Detailed Mapping of 2013 Annex A Controls to 2022 Controls

Lesson 10/23 | Study Time: 25 Min

The transition from ISO/IEC 27001:2013 to ISO/IEC 27001:2022 restructured Annex A substantially, so organizations need a detailed mapping of the old controls onto the new structure. Annex A matters because it is the reference list of information security controls against which an organization compares its risk treatment plan and builds its Statement of Applicability (clause 6.1.3).

The 2013 version listed 114 controls in 14 control clauses (A.5 to A.18), while the 2022 revision reduced this to 93 controls organized into four themes. The mapping lets an organization see systematically which 2013 control corresponds to which 2022 control, identify controls that were merged or renamed, and pick up the newly introduced ones. No 2013 control was dropped outright: every one maps to at least one 2022 control, which is why a migrated SoA should never lose an existing justification.

Detailed Mapping of Controls


In ISO/IEC 27001:2022, the reorganized control set is intended to be simpler to apply and easier to align with risk treatment. The authoritative correspondence tables in both directions (2022 to 2013 and 2013 to 2022) are published in Annex B of ISO/IEC 27002:2022; the main aspects of how controls were mapped and restructured are summarized below.


1. Control Reduction and Merging

Fifty-seven controls from the 2013 version were merged into 24 controls in 2022, combining similar or overlapping requirements to simplify implementation. For example, the two 2013 cryptography controls (policy on the use of cryptographic controls and key management) became the single control 8.24 Use of cryptography, and the three 2013 logging controls (event logging, protection of log information, administrator and operator logs) became 8.15 Logging. Merging is many-to-one, so when a merged control is reviewed, the justification for each of its source controls must be reconsidered together.


2. New Controls

Eleven new controls were added to address modern security challenges. With their 2022 control identifiers, they are:


5.7 Threat intelligence

5.23 Information security for use of cloud services

5.30 ICT readiness for business continuity

7.4 Physical security monitoring

8.9 Configuration management

8.10 Information deletion

8.11 Data masking

8.12 Data leakage prevention

8.16 Monitoring activities

8.23 Web filtering

8.28 Secure coding


3. Control Grouping Changes

The 14 control clauses of 2013 were replaced by four themes in 2022, and the control identifiers were renumbered accordingly (5.x, 6.x, 7.x, 8.x):


Organizational (37 controls, 5.1 to 5.37)

People (8 controls, 6.1 to 6.8)

Physical (14 controls, 7.1 to 7.14)

Technological (34 controls, 8.1 to 8.34)


4. Example Mapping


Human resources security controls that were spread across the 2013 clause A.7 are now grouped under the People theme (for example, screening, terms and conditions of employment, awareness and training, and responsibilities after termination).

Physical and environmental security controls (2013 clause A.11) remain largely similar in content but are streamlined under the Physical theme.

Technology-related controls, such as access control, logging and monitoring, cryptography, and secure development and maintenance, are now in the Technological theme.

Organizational controls cover policy, governance, risk management, supplier relationships, incident management and compliance.


5. Statement of Applicability (SoA) Impact

Organizations must update their SoA to reflect the 2022 control list, indicating which controls they apply and documenting the rationale for any exclusions. In practice this means carrying each existing justification across the mapping: where several 2013 controls were merged, the merged control inherits the decisions of all of its sources and any disagreement between them has to be resolved; where a 2013 control feeds more than one 2022 control, each target needs its own review; and each of the 11 new controls needs a fresh applicability decision, since there is no 2013 justification to inherit.
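As an added worked example (not text from this lesson or from the ISO standards), the script below drafts a 2022 SoA from a 2013 SoA using the rules just described. CONTROL_MAP is a small illustrative subset of the 2013-to-2022 correspondence; the complete, authoritative table is Annex B of ISO/IEC 27002:2022. OLD_SOA is constructed sample data, and the function and field names are the example's own.

```python
"""Draft a 2022 Statement of Applicability from a 2013 one.

Added example for this lesson. CONTROL_MAP is an illustrative subset only;
use Annex B of ISO/IEC 27002:2022 for the full correspondence.
"""
from collections import defaultdict

# 2022 control id -> (title, 2013 Annex A controls it absorbs).
# An empty tuple marks a control that is new in 2022.
CONTROL_MAP = {
    "5.1":  ("Policies for information security", ("A.5.1.1", "A.5.1.2")),
    "5.7":  ("Threat intelligence", ()),
    "5.15": ("Access control", ("A.9.1.1", "A.9.1.2")),
    "5.18": ("Access rights", ("A.9.2.2", "A.9.2.5", "A.9.2.6")),
    "5.36": ("Compliance with policies, rules and standards", ("A.18.2.2", "A.18.2.3")),
    "8.2":  ("Privileged access rights", ("A.9.2.3",)),
    "8.8":  ("Management of technical vulnerabilities", ("A.12.6.1", "A.18.2.3")),
    "8.15": ("Logging", ("A.12.4.1", "A.12.4.2", "A.12.4.3")),
    "8.24": ("Use of cryptography", ("A.10.1.1", "A.10.1.2")),
    "8.28": ("Secure coding", ()),
}

# Constructed sample 2013 SoA: control id -> applicability and justification.
OLD_SOA = {
    "A.5.1.1": {"applicable": True, "justification": "ISMS policy approved by board"},
    "A.5.1.2": {"applicable": True, "justification": "Annual policy review"},
    "A.9.1.1": {"applicable": True, "justification": "Access control policy in place"},
    "A.9.1.2": {"applicable": True, "justification": "Network ACLs per policy"},
    "A.9.2.2": {"applicable": True, "justification": "JML provisioning process"},
    "A.9.2.5": {"applicable": False, "justification": "Access reviews not formalized"},
    "A.9.2.6": {"applicable": True, "justification": "Leaver process revokes access"},
    "A.9.2.3": {"applicable": True, "justification": "PAM solution deployed"},
    "A.12.6.1": {"applicable": True, "justification": "Monthly vulnerability scans"},
    "A.18.2.2": {"applicable": True, "justification": "Internal audit programme"},
    "A.18.2.3": {"applicable": True, "justification": "Annual technical compliance review"},
    "A.10.1.1": {"applicable": False, "justification": "No cryptographic services operated"},
    "A.10.1.2": {"applicable": False, "justification": "No keys to manage"},
    "A.12.4.1": {"applicable": True, "justification": "Central SIEM"},
    "A.12.4.2": {"applicable": True, "justification": "Logs write-once"},
    "A.12.4.3": {"applicable": True, "justification": "Admin actions logged"},
}


def old_to_new(control_map):
    """Invert the map: 2013 control id -> list of 2022 controls it feeds."""
    inverse = defaultdict(list)
    for new_id, (_, sources) in control_map.items():
        for old_id in sources:
            inverse[old_id].append(new_id)
    return dict(inverse)


def migrate_soa(old_soa, control_map=CONTROL_MAP):
    """Return (draft 2022 SoA, review flags).

    A merged control is applicable if ANY of its sources was applicable; an
    exclusion must be re-justified against the wider control. New controls
    get applicable=None until an owner decides. A 2013 control that feeds
    several 2022 controls (a split) is flagged so each target is reviewed.
    """
    new_soa, flags = {}, []
    for new_id, (title, sources) in control_map.items():
        if not sources:
            new_soa[new_id] = {"title": title, "applicable": None,
                               "justification": "NEW in 2022: decision required"}
            flags.append(f"{new_id} {title}: new control, needs applicability decision")
            continue
        known = [s for s in sources if s in old_soa]
        for missing in (s for s in sources if s not in old_soa):
            flags.append(f"{new_id}: source {missing} absent from 2013 SoA")
        decisions = {old_soa[s]["applicable"] for s in known}
        if len(decisions) > 1:
            flags.append(f"{new_id} {title}: sources disagree on applicability; re-justify")
        new_soa[new_id] = {
            "title": title,
            "applicable": any(decisions),
            "justification": "; ".join(f"{s}: {old_soa[s]['justification']}" for s in known),
        }
    for old_id, targets in old_to_new(control_map).items():
        if old_id in old_soa and len(targets) > 1:
            flags.append(f"{old_id} split across {', '.join(targets)}: review each target")
    return new_soa, flags


if __name__ == "__main__":
    soa, review = migrate_soa(OLD_SOA)
    for cid, row in soa.items():
        print(f"{cid:5} {row['applicable']!s:5} {row['title']}")
    print("\nReview flags:")
    for line in review:
        print(" -", line)
```

The rule "applicable if any source was applicable" is deliberately conservative: a control that absorbed an applicable requirement cannot simply inherit an exclusion from a sibling, so the disagreement on 5.18 above is surfaced for a human decision rather than resolved silently.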


Samuel Wilson, Product Designer