What are the ISO 27001:2022 controls?
BlogISO 27001
January 16, 2025

What are the ISO 27001:2022 controls?

Written by
Danielle Mason, Compliance Analyst, BD Emerson
Reviewed by
No items found.

Accelerating security solutions for small businesses 

Tagore offers strategic services to small businesses. 

A partnership that can scale 

Tagore prioritized finding a managed compliance partner with an established product, dedicated support team, and rapid release rate.

Standing out from competitors

Tagore's partnership with Vanta enhances its strategic focus and deepens client value, creating differentiation in a competitive market.

ISO published the ISO 27001 standard to outline an information security management system (ISMS) in 2005. Since then, significant revisions have taken place in 2013 and 2022 to better reflect the evolving climate of cybersecurity threats and technologies. This article lays out the most current control requirements as established in ISO 27001:2022

This article will explain how the 2022 version of ISO has evolved from its 2013 predecessor and the current controls that your organization can implement to become ISO 27001 compliant.

What are the current ISO 27001 controls?

ISO 27001 controls form the backbone of the ISMS. They are designed to address risks to information security and ensure that critical data remains confidential, available, and integral. The controls are divided into four categories, or themes, under Annex A: organizational, people, physical, and technological measures.

Annex A in the ISO 27001:2013 standard included 114 controls across 14 domains, including access control, cryptography, and incident management. The 2022 update reorganized and modernized these controls to align with cybersecurity challenges. Instead of 14 domains, the updated controls are grouped into four broader themes:

  1. People: Addressing human factors in security, such as training and awareness
  2. Organizational: Governance, risk management, and compliance practices
  3. Physical: Protection of physical assets and locations
  4. Technological: Safeguarding IT systems and infrastructure

The update aimed to simplify implementation and improve clarity as new threats emerge. 

{{cta_withimage2="/cta-blocks"}} 

Key differences between ISO 27001:2022 and ISO 27001:2013

The shift from ISO 27001:2013 to ISO 27001:2022 introduced several notable changes:

#1 Reduction and consolidation of controls

The number of controls has decreased from 114 to 93, with several consolidated to eliminate redundancy. For example, cryptographic policies and key management controls are now grouped under a single, streamlined control.

#2 Introduction of "attributes" for enhanced context

The 2022 version introduces five attributes to help organizations understand the purpose and application of each control:some text

  1. Cybersecurity concepts
  2. Information security properties
  3. Operational capabilities
  4. Security domains
  5. Control types (preventive, detective, corrective)

These attributes allow for a more flexible and tailored approach to implementing controls based on organizational needs.

#3 New controls to address emerging threats

Fourteen new controls have been added, reflecting advancements in technology and the rise of threats like ransomware and supply chain attacks. Some of these include:some text

  • Threat intelligence: Requires organizations to collect and analyze information relating to information security threats
  • Data leakage prevention: Companies must implement technical measures that detect and prevent the disclosure and/or extraction of information
  • Information security for use of cloud security services: Requires organizations to specify and manage information security for the use of cloud services
  • Configuration management: Policies must be established to manage how an organization documents, implements, monitors, and reviews the use of configurations across its entire network
  • Data masking: This control is fulfilled by providing data masking techniques for personal identifiable information (PII) to comply with laws and regulations

These changes provide a more holistic and modern approach to information security, helping organizations address risks more effectively with the rise of remote work and ever-evolving cybersecurity threats.

Implementing 27001 controls with Vanta

Implementing ISO 27001 controls can seem daunting, but Vanta’s automated compliance platform helps organizations map existing controls to the updated standard, identify gaps, and implement changes seamlessly.

Vanta’s progress tracking and views of tests and controls overlap with complementary standards like SOC 2 and GDPR, which get you closer to multi-standard compliance for a fraction of the effort.

The platform’s control mapping feature simplifies understanding how your current ISMS aligns with the 2022 framework, saving time and reducing complexity. Additionally, the platform’s continuous monitoring capability ensures that new controls like cloud service security are actively maintained, reducing the risk of non-compliance.

Want to learn more about how to implement ISO 27001 controls effectively? Discover how BD Emerson’s information security experts can help your organization get ISO 27001 audit-ready. Schedule a consultation today! 

