen at publication day.

So if you are writing about 'old versus new', the cleanest framing is this: the big structural jump was from 2013 to 2022, and the current ISO listing also includes the 2024 climate amendment on top of the 2022 edition.


Prefer to talk it through?

If you are updating older 2013-era material, compare notes.

I’m using the insights section to publish practical ISO/IEC 27001 explainers. If you are reviewing an older ISMS or trying to make sense of the 2022 changes, I’m happy to compare notes.
