Comprehensive Guide to the 11 New Security Controls in ISO 27001:2022

If you are working with ISO 27001, you may be curious about the new requirements introduced in the 2022 update and what additional controls need to be implemented.

This article highlights the 11 newly introduced security controls in ISO 27001.
For a broader overview of the updates, you can refer to a comparison of the 2013 and 2022 revisions. 

11 new controls introduced in the ISO 27001 2022 revision:

  • 5.7 Threat intelligence
  • 5.23 Information security for use of cloud services
  • 5.30 ICT readiness for business continuity
  • 7.4 Physical security monitoring
  • 8.9 Configuration management
  • 8.10 Information deletion
  • 8.11 Data masking
  • 8.12 Data leakage prevention
  • 8.16 Monitoring activities
  • 8.23 Web filtering
  • 8.28 Secure coding

You may observe that some of the newly introduced controls in ISO 27001 are similar to those from the 2013 version. However, since these have been formally categorized as new controls in ISO 27002:2022, all 11 have been included in this article.

This article is primarily based on guidance from ISO 27002:2022 and provides a high-level overview covering requirements, technology, people, and documentation aspects. For a more detailed understanding, it is recommended to refer to the official ISO 27002 standard available on the ISO website.

It is also important to note that achieving compliance with ISO 27001 does not require implementing every control listed in the standard: the controls are not mandatory. ISO 27001 allows organizations to exclude specific controls if no relevant risks have been identified and there are no legal, regulatory, or contractual obligations requiring their implementation.

How are security controls defined in ISO 27001?

ISO 27002, which supports the implementation of ISO 27001, describes a security control as something that influences or manages risk. In practical terms, this means any action, process, or technical safeguard an organization introduces to reduce the likelihood or impact of security risks.

What additional security controls were added in ISO 27001:2022?

Let’s review and understand the 11 newly introduced ISO 27001 controls.

A.5.7 Threat intelligence

Description. This control focuses on identifying and understanding potential threats by collecting and evaluating relevant intelligence. The goal is to enable organizations to take proactive measures to reduce risks. Threat intelligence may include information on specific attack types, attacker techniques, emerging vulnerabilities, or broader threat trends. Such information should be sourced both internally and externally, including inputs from security tools, vendor advisories, and official communications from regulatory or government bodies.

Technology. For smaller organizations, implementing this control may not require additional tools, but rather better utilization of existing systems to identify and interpret threat-related data. In contrast, larger organizations may need dedicated solutions that provide real-time insights into threats, vulnerabilities, and security incidents. Regardless of size, organizations should leverage threat intelligence to strengthen system configurations and improve overall security posture.

Organization/processes. Organizations should establish structured processes for collecting, analyzing, and applying threat intelligence. This includes integrating threat insights into risk management activities, enhancing preventive controls, and supporting ongoing security testing and monitoring practices.

People. Employees should be educated on the importance of identifying and reporting potential threats. Clear guidance should be provided on how threat information should be communicated, including defined reporting channels and responsibilities.

Documentation. While ISO 27001 does not mandate specific documentation for this control, organizations may choose to incorporate threat intelligence practices into relevant policies and procedures, such as risk management, incident management, or information security policies.

✅ Supplier Security Policy – Establish clear guidelines for sharing threat-related information between the organization and its external parties, including suppliers and business partners, to ensure timely and secure communication.

✅ Incident Management Procedure – Define the internal communication process for reporting and escalating threat-related information within the organization, ensuring that relevant stakeholders are informed promptly.

✅ Security Operating Procedures – Outline the methods and responsibilities for collecting, analyzing, and utilizing threat intelligence to support ongoing security operations.

A.5.23 Information security for use of cloud services

Description. This control focuses on establishing appropriate security measures for the use of cloud services to ensure the protection of organizational data. It covers the entire lifecycle of cloud services, including selection, implementation, operation, and termination. The objective is to ensure that cloud usage aligns with defined security expectations and risk levels.

Technology. In most situations, additional tools may not be necessary, as cloud platforms typically include built-in security capabilities. However, organizations may need to enhance their current service plans to access stronger security features. In some cases, if a provider does not meet required security standards, migrating to a more suitable provider may be necessary. Generally, the emphasis is on properly configuring and fully utilizing the existing security features offered by cloud services.

Organization/processes. Organizations should define clear processes for identifying security requirements related to cloud services and establishing criteria for selecting cloud providers. Additionally, guidelines should be in place for acceptable usage, along with defined procedures for securely offboarding or discontinuing cloud services.

People. Employees should be made aware of the risks associated with cloud usage and trained on how to securely use cloud platforms. This includes understanding available security features and following best practices when handling data in the cloud.

Documentation. Although ISO 27001 does not explicitly require documentation for this control, organizations may choose to include cloud-related security requirements within existing policies. Smaller organizations can incorporate these into supplier or vendor security policies, while larger organizations may benefit from maintaining a dedicated cloud security policy.

A.5.30 ICT readiness for business continuity

Description. This control ensures that an organization’s information and communication technology (ICT) environment is prepared to handle disruptions and continue supporting critical operations. The focus is on maintaining the availability of systems and data through proper planning, implementation, ongoing maintenance, and regular testing of continuity measures.

Technology. Organizations may need to implement solutions that improve system resilience and ensure continuity in the event of disruptions. This can include backup mechanisms, failover systems, and redundant network connectivity. The selection of such technologies should be guided by risk assessments and recovery objectives, including how quickly systems and data need to be restored.

Organization/processes. A structured approach should be established to plan for business continuity, considering both risks and operational requirements. In addition to planning, organizations should define processes for maintaining continuity-related technologies and regularly testing disaster recovery and business continuity arrangements to ensure effectiveness.

People. Employees should be informed about potential disruption scenarios and their impact on business operations. Training should be provided to ensure that relevant personnel understand their roles in maintaining system readiness and responding effectively during incidents.

Documentation. Although ISO 27001 does not explicitly require documentation for this control, organizations are encouraged to formalize their approach. Smaller organizations may include ICT readiness within key documents such as:

✅ Disaster Recovery Plan – covering preparation, implementation, and maintenance of recovery capabilities

✅ Internal Audit Report – documenting testing and validation of readiness

Larger organizations, or those aligned with business continuity standards, may maintain more structured documentation such as business impact assessments, continuity strategies, detailed continuity plans, and testing reports.

A.7.4 Physical security monitoring

Description. This control focuses on overseeing sensitive physical locations to ensure that access is restricted to authorized individuals only. These areas may include offices, operational sites, storage facilities, and any other locations where critical assets are present. The objective is to detect and prevent unauthorized entry.

Technology. Based on the level of risk, organizations may implement various monitoring solutions such as surveillance cameras, intrusion detection systems, or alarm mechanisms. In some cases, physical supervision—such as security personnel—may also be used as an effective control measure.

Organization/processes. Organizations should clearly define responsibilities for monitoring sensitive areas, including who is accountable for oversight and how incidents should be reported. Established communication channels must be in place to ensure timely response to any physical security events.

People. Employees should be made aware of the risks associated with unauthorized physical access. They should also be trained on how to use any monitoring tools and understand their role in maintaining physical security.

Documentation. Although ISO 27001 does not mandate specific documentation for this control, organizations may choose to include relevant details within existing procedures, such as:

✅ Physical Security Procedures – outlining monitored areas and assigned responsibilities

✅ Incident Management Procedures – defining how physical security incidents are reported and managed

A.8.9 Configuration management

Description. This control ensures that security configurations across all technology components are properly defined, maintained, and controlled throughout their lifecycle. The objective is to maintain a consistent and secure configuration baseline while preventing unauthorized or unintended changes. Key activities include establishing configurations, implementing them, continuously monitoring compliance, and performing periodic reviews.

Technology. Configuration management applies to a wide range of assets, including applications, systems, network devices, and services. Smaller organizations may manage configurations manually using existing tools and processes, while larger organizations typically require dedicated solutions to enforce standardized configurations and detect deviations.

Organization/processes. Organizations should establish a formal process for defining, reviewing, and approving security configurations. This should also include procedures for tracking changes, monitoring compliance with defined baselines, and ensuring that any deviations are identified and addressed promptly.

People. Employees involved in managing systems should understand the importance of maintaining secure configurations. Appropriate training should be provided to ensure they can correctly implement, manage, and review configuration settings in line with organizational standards.

Documentation. Unlike some other controls, documentation is expected for configuration management under ISO 27001. Smaller organizations may document configuration requirements within operational procedures, while larger organizations typically maintain dedicated configuration management procedures.

In addition, detailed configuration standards are often defined separately for individual systems to simplify updates and maintenance. All configuration changes should be recorded to maintain a clear audit trail and support accountability.
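As an added illustration of the activities this control describes (a defined baseline, compliance monitoring, deviation detection, and an audit trail of changes), the following script is example code written for this article, not part of ISO 27001 or ISO 27002. All host names, settings and values are constructed sample data.

```python
# Added example: a minimal configuration-baseline check in the spirit of A.8.9.
# A baseline of required settings is compared against the observed configuration
# of a host; every deviation is reported, and each change applied to restore the
# baseline is recorded in an append-only change log (the audit trail).
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Constructed baseline: setting name -> required value.
BASELINE = {
    "ssh.password_authentication": "no",
    "ssh.permit_root_login": "no",
    "audit.logging": "enabled",
    "tls.min_version": "1.2",
    "firewall.default_inbound": "deny",
}

@dataclass
class Deviation:
    setting: str
    expected: str
    observed: Optional[str]   # None means the setting is missing entirely

@dataclass
class ChangeRecord:
    timestamp: str
    host: str
    setting: str
    old: Optional[str]
    new: str
    actor: str

def check_compliance(observed: dict, baseline: dict = BASELINE) -> list:
    """Return every baseline setting whose observed value differs or is absent."""
    return [
        Deviation(key, expected, observed.get(key))
        for key, expected in baseline.items()
        if observed.get(key) != expected
    ]

@dataclass
class ConfigStore:
    """Per-host configuration plus an append-only change log."""
    hosts: dict = field(default_factory=dict)
    changelog: list = field(default_factory=list)

    def remediate(self, host: str, actor: str, baseline: dict = BASELINE) -> list:
        """Bring one host back to baseline, recording who changed what and when."""
        cfg = self.hosts.setdefault(host, {})
        applied = []
        for dev in check_compliance(cfg, baseline):
            rec = ChangeRecord(datetime.now(timezone.utc).isoformat(), host,
                               dev.setting, dev.observed, dev.expected, actor)
            cfg[dev.setting] = dev.expected
            self.changelog.append(rec)
            applied.append(rec)
        return applied

# Constructed observed configuration of one host: two wrong values, one missing setting.
SAMPLE_HOST = {
    "ssh.password_authentication": "yes",
    "ssh.permit_root_login": "no",
    "audit.logging": "enabled",
    "tls.min_version": "1.0",
}

if __name__ == "__main__":
    store = ConfigStore(hosts={"web-01": dict(SAMPLE_HOST)})
    for d in check_compliance(store.hosts["web-01"]):
        print(f"DEVIATION {d.setting}: expected {d.expected!r}, observed {d.observed!r}")
    changes = store.remediate("web-01", actor="config-bot")
    print(f"{len(changes)} change(s) recorded; compliant now: "
          f"{not check_compliance(store.hosts['web-01'])}")
```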

A.8.10 Information deletion

Description. This control focuses on ensuring that data is securely removed once it is no longer needed, reducing the risk of unauthorized disclosure and supporting compliance with privacy and regulatory obligations. It applies to all forms of data storage, including internal systems, cloud platforms, and removable media.

Technology. The deletion method has to fit the storage type named above: data on internal systems, on cloud platforms, and on removable media is removed in different ways, and for cloud services the organization depends on the deletion capabilities the provider exposes. Whatever the medium, the method chosen should actually remove the information rather than merely hide it from ordinary access.

Organization/processes. A defined process should be established to determine what data needs to be deleted, when it should be removed, and how the deletion should be performed. This process should also clearly assign responsibilities and ensure that deletion activities are carried out consistently and securely.

People. Employees should understand the importance of properly disposing of sensitive information. Training should be provided to ensure that both end users and administrators follow correct procedures when deleting data from systems and devices.

Documentation. Although ISO 27001 does not strictly require documentation for this control, organizations are encouraged to define guidelines within relevant policies and procedures, such as:

✅ Disposal and Destruction Policy – outlining secure methods for removing data from physical and removable media

✅ Acceptable Use Policy – providing guidance to users on handling and deleting sensitive data on their devices

✅ Security Operating Procedures – detailing how administrators should securely delete data from servers and network systems

Larger organizations may also maintain a Data Retention Policy to define how long different types of information should be retained and the appropriate timelines for deletion.

A.8.11 Data masking

Description. This control focuses on reducing the exposure of sensitive information by applying data masking techniques in combination with access controls. It is particularly relevant for protecting personal data, which is often subject to strict privacy regulations, but it can also be applied to other types of confidential or sensitive information.

Technology. Organizations can implement various techniques to mask data, such as anonymization and pseudonymization, especially where required by regulatory frameworks. Additional methods like encryption or data obfuscation may also be used to ensure that sensitive information is not directly accessible or identifiable.

Organization/processes. Clear processes should be established to identify which data requires masking, determine access permissions, and define the methods used to protect that data. These processes should ensure that only authorized individuals can access sensitive information in its original form.

People. Employees should be made aware of the importance of protecting sensitive data through masking techniques. Training should be provided to help them understand which types of data require masking and how to apply the appropriate methods in their daily activities.

Documentation. While ISO 27001 does not mandate specific documentation for this control, organizations may include data masking requirements within relevant policies and procedures, such as:

✅ Information Classification Policy – defining sensitive data categories and identifying which data requires masking

✅ Access Control Policy – specifying access permissions for masked and unmasked data

✅ Secure Development Policy – outlining how masking techniques are implemented within systems and applications

For larger organizations or those subject to strict privacy regulations, additional documentation may be maintained, including:

✅ Privacy or Personal Data Protection Policy – defining responsibilities for handling sensitive and personal data

✅ Anonymization and Pseudonymization Policy – detailing the implementation of masking techniques in compliance with regulatory requirements
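To make the techniques named under this control concrete, the following is example code added for this article (not from ISO 27001 or ISO 27002). It applies masking, pseudonymization and anonymization to constructed personal-data records and produces a different view for each audience; the pseudonymization key is a placeholder.

```python
# Added example for A.8.11. Masking hides part of a value for display;
# pseudonymization replaces an identifier with a keyed token so records can
# still be linked (re-identification requires the key, which belongs in a
# separate, access-controlled key store); anonymization generalizes values so
# the original cannot be recovered. Records below are constructed, not real.
import hashlib
import hmac

RECORDS = [
    {"email": "alice.martin@example.com", "card": "4111111111111111", "age": 34, "city": "Lyon"},
    {"email": "bob.ng@example.com", "card": "5500000000000004", "age": 52, "city": "Lyon"},
    {"email": "alice.martin@example.com", "card": "4111111111111111", "age": 34, "city": "Lyon"},
]

# Constructed placeholder key. In practice it lives in a managed key store with
# its own access control, never beside the masked data set.
PSEUDONYM_KEY = b"replace-me-with-a-managed-secret"

def mask_card(pan: str) -> str:
    """Show only the last four digits, the usual display form for card numbers."""
    return "*" * (len(pan) - 4) + pan[-4:]

def mask_email(email: str) -> str:
    """Keep the first character of the local part and the full domain."""
    local, _, domain = email.partition("@")
    return local[:1] + "***@" + domain

def pseudonymize(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed HMAC-SHA256 token: identical input gives identical token (records
    stay linkable), but without the key nobody can confirm a guessed email by
    recomputing it, which a plain unkeyed hash would allow."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]

def age_band(age: int) -> str:
    """Generalize an exact age to a 10-year band, one anonymization technique."""
    low = (age // 10) * 10
    return f"{low}-{low + 9}"

def for_support_desk(rec: dict) -> dict:
    """Masked view: enough to confirm identity with a customer, not enough to reuse."""
    return {"email": mask_email(rec["email"]), "card": mask_card(rec["card"]),
            "age": rec["age"], "city": rec["city"]}

def for_analytics(rec: dict) -> dict:
    """Pseudonymized view: direct identifiers removed, records still linkable."""
    return {"subject": pseudonymize(rec["email"]), "age": rec["age"], "city": rec["city"]}

def for_public_release(rec: dict) -> dict:
    """Anonymized view: no identifier at all, age generalized."""
    return {"age_band": age_band(rec["age"]), "city": rec["city"]}

if __name__ == "__main__":
    rec = RECORDS[0]
    print("support  :", for_support_desk(rec))
    print("analytics:", for_analytics(rec))
    print("public   :", for_public_release(rec))
```

Which view a role receives is the access-control decision the control pairs with masking: only the system of record and the roles entitled to it see the original values.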

A.8.12 Data leakage prevention

Description. This control focuses on preventing the unauthorized exposure of sensitive information and ensuring that any such incidents are quickly identified and addressed. It applies to data stored or processed across systems, networks, and user devices, with the objective of minimizing the risk of data loss or disclosure.

Technology. Organizations may implement solutions that monitor and control potential data leakage points, such as email systems, removable media, endpoints, and mobile devices. Preventive measures can include restricting data transfers, blocking unauthorized uploads, controlling copy-paste functions, applying encryption, and using monitoring tools to detect suspicious activity.

Organization/processes. A structured approach should be established to classify data based on sensitivity, assess risks associated with different technologies and user behaviors, and identify channels through which data leakage may occur. Based on this assessment, appropriate controls and technologies should be implemented to prevent or limit exposure.

People. Employees should be educated on the types of sensitive data handled within the organization and the importance of protecting it. Clear guidance should be provided on acceptable and prohibited actions when handling such information, supported by regular awareness and training programs.

Documentation. Although ISO 27001 does not explicitly require documentation for this control, organizations are encouraged to incorporate data leakage prevention measures into existing policies and procedures, such as:

✅ Information Classification Policy – defining sensitivity levels and corresponding protection requirements

✅ Security Operating Procedures – outlining monitoring and prevention tools used by administrators

✅ Acceptable Use Policy – specifying permitted and restricted user activities related to data handling

A.8.16 Monitoring activities

Description. This control focuses on continuously observing systems and environments to detect abnormal or suspicious behavior. The purpose is to identify potential security events early and trigger appropriate response actions when necessary. Monitoring should cover systems, networks, and applications to ensure visibility across the entire environment.

Technology. Organizations may utilize various monitoring capabilities, including analysis of security logs, system and application events, user access patterns, administrator activities, and network traffic. Additional monitoring can include tracking system performance, verifying application behavior, and identifying deviations from expected operations.

Organization/processes. A structured monitoring approach should be defined, specifying which systems and activities are subject to monitoring, who is responsible, and how monitoring is performed. This includes establishing a baseline for normal behavior, identifying anomalies, and defining procedures for reporting and responding to detected events.

People. Employees should be informed that system activities are subject to monitoring and should understand acceptable usage practices. IT and security personnel should be trained to effectively use monitoring tools and interpret alerts to ensure timely detection and response.

Documentation. Although ISO 27001 does not explicitly require documentation for this control, organizations may include monitoring requirements within operational procedures. Smaller organizations may incorporate these into general security procedures, while larger organizations often maintain dedicated monitoring and logging procedures.

Additionally, maintaining records of monitoring activities and detected events is recommended to support analysis, investigation, and audit requirements.
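The following script is an added example for this article (not from ISO 27001 or ISO 27002) of the approach just described: a baseline of normal behaviour is built from known-good activity, new events are checked against it, and deviations are turned into reportable alerts. The log format, working hours and failure threshold are assumed values, and every log line is constructed.

```python
# Added example for A.8.16. build_baseline() records which source addresses each
# user is normally active from; detect() then flags repeated authentication
# failures, successful logins from an address outside the user's baseline, and
# administrator activity outside defined working hours.
from collections import Counter, defaultdict
from datetime import datetime

# Constructed baseline events, one per line: "timestamp user action source".
BASELINE_LOG = """\
2024-03-04T09:02:11 alice login_ok 10.0.1.15
2024-03-04T09:40:52 bob login_ok 10.0.1.22
2024-03-05T08:55:03 alice login_ok 10.0.1.15
2024-03-05T10:12:44 admin sudo 10.0.1.5
"""

# Constructed events to be monitored against that baseline.
NEW_LOG = """\
2024-03-06T09:01:10 alice login_ok 10.0.1.15
2024-03-06T09:03:00 bob login_fail 198.51.100.7
2024-03-06T09:03:05 bob login_fail 198.51.100.7
2024-03-06T09:03:09 bob login_fail 198.51.100.7
2024-03-06T09:03:15 bob login_fail 198.51.100.7
2024-03-06T09:03:20 bob login_fail 198.51.100.7
2024-03-06T09:03:31 bob login_ok 198.51.100.7
2024-03-06T23:41:00 admin sudo 10.0.1.5
"""

WORK_HOURS = range(8, 19)   # assumed policy: 08:00 to 18:59
FAIL_THRESHOLD = 5          # assumed threshold for repeated failures

def parse(log: str):
    """Yield (timestamp, user, action, source) tuples from the constructed format."""
    for line in log.splitlines():
        ts, user, action, source = line.split()
        yield datetime.fromisoformat(ts), user, action, source

def build_baseline(log: str) -> dict:
    """Normal behaviour: the set of source addresses each user was active from."""
    seen = defaultdict(set)
    for _, user, _action, source in parse(log):
        seen[user].add(source)
    return dict(seen)

def detect(log: str, baseline: dict) -> list:
    """Compare new events with the baseline and return human-readable alerts."""
    alerts = []
    fails = Counter()   # (user, source) -> consecutive failure count
    for ts, user, action, source in parse(log):
        if action == "login_fail":
            fails[(user, source)] += 1
            if fails[(user, source)] == FAIL_THRESHOLD:
                alerts.append(f"{ts} repeated failures: {user} from {source} ({FAIL_THRESHOLD}x)")
        elif action == "login_ok":
            if source not in baseline.get(user, set()):
                alerts.append(f"{ts} new source: {user} logged in from {source}")
            if fails[(user, source)] >= FAIL_THRESHOLD:
                alerts.append(f"{ts} success after {fails[(user, source)]} failures: "
                              f"{user} from {source}")
        if user == "admin" and ts.hour not in WORK_HOURS:
            alerts.append(f"{ts} admin activity outside working hours: {action} from {source}")
    return alerts

if __name__ == "__main__":
    for alert in detect(NEW_LOG, build_baseline(BASELINE_LOG)):
        print("ALERT", alert)
```

Each alert is the kind of record the control expects to be kept for analysis, investigation and audit, and the threshold and hours are the parameters a monitoring procedure would define.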

A.8.23 Web filtering

Description. This control focuses on regulating user access to internet resources to reduce security risks and ensure appropriate usage. By controlling which websites can be accessed, organizations can protect their systems from malicious content and limit exposure to unsafe or non-compliant online activities.

Technology. Organizations may implement technical solutions such as web filtering tools, secure web gateways, or endpoint protection systems that block access to harmful or unauthorized websites. These tools can restrict access based on URLs, IP addresses, or content categories. In addition to technical controls, organizations may also define guidelines outlining prohibited websites and rely on user compliance where appropriate.

Organization/processes. Clear processes should be established to define which categories of websites are restricted and how filtering rules are maintained and updated. This includes ongoing review of filtering policies to ensure they remain effective against emerging threats.

People. Employees should be educated about the risks associated with unsafe internet usage and provided with clear guidance on acceptable browsing behavior. System administrators should also be trained on how to configure, manage, and monitor web filtering solutions.

Documentation. Although ISO 27001 does not mandate specific documentation for this control, organizations may include web filtering requirements within existing policies and procedures, such as:

✅ Security Operating Procedures – outlining how administrators implement and manage web filtering controls

✅ Acceptable Use Policy – defining permitted and restricted internet usage for employees

Larger organizations may choose to maintain a dedicated procedure that details the implementation and management of web filtering controls.

A.8.28 Secure coding

Description. This control focuses on embedding security practices into the software development process to minimize vulnerabilities. It requires organizations to define and follow secure coding principles throughout the entire development lifecycle, including planning, development, testing, and ongoing maintenance of applications.

Technology. Organizations may use various tools to support secure development, such as solutions for managing software components and libraries, protecting source code integrity, detecting vulnerabilities, and monitoring for security events. Security features like authentication mechanisms, encryption, and input validation should also be incorporated into applications to enhance protection.

Organization/processes. A structured approach should be established to define secure coding standards applicable to both internally developed software and third-party components. This includes processes for evaluating and approving external libraries, staying updated on emerging security threats, and integrating security activities at each stage of development—before coding begins, during development, and after deployment through reviews, updates, and maintenance.

People. Developers should be educated on the importance of secure coding practices and provided with training on relevant techniques, standards, and tools. This helps ensure that security is consistently considered during application development.

Documentation. While ISO 27001 does not explicitly require documentation for this control, organizations may choose to formalize secure coding practices within their policies. Smaller organizations can include these requirements within a general secure development policy, whereas larger organizations often maintain detailed procedures tailored to individual development projects.