ISO 27001:2022 introduced 11 new controls that didn't exist in the 2013 standard. If your ISMS was certified under the prior version, a transition audit is required — and audit firms are failing organizations that treat the new controls as administrative checkboxes.
The Four New Themes and What They Signal
The 2022 revision reorganized controls around four themes: Organizational (37 controls), People (8 controls), Physical (14 controls), and Technological (34 controls).
Transition Deadline
Organizations certified under ISO 27001:2013 must complete the transition to the 2022 standard by October 31, 2025. Certificates issued under the 2013 standard are no longer valid after that date.
The 11 New Controls: Where Organizations Are Failing
Control 5.7 (Threat Intelligence) and 5.23 (Information Security for Use of Cloud Services) are the two most commonly missing in transition audits.