icon Book Free Consultation

How the New ISO 27001:2022 Controls Can Help Your Business

  • Published On: August 10, 2023 Updated On: September 26, 2023


ISO 27001, the International standard for information security, has been updated to ISO 270012022 after 9 years. The new controls in ISO 27001:2022 aid in identifying risks and devising mitigation plans, ensuring data security, gaining customer trust, and maintaining organizational reputation and growth. Updating to the new ISO standard is crucial for business growth. Let's explore the benefits organizations can gain from the ISO 27001:2022 update and summarise the key differences between the old and new versions.

Old vs. New

Here is a summary of the changes that happened in ISO 27001:2022.

  • Minor revisions have occurred in clauses 4 to 10, with notable changes in sections 4.2- Themes and attributes., 6.2-Terms and conditions of employment, 6.3-Information security awareness, education and training, and 8.3-Information access restriction. New content has been introduced in these areas.
  • A total of 11 new controls have been incorporated into Annex A of ISO 27001:2022, while no pre-existing controls have been removed.
  • The overall count of controls has been reduced from 114 to 93 in the new ISO 27001
  • Modifications encompassed the merging of certain controls, as well as the division of others, all aimed at diminishing the total count.


ISO 27001:2013

ISO 27001:2022

Threat intelligence

Not explicitly defined

Collecting and analysing information about the threats to your organization

Cloud Security

Not explicitly defined

Securing your cloud-based applications and data

Business continuity

Defined as a process

Protecting your organization against disruptions to its IT systems

Data leakage prevention

Not explicitly defined

Preventing the unauthorized disclosure of sensitive data

Information security for use of cloud services

New control

Addressing the specific security risk associated with the use of cloud

ICT readiness for business continuity

New control

Ensuring your IT systems are ready to support your business continuity plan

Physical security monitoring

New control

Monitoring physical security measures to detect and prevent unauthorized access

Configuration management

Revised control

Ensuring that your IT systems are properly configured to meet your security requirements

Information deletion

Revised control

Deleting sensitive data in a secure manner

Data masking

Revised control

Protecting sensitive data by masking it with non-sensitive data


Steps to be followed in ISO 27001:2022 implementation

The implementation process consists of six steps for an organization to establish a robust ISMS:

Step 1 - Leadership commitment and establishing ISMS
Step 2 - Conduct risk assessment
Step 3 - Develop information security policies and procedures
Step 4 - Manage the identified risk
Step 5 - Select controls to be implemented
Step 6 - Implement controls

Leadership commitment and establishing ISMS

To establish a robust Information Security Management System (ISMS), the first step involves gaining support from top management and designated personnel. Their commitment is crucial for the successful implementation of the ISMS. During this step, the scope and objectives of the ISMS are defined, with consideration for specific business units and departments. This process also aids in identifying the information assets that need protection as well as assessing potential threats and risks that the organization may face. By involving top management and key personnel from the beginning, the organization sets the foundation for a comprehensive and effective ISMS that ensures the security of its valuable information assets and supports its overall business objectives.

Conduct risk assessment

During the second phase of the ISMS establishment, a thorough risk assessment is carried out to evaluate and identify potential risks, information assets, and vulnerabilities. Subsequently, a well-defined and documented risk assessment methodology is established. This allows for the automated determination of tolerable and intolerable risks, enabling the organization to develop effective mitigation plans to address the identified vulnerabilities.

Develop information security policies and procedures

After conducting the risk assessment, the next step is to develop information security policies and procedures aligned with ISO 27001 requirements. These policies and controls ensure effective Information Security and protect the organization's assets from potential risks

Implement controls and measures

The fourth step involves putting the defined policies and procedures into action by deploying specific controls. These controls encompass physical, technical, and organizational safeguards aimed at protecting information assets and mitigating identified risks. This proactive approach ensures the effective implementation of Information Security measures throughout the organization.

Monitor and Measure

During this step, continuous monitoring takes place, where the performance of implemented controls is regularly assessed. This is achieved through internal audits and incident reviews, which help measure compliance with established policies and identify areas that require improvement. This ongoing monitoring and evaluation process ensures that the Information Security measures remain effective and up-to-date, enhancing the organization's ability to respond to emerging threats and maintain a strong security posture.

Management Review and continuous improvement

In the last step, the organisation regularly reviews ISMS performance with top management to ensure effectiveness. This involves assessing compliance, identifying improvements, and aligning with changing business needs and emerging threats. Continuous improvement maintains robust Information Security capabilities.

Benefits of new control implementation

Implementing the new controls introduced in ISO 27001:2022 significantly enhances data security measures for businesses. By addressing potential vulnerabilities and effectively mitigating risks, organizations can safeguard their sensitive information, prevent unauthorized access, and protect against data breaches. This proactive approach not only helps maintain the organization's reputation but also instills confidence in clients and customers. As a result, businesses can attract more clients and build stronger relationships, ultimately fostering growth and success in the market. Some examples are listed below:

Regulatory compliance: ISO 27001 controls play a vital role in helping businesses align with industry-specific regulations and data protection laws. By adhering to these requirements, organizations can prevent legal and financial penalties while also showcasing their dedication to protecting data privacy. This commitment fosters trust among clients and stakeholders, strengthening the organization's reputation and credibility in the market.

Improve risk management: The new control implementation can facilitate a systematic approach to risk management. By identifying, assessing, and mitigating information security risks, businesses can reduce financial risks and reputational damage.

Increased employee awareness: Implementation of ISO 27001's new controls also includes providing employees with training. Thorough training will be given to employees on how to foster a culture of security throughout the organization to prevent human errors to protect the inside threats.


ISO 27001:2022 certification is crucial for establishing data security and safeguarding an organization's reputation, which in turn fosters client trust and facilitates organizational growth. At Briskinfosec, we possess a deep understanding of real-time ISO 27001 controls, which sets us apart from others. To showcase our distinct approach, we provide our clients with Free Gap Assessments, tailoring the implementation process of ISO 27001 new controls based on the unique needs of each organization. Our dedicated support and guidance throughout the implementation journey ensure robust Information Security protection for your organization.