ISO 27001:2023 - Updated Policy Requirements Explained
ISO 27001:2023 was released in October 2022, replacing the 2013 version. If you're pursuing certification or already certified, you have until October 2025 to transition to the new standard.
This update introduced 11 new controls, removed 35 legacy controls, and reorganized everything from 14 categories to 4 themes. Here's what it means for your policies. For the full control-to-policy mapping, see our ISO 27001 framework page.
What Changed in ISO 27001:2023?
Quick answer. The 2022 revision of ISO/IEC 27001 restructured Annex A from 14 sections and 114 controls into 4 themes and 93 controls, and introduced 11 new controls — threat intelligence, cloud security and secure coding among them — each of which needs a documented policy.
Control Structure Redesign
Old (2013): 14 sections, 114 controls
New (2023): 4 themes, 93 controls
The four new themes:
- Organisational Controls (37 controls)
- People Controls (8 controls)
- Physical Controls (14 controls)
- Technological Controls (34 controls)
11 New Controls You Need Policies For
| Control | Title | Required Policy/Documentation |
|---|---|---|
| 5.7 | Threat Intelligence | Threat Intelligence Policy |
| 5.23 | Cloud Services | Cloud Services Security Policy |
| 5.30 | ICT Readiness for Business Continuity | ICT Business Continuity Plan |
| 7.4 | Physical Security Monitoring | Physical Security Monitoring Policy |
| 8.9 | Configuration Management | Configuration Management Policy |
| 8.10 | Information Deletion | Data Deletion & Sanitization Policy |
| 8.11 | Data Masking | Data Masking & Anonymization Policy |
| 8.12 | Data Leakage Prevention | DLP Policy |
| 8.16 | Monitoring Activities | Security Monitoring Policy |
| 8.23 | Web Filtering | Web Filtering & Internet Use Policy |
| 8.28 | Secure Coding | Secure Software Development Policy |
Complete Policy List for ISO 27001:2023
Quick answer. Full compliance needs roughly 18 mandatory policies, from the top-level information security policy through risk assessment and treatment, access control, cryptography, asset management and incident response. The list below separates the core mandatory set from the conditional ones.
To achieve full compliance, you'll need approximately 18 mandatory policies:
Core Mandatory Policies (Must Have)
- Information Security Policy (Top-level policy)
- Risk Assessment & Treatment Policy
- Access Control Policy
- Cryptography & Key Management Policy
- Physical & Environmental Security Policy
- Asset Management Policy
- Acceptable Use Policy
- Change Management Policy
- Incident Response Policy
- Business Continuity Policy
- Backup & Recovery Policy
- Supplier Security Policy
New/Updated Policies for 2023
- Threat Intelligence Policy (New Control 5.7)
- Cloud Services Security Policy (New Control 5.23)
- Data Deletion & Sanitization Policy (New Control 8.10)
- Data Masking Policy (New Control 8.11)
- DLP Policy (New Control 8.12)
- Secure Coding Policy (New Control 8.28)
Mapping Your Existing Policies
Quick answer. Organisations certified against the 2013 edition do not start over — old controls map to new ones; for example, A.9 access control maps to controls 5.15–5.18 and 8.2–8.5. The mappings below cover the most common cases, and ISO publishes the complete correspondence table.
If you're already ISO 27001:2013 certified, here's how old controls map to new ones:
Example mappings:
- A.9 (Access Control) → Controls 5.15-5.18, 8.2-8.5
- A.12 (Operations Security) → Controls 8.6-8.16
- A.17 (Business Continuity) → Controls 5.29-5.30
Download the complete ISO 27001:2023 mapping guide from ISO.
What Auditors Will Look For
Quick answer. Auditors concentrate scrutiny on the new controls: a cloud services inventory with documented responsibilities (control 5.23), an operating threat-intelligence process (5.7), and evidence each new policy is more than a renamed 2013 document. The checklist below covers the questions asked most often.
During your ISO 27001:2023 audit, expect scrutiny on:
1. Cloud Security (Control 5.23)
- Do you have a cloud services inventory?
- Are cloud security responsibilities documented?
- Have you assessed cloud provider compliance?
2. Threat Intelligence (Control 5.7)
- Do you monitor threat feeds?
- How do you incorporate threat intel into risk assessments?
- What's your process for acting on threat intelligence?
3. Secure Coding (Control 8.28)
- Do developers follow secure coding standards?
- Are code reviews mandatory before deployment?
- Do you use automated security testing tools?
Timeline for Transition
Quick answer. The transition deadline was 31 October 2025: certificates against the 2013 edition are no longer valid, and all surveillance and recertification audits now run against ISO/IEC 27001:2022. Any organisation still carrying 2013-era documentation should treat the gap analysis as overdue.
Deadline: October 2025
Organisations with existing ISO 27001:2013 certification have a 3-year transition period. After October 2025:
- ISO 27001:2013 certificates are no longer valid
- All surveillance and recertification audits must use the 2023 standard
- You cannot achieve new ISO 27001:2013 certification
Recommended timeline:
- Q4 2024: Gap analysis and policy drafting
- Q1 2025: Implementation and staff training
- Q2 2025: Internal audit
- Q3 2025: Certification audit
Common Mistakes to Avoid
Quick answer. The expensive mistakes are predictable: renaming 2013 policies instead of rewriting them for the new control requirements, skipping the 11 new controls entirely, and a Statement of Applicability that does not clearly map policies to controls. Auditors check all three early.
1. Copy-Pasting Old Policies
Don't just rename your 2013 policies. The new controls have different requirements and evidence needs.
2. Ignoring the 11 New Controls
These aren't optional. If you don't have policies covering threat intelligence, cloud security, and secure coding, you'll fail the audit.
3. Poor Control Mapping
Auditors want to see a clear Statement of Applicability (SoA) showing which policies address which controls. Generic policies without control mapping won't pass.
Get ISO 27001:2023 Compliant Fast
Our ISO 27001 Core Set pack includes all 18 required policies, pre-mapped to the 2023 standard, with control references and implementation guidance.
View ISO 27001 PackFurther Resources
Quick answer. The links below lead to the official ISO/IEC 27001:2022 standard — the definitive source for control wording — plus the PolicySuite framework page with the full Annex A control library and related policy-requirement guides for SOC 2 and NIST CSF.
- ISO 27001:2023 Official Standard
- UK GDPR Updates 2025
- Policy Acknowledgement Best Practices
- ISO 27001 framework and Annex A controls library
- More compliance articles
Keep reading
SOC 2 Type II Policy Checklist
All five Trust Service Criteria mapped to the policies your auditor needs to see.
NIST CSF 2.0 Changes and Policies
The new GOVERN function, six core areas, and the policies you need to update.
10 cybersecurity policies every SME needs
The minimum set Cyber Essentials and ICO breach assessments expect you to have in place.