
The 11 new Annex A controls in ISO/IEC 27001:2022

The 2022 revision restructured Annex A into 93 controls across four themes (organizational, people, physical, technological) and introduced 11 controls with no direct 2013 predecessor. Those 11 are a useful signal of where ISO/IEC 27001 now expects explicit thinking about cloud, data handling, monitoring, resilience, and secure engineering rather than leaving it implied.

7 min read. Audience: security managers, IT leads, developers, and anyone updating a 2013-era control set. Published 2026-04-23.

Here is the list first

BSI’s published transition material lists 11 controls as new in the 2022 Annex A structure. Annex A mirrors the control set of ISO/IEC 27002:2022, which is where the implementation guidance for each of these controls lives. For many teams, simply seeing the full list in one place is the most useful starting point.

  • A.5.7 Threat intelligence
  • A.5.23 Information security for use of cloud services
  • A.5.30 ICT readiness for business continuity
  • A.7.4 Physical security monitoring
  • A.8.9 Configuration management
  • A.8.10 Information deletion
  • A.8.11 Data masking
  • A.8.12 Data leakage prevention
  • A.8.16 Monitoring activities
  • A.8.23 Web filtering
  • A.8.28 Secure coding

What these new controls are really pointing at

Taken together, the 11 controls tell a fairly clear story. ISO/IEC 27001 is putting more explicit weight on operational awareness, modern technical hygiene, and clearer data handling expectations.

Threat intelligence, cloud security, monitoring, configuration management, and secure coding all reflect areas that became much harder to treat as implicit or optional as organizations grew more distributed and more dependent on cloud and software delivery.

A practical way to group them

It is often easier to understand the new controls by clustering them into operating themes instead of memorizing them one by one.

  • Awareness and resilience: threat intelligence, ICT readiness for business continuity, physical security monitoring
  • Cloud and technical discipline: cloud services, configuration management, monitoring activities, web filtering, secure coding
  • Data handling and containment: information deletion, data masking, data leakage prevention

Why they matter even if you already do some of this work

A lot of organizations will look at the list and say that none of it feels entirely new. That is fair. Many capable teams already do some level of cloud assurance, code review, monitoring, and deletion management.

What changes in the ISO/IEC 27001 context is that these topics now have an explicit identity in the reference control set. That tends to push organizations to make ownership, policy, evidence, and review cadence more explicit than before. Being new does not make a control mandatory: each one is still selected or excluded through the risk assessment and justified in the Statement of Applicability, and an auditor will expect that justification for the new controls just as much as for the old ones.

What to look for when reviewing your own ISMS

The simplest check is whether each new control can be traced to something operational: a process, a technical setting, a record, or review evidence that an auditor could inspect. A standalone policy is rarely required and is rarely sufficient on its own; what usually satisfies the control is a combination of process, technical setting, record, and review evidence.

  • For threat intelligence, look for defined sources, triage for relevance to your environment, and the actions that result (patch prioritization, new detection rules, configuration changes)
  • For cloud services, look for governance around selection, use, shared responsibility, configuration, exit, and periodic review
  • For configuration management, look for documented baselines, change records, and some means of detecting drift from the baseline
  • For deletion, masking, and data leakage prevention, look for clear treatment of sensitive data across environments, including test and backup copies
  • For monitoring and web filtering, look for operational controls with defined coverage, alert handling, and review, rather than generic statements
  • For secure coding, look for how development practice is actually governed, reviewed, and improved, including what happens when a review finds a problem


Prefer to talk it through?

If you are deciding how these controls should show up in your ISMS, compare notes.

The new controls tend to expose gaps between what a team does in practice and what its formal ISMS can actually show. If you are working through that gap, I’m happy to compare notes.