{{cta_simple2="/cta-blocks"}}

Access Review Stage Content / Functionality
Across all stages
  • Easily create and save a new access review at a point in time
  • View detailed audit evidence of historical access reviews
Setup access review procedures
  • Define a global access review procedure that stakeholders can follow, ensuring consistency and mitigation of human error in reviews
  • Set your access review frequency (monthly, quarterly, etc.) and working period/deadlines
Consolidate account access data from systems
  • Integrate systems using dozens of pre-built integrations, or “connectors”. System account and HRIS data is pulled into Vanta.
  • Upcoming integrations include Zoom and Intercom (account access), and Personio (HRIS)
  • Upload access files from non-integrated systems
  • View and select systems in-scope for the review
Review, approve, and deny user access
  • Select the appropriate systems reviewer and due date
  • Get automatic notifications and reminders to systems reviewer of deadlines
  • Automatic flagging of “risky” employee accounts that have been terminated or switched departments
  • Intuitive interface to see all accounts with access, account accept/deny buttons, and notes section
  • Track progress of individual systems access reviews and see accounts that need to be removed or have access modified
  • Bulk sort, filter, and alter accounts based on account roles and employee title
Assign remediation tasks to system owners
  • Built-in remediation workflow for reviewers to request access changes and for admin to view and manage requests
  • Optional task tracker integration to create tickets for any access changes and provide visibility to the status of tickets and remediation
Verify changes to access
  • Focused view of accounts flagged for access changes for easy tracking and management
  • Automated evidence of remediation completion displayed for integrated systems
  • Manual evidence of remediation can be uploaded for non-integrated systems
Report and re-evaluate results
  • Auditor can log into Vanta to see history of all completed access reviews
  • Internals can see status of reviews in progress and also historical review detail
Logo of incident.io
Incident.io
Logo of Lumos
Lumos
Icepanel logo on a white background.
IcePanel
Epsilon Logo
Epsilon3
The logo for supabase.
Supabase
EasyLLama Logo
EasyLlama
Qualifi Logo
Qualifi
Logo of toku
Toku
FEATURED VANTA RESOURCE

The ultimate guide to scaling your compliance program

Learn how to scale, manage, and optimize alongside your business goals.

DOWNLOAD FOR FREE

Table of contents

No titles!

Share this article

Share this article

Related Resources

Compliance
Events

Building Trust in the AI Boom: Security, Capital, and Credibility from Day One

Join the CFOs of Vanta and Mercury for a tactical conversation on how early-stage teams can build trust with investors and buyers, without slowing down.

Compliance
Events

How to Automate ISO 27001 & SOC 2 Compliance

Curious about why compliance is so important, which businesses need it, and how Vanta's automation can help you quickly achieve it? Join Vanta’s 45-minute live product demo. Two of our team members will walk you through the platform and answer your questions in real time.

SOC 2
Events

Vanta in Action: SOC 2 & ISO 27001 Compliance Automation

Demonstrating security compliance with a framework like SOC 2, ISO 27001, HIPAA, etc. is not only essential for scaling your business and raising capital, it also builds an important foundation of trust.

SOC 2
Events

Product Demo: Automating Compliance for SOC 2, ISO 27001, HIPAA, and More

Learn how Vanta’s automation tools can help you streamline compliance, continuously monitor security controls, and scale your risk management program with ease.

Related Resources

ISO 27001
Blog
How SaaS companies can achieve ISO 27001 certification

Get a practical guide for efficient ISO 27001 certification for SaaS companies. Discover potential compliance challenges and the tools that can support you.

ISO 27001
Blog
ISO 27001 for healthcare companies: Benefits and implementation steps

Discover the specifics of ISO 27001 for healthcare organizations. See why you should adopt it and how to do it without wasting time and resources.

ISO 27001
Events
Live Demo: Automating Compliance for ISO 27001, CPS234, and More

Discover how automation can transform your compliance efforts into a streamlined, efficient process. Join the live demo on May 14th to see it in action and get your compliance questions answered.

ISO 27001
Events
Live Demo: Simplify ISO 27001 and SOC 2 compliance with Vanta

See how Vanta automates up to 90% of your ISO 27001 and SOC 2 compliance work, saving you time and reducing manual effort.

ISO 27001
Events
Live Demo: Automate ISO 27001 and SOC 2 compliance with Vanta

See how Vanta simplifies compliance, accelerates workflows, and helps you prove your commitment to security—no matter where you are in your GRC journey.

ISO 27001
Blog
The 4 categories of ISO 27001 controls

Explore the four categories of ISO 27001 controls—organizational, people, physical, and technological.

ISO 27001
Blog
6 key steps to ISO 42001 certification explained

Discover how to meet the standard’s requirements efficiently.

ISO 27001
Events
Live Demo: How to streamline ISO 27001 and SOC 2 compliance with automation

Watch Vanta’s 45-minute demo to see how our platform automates up to 90% of the work for achieving ISO 27001 and SOC 2 compliance, helping you streamline security and move towards continuous compliance.

ISO 27001
Events
ISO 27001 vs SOC 2: Which standard is right for my startup?

Attaining security standards such as ISO 27001 or SOC 2 can help boost your business, but for technology startups, security compliance is often lower on the list of company priorities.

ISO 27001
Events
ISO 27001 vs. SOC 2: Which standard is right for my business?

Complying with security standards such as ISO 27001 or SOC 2 can help boost your business, but for technology startups, security compliance is often lower on the list of company priorities.

ISO 27001
Events
ISO 27001 Compliance for SaaS

On 10 October at 2 PM BST, join the Ask Me (Almost) Anything with Herman Errico and Kim Elias, compliance experts at Vanta. They’ll answer (almost) all your questions about ISO 27001 compliance.

Iso 27001 compliance checklist.
ISO 27001
Blog
The ISO 27001 Compliance Checklist

ISO 27001 is the global gold standard for ensuring the security of information and its supporting assets. Obtaining ISO 27001 certification can help an organization prove its security practices to potential customers anywhere in the world.

Get compliant and build trust—fast

Request a demo
G2 Badge 2025 - Best Software | Top 50 Governance, Risk, & Compliance ProductsG2 Badge 2025 - Best Software | Top 50 Security ProductsG2 Badge 2025 - Best Software | Top 100 Best Software Products