
What's new in ISO/IEC 27001:2022

ISO/IEC 27001:2022 restructured 114 controls into 93 across four themes and introduced 11 new controls. The transition from the 2013 edition ended 31 October 2025. Here's what changed and why it matters.

Article Record
Standard: ISO/IEC 27001
Type: Standards update
Published: 22 June 2026
Read time: 6 min

Key figures (ISO/IEC 27001:2022, Annex A):

  • 93 controls in the 2022 edition, down from 114
  • 4 themes replacing 14 control domains: Organizational, People, Physical, Technological
  • 11 brand-new controls introduced, including threat intelligence, cloud services, and secure coding

ISO/IEC 27001:2022 landed on 25 October 2022, the first full revision of the information security management standard since 2013. The headline change is a complete overhaul of Annex A: 114 controls organized across 14 domains were restructured into 93 controls across four themes. Eleven new controls were introduced, and the transition deadline of 31 October 2025 has now passed. Certification bodies no longer issue certificates against the 2013 edition.

For candidates preparing for an ISTO Test of Understanding, the 2022 standard is the current examinable edition. Understanding the reorganization (and particularly the 11 new controls and the optional attribute system) is essential preparation.

The Annex A overhaul: 114 → 93 controls across 4 themes

The most visible change in ISO/IEC 27001:2022 is the restructuring of Annex A. The 2013 edition organized controls into 14 domains (from A.5 to A.18), resulting in 114 controls of variable granularity. The 2022 edition consolidates these into four themes, each covering a distinct operational dimension of information security:

Theme | Controls | Focus area
Organizational | 37 | Policies, roles, supplier relationships, incident management, compliance
People | 8 | Hiring, training, awareness, disciplinary process, remote working
Physical | 14 | Premises, equipment, clear-desk, physical security monitoring
Technological | 34 | Access control, cryptography, configuration, logging, secure development

The total drops from 114 to 93 because many former controls were merged where they addressed the same underlying objective from slightly different angles, and some were restructured for clarity. The reduction is not a relaxation of the standard's expectations. Organizations applying the 2022 edition must still conduct a thorough risk assessment and select applicable controls.

Dimension | 2013 edition | 2022 edition
Annex A structure | 14 control domains (A.5 to A.18) | 4 themes: Organizational, People, Physical, Technological
Total controls | 114 controls | 93 controls (merged, split, and 11 new)
New controls | None; 2013 reflected the threat landscape of that era | 11 new controls covering cloud, threat intelligence, secure coding, and more
Control attributes | Not present | Optional five-attribute tagging system in ISO/IEC 27002:2022
Alignment with cybersecurity frameworks | Limited cross-referencing to frameworks such as NIST CSF | Cybersecurity concepts attribute (Identify/Protect/Detect/Respond/Recover) maps to NIST CSF
Statement of Applicability | Derived from 14-domain Annex A | Derived from the four-theme Annex A; SoA must reference 2022 controls

The 11 new controls

The most substantive additions are the 11 controls that did not exist in the 2013 edition at all. They reflect a decade of change in how organizations operate (cloud adoption, growing threat sophistication, and increased regulatory attention to data and software security). Each is identified by its Annex A reference in the 2022 edition:

  • A.5.7 Threat intelligence — Organizations must gather, analyse, and act on information about threats relevant to their information security posture.
  • A.5.23 Information security for use of cloud services — Acquisition, use, management, and exit processes for cloud services must be governed by specific security requirements.
  • A.5.30 ICT readiness for business continuity — ICT continuity must be planned, implemented, verified, and reviewed to ensure availability during disruption.
  • A.7.4 Physical security monitoring — Premises must be monitored continuously for unauthorized physical access.
  • A.8.9 Configuration management — Security configurations for hardware, software, services, and networks must be established, documented, implemented, and monitored.
  • A.8.10 Information deletion — Information held on systems, devices, or media must be deleted when it is no longer needed, following the applicable retention requirements.
  • A.8.11 Data masking — Masking of personal data and other sensitive information must be applied in accordance with applicable policies and requirements.
  • A.8.12 Data leakage prevention — Measures must be applied to detect and prevent unauthorized disclosure or extraction of information by people, processes, or systems.
  • A.8.16 Monitoring activities — Networks, systems, and applications must be monitored for anomalous behaviour, and appropriate actions taken in response.
  • A.8.23 Web filtering — Access to external websites must be managed to reduce exposure to malicious content.
  • A.8.28 Secure coding — Secure coding principles must be applied to software development.

The majority of new controls fall in the Technological theme (A.8.x), reflecting the reality that the most significant expansion of the threat surface since 2013 has been technological (cloud, software supply chains, and data proliferation).

The five control attributes

ISO/IEC 27002:2022, the companion guidance document, introduces a system of five optional attributes that can be applied to any of the 93 controls. They are a tagging framework, not additional requirements:

  1. Control type — whether a control is preventive, detective, or corrective in nature.
  2. Information security properties — which of the classic triad (Confidentiality, Integrity, Availability) the control primarily supports.
  3. Cybersecurity concepts — alignment with the NIST Cybersecurity Framework phases: Identify, Protect, Detect, Respond, Recover.
  4. Operational capabilities — which operational area the control addresses (e.g., governance, asset management, application security).
  5. Security domains — broad security domains such as governance and ecosystem, protection, defence, and resilience.

Organizations use the attribute system to slice Annex A in different ways: an information security manager might filter by cybersecurity concept to map controls against a NIST CSF gap analysis; a CISO might filter by control type to ensure a balanced portfolio of preventive, detective, and corrective measures. The system is also useful for scope-limited risk assessments, for example, filtering to Technological controls when assessing a specific software development pipeline.
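As an added example (not code from the article, from ISO, or from any certification body), the following Python applies the two ideas above together with the SoA row of the comparison table: it checks that a Statement of Applicability references only 2022 Annex A controls and slices the selected controls by the cybersecurity concepts attribute to expose NIST CSF coverage gaps. The attribute tags, the sample SoA, and the A.6 = People mapping are assumptions made here, not quoted from the standard.

```python
# Added example, not from the article: validate a Statement of Applicability's control
# references against ISO/IEC 27001:2022 Annex A numbering, then slice the selected
# controls by the "cybersecurity concepts" attribute to find NIST CSF coverage gaps.
import re
from collections import Counter
# 2022 themes keyed by the reference's first number, with each theme's control count
# from the article (37 + 8 + 14 + 34 = 93). The A.6 = People mapping is assumed.
THEMES = {5: ("Organizational", 37), 6: ("People", 8),
          7: ("Physical", 14), 8: ("Technological", 34)}
CSF_FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")
# Tags for four of the 11 new controls, CONSTRUCTED for illustration; take the real
# tags from ISO/IEC 27002:2022 before relying on them.
SAMPLE_TAGS = {
    "A.5.7":  {"concepts": {"Identify", "Detect", "Respond"}},
    "A.5.23": {"concepts": {"Protect"}},
    "A.8.9":  {"concepts": {"Protect"}},
    "A.8.28": {"concepts": {"Protect"}},
}
REF = re.compile(r"^A\.(\d+)\.(\d+)(\.\d+)?$")

def classify(ref):
    """Return the 2022 theme name, or a reason the reference is not a 2022 control."""
    m = REF.match(ref.strip())
    if not m:
        return "malformed reference"
    if m.group(3):  # 2013 numbering had three levels, e.g. A.12.4.1
        return "2013-style reference (three-level numbering)"
    domain, index = int(m.group(1)), int(m.group(2))
    if domain not in THEMES:
        return ("2013-style domain (A.9 to A.18 no longer exist)"
                if 9 <= domain <= 18 else "unknown domain")
    name, count = THEMES[domain]
    return name if 1 <= index <= count else f"{name}: index out of range (max {count})"

def check_soa(refs):
    """Count valid references per theme; list invalid ones with the reason."""
    valid, invalid = Counter(), {}
    for ref in refs:
        result = classify(ref)
        if result in {name for name, _ in THEMES.values()}:
            valid[result] += 1
        else:
            invalid[ref] = result
    return dict(valid), invalid

def concept_coverage(refs, tags=SAMPLE_TAGS):
    """Map each NIST CSF function to the selected controls tagged with it; [] = gap."""
    coverage = {f: [] for f in CSF_FUNCTIONS}
    for ref in refs:
        for concept in tags.get(ref, {}).get("concepts", ()):
            coverage[concept].append(ref)
    return coverage
```

Run `check_soa` over the control references extracted from a supplier's SoA: any entry in the invalid dictionary means the document still points at 2013 numbering or at a control that does not exist in the 2022 edition.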

The transition deadline

The transition from ISO/IEC 27001:2013 to the 2022 edition ended on 31 October 2025. That deadline has passed. Certificates issued under the 2013 edition are no longer valid; any organization that did not complete its transition before that date needed to undergo recertification against the 2022 standard. If you are reviewing a supplier's or partner's ISO/IEC 27001 certificate, check that it references the 2022 edition.

ISO/IEC 27001 revision milestones

  1. Oct 2013: ISO/IEC 27001:2013 published. Fourteen control domains, 114 controls in Annex A.
  2. Oct 2022: ISO/IEC 27001:2022 published on 25 October 2022. Four themes, 93 controls, 11 new.
  3. 2024: Amd 1:2024 (climate). Minor climate-change amendment to the context clauses, separate from the 2022 Annex A overhaul.
  4. Oct 2025: Transition deadline passed. 31 October 2025 was the deadline for migrating from the 2013 edition.

One separate note: Amendment 1:2024 added a minor climate-change consideration to the context clauses (4.1 and 4.2) of ISO/IEC 27001, as part of the same coordinated Annex SL amendment that updated 31 management-system standards simultaneously. This amendment is largely administrative for an information security standard and does not affect the Annex A control set described in this article.

What this means for candidates

For candidates sitting an ISTO Test of Understanding, the current examinable standard is ISO/IEC 27001:2022. Expect questions on:

  • The four-theme structure and which types of controls fall into each theme.
  • The 11 new controls (particularly A.5.7, A.5.23, A.5.30, A.8.9, and A.8.28) and the risks they address.
  • The Statement of Applicability and how it references the 2022 Annex A.
  • The nature and purpose of the five control attributes, and specifically that they are optional.

The companion article ISO/IEC 27001 controls explained: the 4 themes of Annex A goes deeper into the content and logic of each theme, with example controls and a guide to navigating Annex A in practice.

Frequently asked questions

What happened to the 114 controls in the 2013 edition?

The 2022 revision consolidated and reorganized the 114 controls into 93. Some controls were merged where they addressed overlapping concerns, some were split for clarity, and 11 brand-new controls were added to address threats that did not exist at scale in 2013, such as cloud services, threat intelligence, and secure coding.

Is the transition from ISO/IEC 27001:2013 still open?

No. The transition deadline was 31 October 2025 and has now passed. Certificates issued against the 2013 edition are no longer valid. Organizations must be certified against the 2022 edition.

Are the five control attributes mandatory?

No. The five control attributes (control type, information security properties, cybersecurity concepts, operational capabilities, and security domains) are provided in ISO/IEC 27002:2022 as an optional tagging framework. Organizations can use them to filter and analyse controls, but they are not a certification requirement.

Which of the 11 new controls is most commonly flagged in audits?

A.5.23 (information security for use of cloud services) and A.8.9 (configuration management) are frequently highlighted by practitioners because they cover risks that have grown substantially since 2013. A.5.7 (threat intelligence) is also increasingly examined as a leading indicator of an organization's security maturity.
