
ISO 27001:2022 explained: requirements, key changes and implementation strategies
ISO 27001:2022 is one of the most widely recognised international standards for information security. Discover how to implement the framework effectively in your organisation.
Contents
- What is ISO 27001?
- Benefits
- Changes 2013 vs. 2022
- Requirements
- Audit & Compliance
- Implementation & Certification
Key takeaways: ISO 27001:2022
- ISO 27001:2022 is the internationally recognised standard for managing information security risks within a structured ISMS
- The 2022 revision streamlined Annex A from 114 to 93 controls, regrouped them into four themes and added 11 new controls, making ownership easier to assign
- Organisations pursuing certification must meet defined ISO 27001 requirements across governance, risk management and continuous improvement
- Regular ISO 27001 audits – both internal and external – are essential for maintaining compliance and finding gaps before an external assessor or an attacker does
- Effective ISO 27001:2022 implementation includes ongoing staff awareness training – SoSafe’s cybersecurity awareness training helps organisations meet this requirement systematically
What is ISO 27001?
ISO 27001 turns information security into a management discipline. Instead of leaving security to tools, policies and ad hoc decisions, the standard requires an information security management system, or ISMS. In practical terms, this means knowing which risks matter, who owns them and how the chosen controls are checked. The purpose is to preserve the confidentiality, integrity and availability of information, with enough evidence to show that the system works.
The latest version is ISO/IEC 27001:2022. Many people use ISO 27001 as shorthand, especially in day-to-day security work. For certification projects, tender documents and comparisons with other standards, the full designation is usually the better choice. The IEC part refers to the International Electrotechnical Commission, which publishes the standard together with ISO. In the UK, the same standard may also appear as BS ISO/IEC 27001.
For CISOs and IT leaders, ISO 27001 matters because it moves security decisions closer to the business. Scope, risk treatment, management review and audit evidence are not side topics for IT. They are part of how the organisation proves that information security is being managed. That makes the ISO 27001 framework especially useful when certification is planned and external assessors need to see a clear trail from risk to control.
ISO 27001 benefits: what the 2022 version changes
The ISO 27001 benefits in the 2022 version are not limited to certification. For security leaders, ISO 27001:2022 is easier to connect with day-to-day risk work, board reporting and supplier expectations.
- A smaller control set makes the ISMS easier to manage in practice, especially for teams that need clear ownership rather than more paperwork
- The risk-based approach helps security teams put time and budget where exposure is highest
- ISO/IEC 27001:2022 links security objectives more closely to business goals and stakeholder expectations
- Security becomes part of existing business processes, which helps teams assess NIS2 readiness and understand who is affected
ISO 27001:2022 changes compared with the 2013 version
One of the most visible ISO 27001:2022 changes is right in the title. The 2013 standard still referred to “information technology”. The 2022 version uses “information security, cybersecurity and privacy protection”, which is closer to the reality security teams deal with today.
The difference between ISO 27001 version 2013 and 2022 is not only wording. The update gives more weight to governance, risk ownership and the way security is reviewed across the organisation. For CISOs and IT leaders, that matters because the ISMS has to work between audits, not only when an assessor is due.
Focus on the Controls
The biggest operational change is ISO 27001:2022 Annex A. The old control structure was cut down and regrouped, making ownership easier to assign.
- The number of controls was reduced from 114 to 93 (controls were merged and updated, and 11 are new, for example threat intelligence, configuration management and data leakage prevention)
- The previous 14 domains were replaced by four themes:
  - Organisational
  - People
  - Physical
  - Technological
The “People” theme is especially relevant from a human risk perspective. Technical controls remain essential, but they cannot cover every decision employees make during the working day. Human Risk Management supports Control 6.3 by helping teams deliver awareness training, track progress and collect audit-relevant evidence more easily.
ISO 27001 requirements: what organisations need to cover
The ISO 27001 requirements are not limited to Annex A controls. ISO 27001:2022 also looks at how the ISMS is run in practice. Clauses 4 to 10 cover the management side: context and scope (clause 4), leadership and policy (5), planning, including risk assessment and risk treatment (6), support such as resources, competence, awareness and documented information (7), operation (8), performance evaluation through monitoring, internal audit and management review (9) and improvement (10). Annex A controls enter the picture through the risk treatment process in clause 6.1.3, which requires a Statement of Applicability listing the controls selected and the justification for each inclusion and exclusion.
ISO 27001 audit and compliance
An ISO 27001 audit brings the ISMS out of the policy folder. Under ISO 27001:2022, organisations need evidence from daily security work, not only documents prepared for certification. Internal checks, management reviews and training records help show whether the system is actually being used.
Audits as a reality check
External audits matter, but they should not be the first time gaps appear. Internal audits give security teams a chance to test the ISMS earlier and deal with weak points before an external assessor reviews the system.
Attendance records are not enough for awareness and training. Auditors will want evidence of competence (clause 7.2) and awareness (clause 7.3), which means understanding whether people know the risks in their role and can act on them. Cybersecurity awareness training helps here by showing where policy knowledge turns into behaviour and where extra support is still needed.
Supporting ISO 27001 compliance
ISO 27001 compliance depends on technical controls, but not on those alone. People still make decisions every day that can lower or increase risk. Management reviews under clause 9.3 bring those behaviour signals together with audit findings and resource decisions. Human Risk Management gives security teams a clearer view of what is changing in practice. Training progress, reporting behaviour and risk patterns can support audit discussions and keep compliance work closer to real employee behaviour.
ISO 27001 implementation: from control set to certification
A good ISO 27001:2022 implementation starts with scope, ownership and risk. ISO 27001:2022 can look complex at first, but the work becomes easier to manage when it is broken down into a few clear steps.
- Define the scope: decide which parts of the organisation the ISMS will cover. A scope that is too broad too early can make the project harder than it needs to be.
- Secure leadership commitment: senior management needs to provide resources, approve the security policy and stay involved. Without leadership support, the ISMS will struggle to move beyond documentation.
- Assess the risks: identify the assets, threats and business areas that carry the most risk, and record each risk with an owner and a treatment decision. A data-driven Human Risk Management platform can help highlight teams or behaviours that need closer attention.
- Select the right controls: choose the relevant controls from Annex A and document the decision in the Statement of Applicability, including a justification for every control that is excluded. Some organisations also use CIS Controls or the COBIT framework to sharpen the link between IT governance and operational risk.
- Build awareness and competence: train employees so they understand their role in protecting information. Alongside technical training, cybersecurity awareness training and targeted communication help build a Human Firewall in daily work.
- Run an internal audit: use independent internal auditors to check whether the chosen measures are working. This gives teams time to fix weak points before the certification audit.
- Complete the certification audit: the final step is a two-stage audit by an accredited certification body. Stage 1 reviews the ISMS documentation and readiness; Stage 2 checks whether the documented processes work in practice. Certification is then maintained through periodic surveillance audits and a recertification audit at the end of the three-year cycle.
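The trail from risk to control that the steps above describe (assess risks, decide which to treat, select Annex A controls, record them in the Statement of Applicability with owners and evidence, then check it in an internal audit) can be modelled in a short script. The following Python is an added example, not code from this article, from SoSafe or from ISO. The five-point likelihood and impact scales, the risk-appetite threshold of 6, the sample risks, owners and evidence records are constructed assumptions for illustration; the Annex A numbers are the real ISO/IEC 27001:2022 identifiers with abbreviated titles, and only a handful of the 93 controls are included.

```python
"""Toy ISO 27001 risk register -> treatment decision -> Statement of Applicability.

Added example (not from the article, SoSafe or ISO). Annex A numbers are the
real 2022 identifiers; titles are abbreviated. The scoring scales, the
risk-appetite threshold and all sample data are assumptions for illustration.
"""
from dataclasses import dataclass

LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
RISK_APPETITE = 6  # assumed: likelihood x impact above this must be treated

# Subset of ISO/IEC 27001:2022 Annex A (abbreviated titles). A real SoA lists all 93.
ANNEX_A = {
    "5.7": "Threat intelligence",
    "6.3": "Information security awareness, education and training",
    "7.4": "Physical security monitoring",
    "8.5": "Secure authentication",
    "8.8": "Management of technical vulnerabilities",
    "8.15": "Logging",
}


@dataclass(frozen=True)
class Risk:
    rid: str
    asset: str
    threat: str
    owner: str        # risk owner (clause 6.1.2 asks for one)
    likelihood: str
    impact: str
    controls: tuple   # Annex A controls proposed to treat this risk

    def score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def treatment(self) -> str:
        return "treat" if self.score() > RISK_APPETITE else "accept"


@dataclass(frozen=True)
class SoAEntry:
    control: str
    applicable: bool
    justification: str
    owner: str
    evidence: tuple


def build_soa(risks, owners, evidence):
    """Map every Annex A control in the subset to an SoA entry.

    A control is applicable when at least one risk above appetite relies on it;
    the justification cites those risk IDs so an assessor can follow the trail
    from risk to control. Controls nobody relies on are still listed, with the
    reason for exclusion, because the SoA must account for every control.
    """
    needed = {}
    for r in risks:
        if r.treatment() == "treat":
            for c in r.controls:
                needed.setdefault(c, []).append(r.rid)
    entries = []
    for c in sorted(ANNEX_A, key=lambda k: tuple(int(p) for p in k.split("."))):
        if c in needed:
            entries.append(SoAEntry(c, True, "Treats " + ", ".join(needed[c]),
                                    owners.get(c, ""), tuple(evidence.get(c, ()))))
        else:
            accepted = [r.rid for r in risks if c in r.controls]
            why = ("Related risks accepted within appetite: " + ", ".join(accepted)
                   if accepted else "No identified risk requires this control")
            entries.append(SoAEntry(c, False, why, "", ()))
    return entries


def audit_gaps(soa):
    """What an internal audit flags: applicable controls with no owner or no evidence."""
    gaps = []
    for e in soa:
        if not e.applicable:
            continue
        if not e.owner:
            gaps.append(f"{e.control}: no control owner assigned")
        if not e.evidence:
            gaps.append(f"{e.control}: no evidence of operation recorded")
    return gaps


# Constructed sample register (hypothetical data, not from any real organisation)
RISKS = (
    Risk("R1", "Workforce accounts", "Credential theft via phishing", "CISO",
         "likely", "major", ("6.3", "8.5")),
    Risk("R2", "Customer web application", "Exploitation of an unpatched component",
         "Head of IT", "possible", "major", ("8.8", "8.15")),
    Risk("R3", "Head office", "Tailgating into staff areas", "Facilities",
         "unlikely", "minor", ("7.4",)),
)
OWNERS = {"6.3": "Security awareness lead", "8.5": "Identity team", "8.15": "SecOps"}
EVIDENCE = {
    "6.3": ("Q1 training completion report", "phishing simulation results"),
    "8.5": ("MFA enforced for all SSO applications (IdP export)",),
    "8.15": ("log retention configuration",),
}


def run():
    """Build the SoA for the sample register and return it with the audit findings."""
    soa = build_soa(RISKS, OWNERS, EVIDENCE)
    return soa, audit_gaps(soa)


if __name__ == "__main__":
    soa, gaps = run()
    for e in soa:
        state = "applicable" if e.applicable else "excluded"
        print(f"{e.control:5} {state:10} {e.justification}")
    print("Audit gaps:", gaps)
```

Running it lists 6.3, 8.5, 8.8 and 8.15 as applicable, excludes 7.4 with the accepted risk R3 as justification, excludes 5.7 because nothing in the register maps to it (an exclusion an assessor would question), and reports that 8.8 has neither an owner nor evidence of operation. That last finding is the kind of gap an internal audit should surface before the certification body does.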
The table below shows how an ISO 27001:2022 control set can be scaled for different company sizes, including practical guidance for smaller organisations.
| Implementation step | Small companies | Mid-sized organisations | Enterprise |
|---|---|---|---|
| Scope and planning | Keep the first scope narrow. A single product, process or team is often easier to certify than the whole business | Name the project owners early and involve the departments that will have to provide evidence | Start with a pilot site or business unit before rolling the ISMS out across regions |
| Risk management | Use a simple matrix and focus on the risks people can actually act on | Bring risk data into one place, especially where ownership sits across several teams | Link ISMS risks to the wider enterprise risk process, so security is not managed in isolation |
| Resources and training | Choose training that can run with little manual administration | Use Security Champions to keep awareness visible inside the teams | Build role-based training for groups with different access levels, duties and risk exposure |
| Documentation | Keep policies short enough to be used. A lean document that guides behaviour is better than a manual nobody reads | Use a document management system to manage versions, approvals and owners | Automate policy distribution and acknowledgement tracking through GRC tooling |
Certification against the ISO 27001 framework can reassure customers, partners and auditors that information security is managed properly. But the day-to-day work still depends on people. They decide how quickly incidents are reported, whether policies are followed and where risky habits appear. A good ISO 27001:2022 implementation deals with that human layer from the start.
Note: This article provides general information and does not replace legal advice. Requirements may differ depending on your organisation, scope, sector and location. For guidance on ISO 27001:2022, certification or local obligations, speak to a qualified legal adviser or certification specialist.