
Lesson 16: ISO 27001:2022 — Key Changes and a Practical Implementation Plan

Saudi Regulatory Compliance Path — Lesson 6 of 10. Master the ISO 27001:2022 transition: new control structure, Annex A changes, and a phased implementation roadmap for Saudi financial institutions.

FyntraLink Team
Saudi Regulatory Compliance · Lesson 6 of 10 · Level: Intermediate · Reading time: 12 minutes

What You Will Learn in This Lesson

  • The structural differences between ISO 27001:2013 and ISO 27001:2022
  • How the new Annex A control set is reorganized into four themes
  • The 11 brand-new controls introduced in the 2022 revision and why they matter
  • A phased implementation plan to transition or achieve first-time certification

Why ISO 27001:2022 Deserves Your Full Attention

If your organization already holds ISO 27001:2013 certification, you have until October 31, 2025 to complete the transition — and many Saudi financial institutions are still mid-journey. If you are pursuing certification for the first time, every new audit from an accredited body now benchmarks against the 2022 edition exclusively. Either way, understanding exactly what changed — and what did not — is the fastest path to an efficient project plan.

The good news: the core management system clauses (4 through 10) received only minor wording refinements. The real action is in Annex A, where the control catalogue was completely restructured. The 2013 edition listed 114 controls across 14 domains. The 2022 edition consolidates these into 93 controls across just four themes: Organizational, People, Physical, and Technological. That is not a simple relabeling exercise — it reflects how modern security programs actually operate and eliminates redundant overlaps that made mapping painful.

The New Annex A Structure: Four Themes, 93 Controls

The four themes replace the old 14-domain structure and group controls by their primary nature rather than by technology silo. Organizational controls (37) cover governance, policies, roles, supplier management, and legal compliance. People controls (8) address screening, awareness, disciplinary processes, and remote working. Physical controls (14) handle facilities, equipment, cabling, and secure disposal. Technological controls (34) span access management, cryptography, logging, network security, and secure development.

For practitioners who spent years mapping the old A.5 through A.18 domains to SAMA CSCC or NCA ECC, this restructuring actually simplifies cross-framework mapping. A single ISO control now aligns more cleanly to a single regulatory requirement, reducing the many-to-many headaches that plagued GRC teams.

Practical Example: A mid-size Saudi insurance company had 247 lines in its compliance matrix mapping ISO 27001:2013 controls to SAMA CSCC domains. After restructuring to the 2022 edition, the same team reduced the matrix to 158 lines — a 36% reduction — because merged controls eliminated duplicate mappings. Their annual internal audit cycle dropped from six weeks to four.

The 11 New Controls You Must Address

While many existing controls were merged or reworded, 11 entirely new controls appeared in the 2022 revision. Each reflects a threat or operational reality that simply did not exist — or was not well understood — when the 2013 edition was drafted. Here is what they cover and how to approach them:

A.5.7 — Threat Intelligence: Your organization must establish processes to collect, analyze, and act on cyber threat intelligence. For Saudi financial institutions, this means subscribing to sector-specific feeds (Saudi CERT advisories, FS-ISAC), defining IOC ingestion workflows, and documenting how threat intel informs your risk assessments. Do not treat this as a checkbox — SAMA CSCC Domain 3 already expects active threat monitoring.

A.5.23 — Information Security for Cloud Services: Cloud adoption across Saudi banks and fintechs has accelerated sharply. This control requires you to define acquisition, use, management, and exit criteria for every cloud service. Document your shared responsibility model for each provider (AWS, Azure, Oracle Cloud — whoever you use), and ensure your contract includes audit rights and data residency guarantees aligned with SAMA's cloud computing guidelines.

A.5.30 — ICT Readiness for Business Continuity: Beyond traditional BCP, this control demands that your ICT infrastructure is specifically tested for continuity scenarios. Run tabletop exercises that simulate a ransomware lockout of your core banking system, and validate that your RTO and RPO numbers are achievable — not aspirational.

A.7.4 — Physical Security Monitoring: Monitor facilities continuously using CCTV, access logs, and environmental sensors. Many Saudi data centers already meet this standard, but branch offices and remote disaster recovery sites are often gaps.

A.8.9 — Configuration Management: Maintain documented, approved baseline configurations for all systems and enforce drift detection. Tools like Ansible, Puppet, or cloud-native services (AWS Config, Azure Policy) make this operationally feasible.

A.8.10 — Information Deletion: When data reaches end-of-life, delete it verifiably. This control directly supports PDPL compliance, which grants data subjects the right to erasure.

A.8.11 — Data Masking: Apply masking or pseudonymization techniques in non-production environments. If your test database contains real customer National IDs or IBANs, you are already in violation of this control and likely PDPL as well.
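One concrete way to meet A.8.11 during a test-data refresh, shown as an added example that is not part of this lesson: keyed, format-preserving pseudonymization of the two identifiers named above. It assumes a Saudi National/Iqama ID is 10 digits starting with 1 or 2 and a Saudi IBAN is "SA" plus 22 digits (2 check digits, 2-digit bank code, 18-digit account); the key, the sample row and the function names are constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed demo key: a real refresh job loads it from a secrets manager and never
# copies it into the non-production environment, or the masking becomes reversible.
MASKING_KEY = b"constructed-demo-key-not-for-production"

def _hmac_digits(key: bytes, label: str, value: str, n: int) -> str:
    """n decimal digits derived from HMAC-SHA256(key, label:value); deterministic,
    so the same customer maps to the same token in every masked table."""
    digest = hmac.new(key, f"{label}:{value}".encode(), hashlib.sha256).digest()
    return str(int.from_bytes(digest, "big") % 10 ** n).zfill(n)

def pseudonymize_national_id(nid: str, key: bytes = MASKING_KEY) -> str:
    # Assumption: Saudi National/Iqama ID is 10 digits, leading 1 (citizen) or 2 (resident).
    # The leading digit is kept so citizen/resident branching in test code still runs.
    if not re.fullmatch(r"[12]\d{9}", nid):
        raise ValueError("unexpected national ID format")
    return nid[0] + _hmac_digits(key, "nid", nid, 9)

def iban_check_digits(country: str, bban: str) -> str:
    """ISO 7064 MOD 97-10 check digits (letters map to 10..35)."""
    numeric = "".join(str(int(c, 36)) for c in bban + country + "00")
    return f"{98 - int(numeric) % 97:02d}"

def is_valid_iban(iban: str) -> bool:
    numeric = "".join(str(int(c, 36)) for c in iban[4:] + iban[:4])
    return int(numeric) % 97 == 1

def pseudonymize_iban(iban: str, key: bytes = MASKING_KEY) -> str:
    # Assumption: Saudi IBAN = "SA" + 2 check digits + 2-digit bank code + 18-digit account.
    # Bank code stays and check digits are recomputed, so test-system IBAN validation passes.
    iban = iban.replace(" ", "").upper()
    if not re.fullmatch(r"SA\d{22}", iban):
        raise ValueError("unexpected IBAN format")
    bban = iban[4:6] + _hmac_digits(key, "iban", iban, 18)
    return "SA" + iban_check_digits("SA", bban) + bban

def mask_customer(record: dict, key: bytes = MASKING_KEY) -> dict:
    """Copy of a customer row with the direct identifiers pseudonymized."""
    masked = dict(record)
    masked["national_id"] = pseudonymize_national_id(record["national_id"], key)
    masked["iban"] = pseudonymize_iban(record["iban"], key)
    return masked

# Constructed sample row (not a real customer); its IBAN is built with valid check digits.
SAMPLE_BBAN = "80000000608010167519"
SAMPLE_CUSTOMER = {"customer_id": 1001, "national_id": "1012345678", "iban": "SA" + iban_check_digits("SA", SAMPLE_BBAN) + SAMPLE_BBAN}
```

Because the mapping is an HMAC under a key that never reaches the test environment, one customer stays consistent across all masked tables while the real values cannot be recovered from the copy. Indirect identifiers (names, phone numbers, addresses) still need their own classification and masking rule.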

A.8.12 — Data Leakage Prevention: Implement DLP controls across endpoints, email, and cloud storage. Microsoft Purview, Symantec DLP, or Forcepoint are common choices in the Saudi market.

A.8.16 — Monitoring Activities: Implement centralized logging and monitoring with defined alert thresholds. If you operate a SOC, this control validates your SIEM use cases and escalation procedures.

A.8.23 — Web Filtering: Control access to external websites to reduce malware and phishing risk. Proxy-based or DNS-based filtering (Zscaler, Cisco Umbrella) satisfies this requirement.

A.8.28 — Secure Coding: Embed secure coding practices into your SDLC — code reviews, SAST/DAST scanning, and developer training. This control aligns directly with SAMA CSCC's application security requirements.

A Phased Implementation Plan

Whether you are transitioning from 2013 or starting fresh, a structured approach prevents scope creep and audit surprises. Here is a proven four-phase plan:

PHASE 1 — GAP ANALYSIS (Weeks 1-4)
─────────────────────────────────────
• Map current controls to the new Annex A structure
• Identify gaps against the 11 new controls
• Review and update your Statement of Applicability (SoA)
• Deliverable: Gap report + updated SoA draft

PHASE 2 — RISK ASSESSMENT UPDATE (Weeks 5-8)
─────────────────────────────────────────────
• Refresh asset inventory (include cloud services)
• Re-run risk assessment using updated threat landscape
• Align risk treatment plan with new control numbering
• Deliverable: Updated risk register + risk treatment plan

PHASE 3 — CONTROL IMPLEMENTATION (Weeks 9-20)
──────────────────────────────────────────────
• Deploy new controls (threat intel, DLP, config mgmt, etc.)
• Update policies and procedures to reference 2022 numbering
• Conduct staff awareness sessions on changes
• Deliverable: Updated ISMS documentation + evidence folders

PHASE 4 — INTERNAL AUDIT & CERTIFICATION (Weeks 21-26)
───────────────────────────────────────────────────────
• Run full internal audit against ISO 27001:2022
• Address nonconformities and observations
• Schedule Stage 1 and Stage 2 with certification body
• Deliverable: Internal audit report + management review minutes

For organizations that already hold the 2013 certificate, Phase 1 can often be compressed to two weeks because you already have a functioning ISMS. The critical investment is in Phase 3, where the new controls — particularly threat intelligence, cloud security, and data leakage prevention — may require tool procurement and configuration.

Connecting to the Saudi Regulatory Landscape

ISO 27001 certification is not explicitly mandated by SAMA, but it is heavily referenced as a recognized baseline in both the SAMA Cyber Security Framework (CSCC) and NCA's Essential Cybersecurity Controls (ECC). Many Saudi financial institutions pursue ISO 27001 as a foundational layer, then map SAMA-specific requirements on top. The 2022 revision makes this easier because the new control themes align more naturally with SAMA CSCC's domain structure. Additionally, controls like A.8.10 (Information Deletion) and A.8.11 (Data Masking) directly support PDPL compliance obligations around data minimization and the right to erasure. If your organization plans to undergo a SAMA cyber maturity assessment, having a current ISO 27001:2022 certificate significantly reduces the effort required to demonstrate compliance across overlapping domains.

Common Mistakes to Avoid

  • Treating the transition as a documentation exercise: Simply renumbering your SoA from the old control IDs to the new ones is not a transition. Auditors will verify that the 11 new controls are genuinely implemented, not just listed. Allocate budget and project time for actual tool deployment and process changes.
  • Ignoring the cloud security control (A.5.23): Many organizations assume their cloud provider handles everything. The shared responsibility model means you are accountable for configuration, access management, and data classification in the cloud. Document your responsibilities explicitly for each service (IaaS, PaaS, SaaS).
  • Delaying the risk assessment refresh: Your 2013-era risk register likely does not account for threats like supply chain attacks, AI-powered phishing, or cloud misconfiguration. Running Phase 3 without an updated risk assessment means you may implement controls that do not address your actual top risks.

Lesson Summary

  • ISO 27001:2022 restructures Annex A from 114 controls across 14 domains to 93 controls across four themes (Organizational, People, Physical, Technological), simplifying cross-framework mapping to SAMA and NCA requirements.
  • Eleven new controls address modern realities including threat intelligence, cloud security, data masking, DLP, secure coding, and ICT business continuity — most of which directly support Saudi regulatory obligations.
  • A four-phase implementation plan (Gap Analysis → Risk Assessment → Control Implementation → Internal Audit) spanning approximately 26 weeks provides a realistic timeline for transition or first-time certification.

Next Lesson

In the next lesson we will cover: Risk Management According to SAMA and NCA Standards — how to build a risk management program that satisfies both regulators simultaneously, including risk appetite statements, quantitative vs. qualitative methods, and reporting to the board.


Ready to apply these concepts in your organization? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment.