Do you know that data is one of the most valuable assets an organisation owns, and also the easiest to lose? A simple mistake, such as a weak password, a phishing email, or an unsecured device, can expose this information within minutes. Many believe that installing antivirus software or a firewall is enough to tackle such situations.
In reality, most security failures happen because there is no structured process for managing risks and security practices. This is where ISO 27001:2022 becomes important. In this blog, we will explore what ISO 27001:2022 is, its clauses and requirements, and how the updated controls guide compliance and Risk Management in modern organisations. Let's dive in!
What is ISO 27001:2022?
ISO 27001:2022 is the latest version of the international standard for Information Security Management Systems (ISMS). It provides a structured, risk-based framework to help organisations protect their information, manage security risks, and keep data confidential and accurate.
The 2022 update of the ISO 27001 standard replaces ISO 27001:2013 and reflects modern security challenges such as cloud security, remote work, and emerging cyber threats. Instead of blindly applying security controls, organisations first identify risks and then implement security controls relevant to the business needs.
Key Control Updates From ISO 27001:2013 to ISO 27001:2022
The 2022 revision of ISO 27001 did not change the main purpose of the standard, but it modernised how organisations apply security controls. The updated version aligns Information Security with the current digital environment rather than traditional office infrastructure.
One of the biggest updates is the restructuring of Annex A controls. ISO 27001:2013 included 114 controls grouped into 14 domains. The latest version, ISO 27001:2022, now contains 93 controls organised into four clear categories. Below is a detailed overview of the changes:

New Control Structure
The controls are now arranged into four logical groups:
1) Organisational Controls:
These 37 controls focus on governance and management responsibilities. They cover policies, supplier relationships, asset management, information classification, and incident management. The idea is to ensure security is guided by management processes rather than only IT actions.
2) People Controls:
These eight controls address human behaviour and employee responsibilities. They include awareness training, disciplinary processes, and responsibilities during hiring and termination. Many data breaches happen due to human error, so this section emphasises employee awareness and accountability.
3) Physical Controls:
These 14 controls protect buildings, equipment, and facilities. Examples include secure office areas, visitor control, equipment protection, and safe disposal of devices. Even in a digital age, physical security remains important because attackers can access data through stolen laptops or hardware.
4) Technological Controls:
These 34 controls deal with technical protection measures such as access control, encryption, logging, backups, malware protection, and network security. This section directly supports IT teams in implementing practical safeguards.
Newly Introduced Controls
ISO 27001:2022 introduces 11 new controls to address modern cybersecurity risks. Some important additions include:
1) Threat Intelligence: Organisations monitor and review emerging cyber threats and vulnerabilities so they can respond early.
2) Information Security for Cloud Services: Defines responsibilities when using cloud providers and managing shared security roles.
3) Information and Communication Technology (ICT) Readiness for Business Continuity: Ensures IT systems can continue operating or recover quickly during disruptions or cyber incidents.
4) Physical Security Monitoring: Use of surveillance and monitoring to detect unauthorised physical access to facilities and equipment.
5) Configuration Management: Maintaining secure configurations of systems, applications, and network devices.
6) Information Deletion: Secure and permanent removal of data when it is no longer required.
7) Data Masking: Protecting sensitive data by hiding or obfuscating it during testing or processing.
8) Data Leakage Prevention: Measures to detect and stop unauthorised transfer or exposure of sensitive information.
9) Monitoring Activities: Improved logging and continuous monitoring to detect suspicious behaviour.
10) Web Filtering: Restricting access to malicious or inappropriate websites.
11) Secure Coding: Developing software using secure development practices to prevent vulnerabilities.
The revised ISO 27001:2022 controls shift ISO 27001 from a documentation-heavy standard to a practical, risk-based Security Management system. Overall, the 2022 update improves clarity, reduces duplication, and better addresses current cyber threats.
ISO 27001 Clauses and Audit Requirements
The ISO 27001 standard is classified into ten clauses. However, only clauses 4 to 10 contain auditable requirements. Clauses 0 to 3 are introductory and provide context such as scope, terminology, and references. Let's check what each clause deals with:

Clauses 0-3: An Introduction to ISO 27001:2022
The first three clauses explain how the standard should be used, focusing on the purpose, scope, and terminology of the standard. Although these clauses are not audited, they help organisations understand the framework correctly.
They also clarify that ISO 27001:2022 follows a risk-based approach and is suitable for organisations of any size or industry. In addition, they define key references and concepts used throughout the remaining clauses of the standard.
