Don’t leave it to the last minute to migrate to ISO 27001:2022!

ISO 27001 remains a vital asset for any organisation looking to demonstrate compliance while evidencing an entrenched culture of security, writes Cyber Compliance Technician Aidan Collins.

The internationally recognised standard for Information Security Management Systems (ISMS) offers robust protection against cyber threats through its controls and fosters a culture of security.

Most organisations are still certified to the 2013 edition of the standard, and the deadline to migrate to the newer revision, ISO 27001:2022, has been set for 31st October 2025.

Out of the original 114 controls in ISO 27001:2013, a total of 57 have been consolidated, 23 have undergone name changes, and 11 new controls have been introduced. The remaining 35 controls were unchanged. The result is a streamlined set of 93 controls, split into four groups.

We recommend that you start updating your ISMS now to get ahead of the deadline rather than working towards it.

We have undergone the transition ourselves ahead of our next surveillance audit and can tell you that mapping existing controls to the new requirements, updating manuals, changing Annex A control numbers and other aspects of the documentation is time-consuming – especially if not planned correctly.

Our template Information Security Manual, Policies and Procedures, which reflect the new requirements, can be purchased here.

A useful starting point is to map your existing control numbers across using our mapping tool below. If you require assistance migrating to the new version of the standard, please let us know.


Indelible Data Mapping Tool

| 2022 control | Name | 2013 control(s) |
|---|---|---|
| 5.1 | Policies for information security | 5.1.1, 5.1.2 |
| 5.2 | Information security roles and responsibilities | 6.1.1 |
| 5.3 | Segregation of duties | 6.1.2 |
| 5.4 | Management responsibilities | 7.2.1 |
| 5.5 | Contact with authorities | 6.1.3 |
| 5.6 | Contact with special interest groups | 6.1.4 |
| 5.7 | Threat intelligence | NEW |
| 5.8 | Information security in project management | 6.1.5, 14.1.1 |
| 5.9 | Inventory of information and other associated assets | 8.1.1, 8.1.2 |
| 5.10 | Acceptable use of information and other associated assets | 8.1.3, 8.2.3 |
| 5.11 | Return of assets | 8.1.4 |
| 5.12 | Classification of information | 8.2.1 |
| 5.13 | Labelling of information | 8.2.2 |
| 5.14 | Information transfer | 13.2.1, 13.2.2, 13.2.3 |
| 5.15 | Access control | 9.1.1, 9.1.2 |
| 5.16 | Identity management | 9.2.1 |
| 5.17 | Authentication information | 9.2.4, 9.3.1, 9.4.3 |
| 5.18 | Access rights | 9.2.2, 9.2.5, 9.2.6 |
| 5.19 | Information security in supplier relationships | 15.1.1 |
| 5.20 | Addressing information security within supplier agreements | 15.1.2 |
| 5.21 | Managing information security in the ICT supply chain | 15.1.3 |
| 5.22 | Monitoring, review and change management of supplier services | 15.2.1, 15.2.2 |
| 5.23 | Information security for use of cloud services | NEW |
| 5.24 | Information security incident management planning and preparation | 16.1.1 |
| 5.25 | Assessment and decision on information security events | 16.1.4 |
| 5.26 | Response to information security incidents | 16.1.5 |
| 5.27 | Learning from information security incidents | 16.1.6 |
| 5.28 | Collection of evidence | 16.1.7 |
| 5.29 | Information security during disruption | 17.1.1, 17.1.2, 17.1.3 |
| 5.30 | ICT readiness for business continuity | NEW |
| 5.31 | Legal, statutory, regulatory and contractual requirements | 18.1.1, 18.1.5 |
| 5.32 | Intellectual property rights | 18.1.2 |
| 5.33 | Protection of records | 18.1.3 |
| 5.34 | Privacy and protection of PII | 18.1.4 |
| 5.35 | Independent review of information security | 18.2.1 |
| 5.36 | Compliance with policies, rules and standards for information security | 18.2.2, 18.2.3 |
| 5.37 | Documented operating procedures | 12.1.1 |
| 6.1 | Screening | 7.1.1 |
| 6.2 | Terms and conditions of employment | 7.1.2 |
| 6.3 | Information security awareness, education and training | 7.2.2 |
| 6.4 | Disciplinary process | 7.2.3 |
| 6.5 | Responsibilities after termination or change of employment | 7.3.1 |
| 6.6 | Confidentiality or non-disclosure agreements | 13.2.4 |
| 6.7 | Remote working | 6.2.2 |
| 6.8 | Information security event reporting | 16.1.2, 16.1.3 |
| 7.1 | Physical security perimeters | 11.1.1 |
| 7.2 | Physical entry | 11.1.2, 11.1.6 |
| 7.3 | Securing offices, rooms and facilities | 11.1.3 |
| 7.4 | Physical security monitoring | NEW |
| 7.5 | Protecting against physical and environmental threats | 11.1.4 |
| 7.6 | Working in secure areas | 11.1.5 |
| 7.7 | Clear desk and clear screen | 11.2.9 |
| 7.8 | Equipment siting and protection | 11.2.1 |
| 7.9 | Security of assets off-premises | 11.2.6 |
| 7.10 | Storage media | 8.3.1, 8.3.2, 8.3.3, 11.2.5 |
| 7.11 | Supporting utilities | 11.2.2 |
| 7.12 | Cabling security | 11.2.3 |
| 7.13 | Equipment maintenance | 11.2.4 |
| 7.14 | Secure disposal or re-use of equipment | 11.2.7 |
| 8.1 | User endpoint devices | 6.2.1, 11.2.8 |
| 8.2 | Privileged access rights | 9.2.3 |
| 8.3 | Information access restriction | 9.4.1 |
| 8.4 | Access to source code | 9.4.5 |
| 8.5 | Secure authentication | 9.4.2 |
| 8.6 | Capacity management | 12.1.3 |
| 8.7 | Protection against malware | 12.2.1 |
| 8.8 | Management of technical vulnerabilities | 12.6.1, 18.2.3 |
| 8.9 | Configuration management | NEW |
| 8.10 | Information deletion | NEW |
| 8.11 | Data masking | NEW |
| 8.12 | Data leakage prevention | NEW |
| 8.13 | Information backup | 12.3.1 |
| 8.14 | Redundancy of information processing facilities | 17.2.1 |
| 8.15 | Logging | 12.4.1, 12.4.2, 12.4.3 |
| 8.16 | Monitoring activities | NEW |
| 8.17 | Clock synchronization | 12.4.4 |
| 8.18 | Use of privileged utility programs | 9.4.4 |
| 8.19 | Installation of software on operational systems | 12.5.1, 12.6.2 |
| 8.20 | Networks security | 13.1.1 |
| 8.21 | Security of network services | 13.1.2 |
| 8.22 | Segregation of networks | 13.1.3 |
| 8.23 | Web filtering | NEW |
| 8.24 | Use of cryptography | 10.1.1, 10.1.2 |
| 8.25 | Secure development life cycle | 14.2.1 |
| 8.26 | Application security requirements | 14.1.2, 14.1.3 |
| 8.27 | Secure system architecture and engineering principles | 14.2.5 |
| 8.28 | Secure coding | NEW |
| 8.29 | Security testing in development and acceptance | 14.2.8, 14.2.9 |
| 8.30 | Outsourced development | 14.2.7 |
| 8.31 | Separation of development, test and production environments | 12.1.4, 14.2.6 |
| 8.32 | Change management | 12.1.2, 14.2.2, 14.2.3, 14.2.4 |
| 8.33 | Test information | 14.3.1 |
| 8.34 | Protection of information systems during audit testing | 12.7.1 |
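The mapping above is most useful when it is applied to your own Statement of Applicability (SoA) rather than read row by row, because the awkward cases are the consolidations: several 2013 controls collapsing into one 2022 control, a single 2013 control (18.2.3) landing under two 2022 controls (5.36 and 8.8), and NEW controls that have no 2013 history at all. The following Python is an added example, not the Indelible Data mapping tool or any code from this page. It parses rows in the same layout as the table, inverts the mapping so any 2013 number can be traced to every 2022 control it now sits under, and rewrites a 2013-keyed SoA into a 2022-keyed one, flagging rows that still need a human decision. The embedded rows are a subset of the table above; the sample SoA, the bogus control 99.9.9 and the "REVIEW:" status strings are constructed for the example.

```python
"""Annex A control-number migration helper (added example, not the page's own tool)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Subset of the mapping table on this page, in the same pipe-delimited layout.
MAPPING_ROWS = """\
| 2022 control | Name | 2013 control(s) |
|---|---|---|
| 5.1 | Policies for information security | 5.1.1, 5.1.2 |
| 5.7 | Threat intelligence | NEW |
| 5.17 | Authentication information | 9.2.4, 9.3.1, 9.4.3 |
| 5.36 | Compliance with policies, rules and standards for information security | 18.2.2, 18.2.3 |
| 8.8 | Management of technical vulnerabilities | 12.6.1, 18.2.3 |
| 8.15 | Logging | 12.4.1, 12.4.2, 12.4.3 |
| 8.16 | Monitoring activities | NEW |
| 8.32 | Change management | 12.1.2, 14.2.2, 14.2.3, 14.2.4 |
"""

# Constructed sample SoA keyed on 2013 numbers; 99.9.9 is a deliberately invalid entry.
SAMPLE_SOA_2013 = {
    "5.1.1": "Applicable", "5.1.2": "Applicable",
    "9.2.4": "Applicable", "9.3.1": "Applicable", "9.4.3": "Excluded",
    "18.2.2": "Applicable", "18.2.3": "Applicable", "12.6.1": "Applicable",
    "12.4.1": "Applicable", "12.4.2": "Applicable", "12.4.3": "Applicable",
    "12.1.2": "Applicable", "14.2.2": "Applicable", "14.2.3": "Applicable",
    "14.2.4": "Applicable",
    "99.9.9": "Applicable",
}

CONTROL_NUMBER = re.compile(r"\d+\.\d+")


@dataclass
class Control2022:
    number: str
    name: str
    sources_2013: List[str]  # empty for controls that are NEW in 2022


def parse_mapping(text: str) -> Dict[str, Control2022]:
    """Parse pipe-delimited rows; header, separator and blank lines are skipped."""
    controls: Dict[str, Control2022] = {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 3 or not CONTROL_NUMBER.fullmatch(cells[0]):
            continue
        number, name, sources = cells
        srcs = [] if sources.upper() == "NEW" else [s.strip() for s in sources.split(",")]
        controls[number] = Control2022(number, name, srcs)
    return controls


def reverse_index(controls: Dict[str, Control2022]) -> Dict[str, List[str]]:
    """2013 control number -> every 2022 control it now lives under (may be several)."""
    index: Dict[str, List[str]] = defaultdict(list)
    for ctrl in controls.values():
        for src in ctrl.sources_2013:
            index[src].append(ctrl.number)
    return dict(index)


def new_controls(controls: Dict[str, Control2022]) -> List[str]:
    return [n for n, c in controls.items() if not c.sources_2013]


def consolidated(controls: Dict[str, Control2022]) -> Dict[str, List[str]]:
    """2022 controls that absorbed more than one 2013 control."""
    return {n: c.sources_2013 for n, c in controls.items() if len(c.sources_2013) > 1}


def migrate_soa(soa_2013: Dict[str, str],
                controls: Dict[str, Control2022]) -> Tuple[Dict[str, str], List[str]]:
    """Rewrite a 2013-keyed SoA as a 2022-keyed one plus a list of items to review.

    A 2022 control inherits a status only when every 2013 source is present in the
    old SoA and all of them agree; anything else is marked for human review.
    """
    soa_2022: Dict[str, str] = {}
    notes: List[str] = []
    for number, ctrl in controls.items():
        if not ctrl.sources_2013:
            soa_2022[number] = "REVIEW: new in 2022"
            notes.append(f"{number} ({ctrl.name}) is new; decide applicability afresh")
            continue
        missing = [s for s in ctrl.sources_2013 if s not in soa_2013]
        if missing:
            soa_2022[number] = "REVIEW: missing 2013 entries"
            notes.append(f"{number}: no 2013 SoA entry for {', '.join(missing)}")
            continue
        statuses = {soa_2013[s] for s in ctrl.sources_2013}
        if len(statuses) == 1:
            soa_2022[number] = statuses.pop()
        else:
            soa_2022[number] = "REVIEW: conflicting statuses"
            notes.append(f"{number} consolidates {', '.join(ctrl.sources_2013)} "
                         f"whose 2013 statuses differ")
    known = {s for c in controls.values() for s in c.sources_2013}
    for old in soa_2013:
        if old not in known:
            notes.append(f"2013 control {old} has no 2022 mapping in the rows supplied")
    return soa_2022, notes


if __name__ == "__main__":
    ctrls = parse_mapping(MAPPING_ROWS)
    print("18.2.3 now lives under:", reverse_index(ctrls)["18.2.3"])
    new_soa, review = migrate_soa(SAMPLE_SOA_2013, ctrls)
    for k, v in new_soa.items():
        print(f"{k:>5}  {v}")
    print("\n".join(review))
```

Running the file shows 5.17 flagged because one of its three 2013 sources (9.4.3) was excluded while the other two were applicable; that is exactly the kind of decision a consolidation forces, and the helper deliberately refuses to guess it. Feeding the full table into `MAPPING_ROWS` lets `len(new_controls(...))` double as a check that the 11 NEW controls from the article have all been captured.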