Clause 4: Organisation Control
Clause 4 requires a company to understand its business environment before implementing security practices. This means identifying stakeholders, legal obligations, business processes, and dependencies.
Organisations should also define the scope of their ISMS. The scope may include the entire organisation or only a specific department such as IT operations or cloud services.
Clause 5: Leadership
Clause 5 focuses on management responsibility. Information Security cannot be handled only by the IT team. Thus, senior leadership is required to actively support and guide security activities across the organisation.
Leadership responsibilities include establishing an Information Security policy, assigning roles, and ensuring resources are available. They also need to communicate the importance of security to employees.
Clause 6: Planning
Clause 6 is the core of ISO 27001 because it deals with Risk Management. Organisations have to identify threats, analyse their impact, and decide how to manage them. The outcome of this is a risk assessment and a risk treatment plan.
The organisation also needs to define security objectives. These objectives should be measurable and aligned with business requirements. They must also be regularly reviewed and updated as risks or business activities change.
Clause 7: Support
Clause 7 focuses on resources and operational readiness. It requires organisations to provide training, awareness programmes, and competence management. Employees should understand how their actions affect information security.
This clause also requires proper documentation. Policies, procedures, and records must be maintained as evidence. It ensures that resources, communication, and documentation are available to operate and maintain the ISMS effectively.
Clause 8: Operation
Clause 8 covers the implementation of risk treatment plans. In other words, this is where organisations apply security controls and operate the ISMS in real life. These may include access control, encryption, backups, supplier management, and incident handling.
The clause also requires change management. Whenever systems change, organisations must check the security impact. This makes sure new technologies or updates do not introduce vulnerabilities.
Clause 9: Performance Evaluation
Clause 9 ensures organisations measure whether their ISMS works. This can be done through internal audits, monitoring security performance, and conducting management reviews. This prevents organisations from assuming their security is effective without evidence.
Metrics often include incident frequency, vulnerability closure times, or audit findings. Necessary actions are then taken to improve security performance where gaps are identified.
Clause 10: Improvement
Clause 10 focuses on continual improvement. Organisations need to rectify the problems and prevent them from happening again. When an incident occurs, they analyse the root cause and improve controls.
Security threats constantly evolve, so organisations must continually improve their protection measures. This can often be done through the Plan-Do-Check-Act (PDCA) cycle, which helps organisations review, update, and strengthen their Information Security processes regularly.
How ISO 27001:2022 Clauses Guide Organisational Risk Management
ISO 27001:2022 is designed around Risk Management rather than simple compliance. The clauses help organisations identify possible threats, apply suitable controls, and regularly improve their security practices. Instead of reacting after an incident, organisations learn to manage risks in a structured manner before they cause damage.
Clause 4 identifies business context, Clause 5 establishes leadership responsibilities, Clause 6 evaluates risks, Clause 7 provides resources and support, Clause 8 implements controls, and Clause 9 measures effectiveness. Finally, Clause 10 improves the system. This sequence essentially forms a security lifecycle.
How Have the ISO 27001:2022 Updates Rewritten the Compliance Equation?
The ISO 27001:2022 revision significantly changed how organisations approach compliance. The updated version shifts the focus from paperwork to actual security effectiveness. Organisations are now expected to show how their controls work in practice rather than merely documenting them.
Here is how the changes play out:
1) Shift From Documentation to Real Security: Shifts compliance from a checklist and documentation exercise to demonstrating real security effectiveness.
2) Controls Aligned With Modern Threats: Updates controls to address cloud usage, remote work, and current cyberattack methods.
3) Greater Leadership Accountability: Requires active involvement of senior management in security decisions and responsibilities.
4) Continuous Monitoring and Improvement: Emphasises ongoing audits, monitoring, and corrective actions instead of one-time compliance.
5) Better Integration With Other Standards: Aligns with other ISO Management Systems to simplify governance and reduce duplication.
6) From Reactive to Proactive Compliance: Encourages organisations to prevent risks rather than respond after incidents occur.
Conclusion
ISO 27001:2022 has evolved into a modern and practical framework for managing Information Security in organisations. It emphasises risk-based thinking, leadership involvement, and continuous improvement across the business. A strong understanding of ISO 27001:2022 helps you protect sensitive data more effectively and respond to incidents in a structured manner. It also helps strengthen trust with customers, partners, and regulators while supporting long-term business reliability.
