ISO 27001:2023 - Updated Policy Requirements Explained
ISO 27001:2023 was released in October 2022, replacing the 2013 version. If you're pursuing certification or already certified, you have until October 2025 to transition to the new standard.
This update introduced 11 new controls, removed 35 legacy controls, and reorganized everything from 14 categories to 4 themes. Here's what it means for your policies.
What Changed in ISO 27001:2023?
Control Structure Redesign
Old (2013): 14 sections, 114 controls
New (2023): 4 themes, 93 controls
The four new themes:
- Organisational Controls (37 controls)
- People Controls (8 controls)
- Physical Controls (14 controls)
- Technological Controls (34 controls)
11 New Controls You Need Policies For
| Control | Title | Required Policy/Documentation |
|---|---|---|
| 5.7 | Threat Intelligence | Threat Intelligence Policy |
| 5.23 | Cloud Services | Cloud Services Security Policy |
| 5.30 | ICT Readiness for Business Continuity | ICT Business Continuity Plan |
| 7.4 | Physical Security Monitoring | Physical Security Monitoring Policy |
| 8.9 | Configuration Management | Configuration Management Policy |
| 8.10 | Information Deletion | Data Deletion & Sanitization Policy |
| 8.11 | Data Masking | Data Masking & Anonymization Policy |
| 8.12 | Data Leakage Prevention | DLP Policy |
| 8.16 | Monitoring Activities | Security Monitoring Policy |
| 8.23 | Web Filtering | Web Filtering & Internet Use Policy |
| 8.28 | Secure Coding | Secure Software Development Policy |
Complete Policy List for ISO 27001:2023
To achieve full compliance, you'll need approximately 18 mandatory policies:
Core Mandatory Policies (Must Have)
- Information Security Policy (Top-level policy)
- Risk Assessment & Treatment Policy
- Access Control Policy
- Cryptography & Key Management Policy
- Physical & Environmental Security Policy
- Asset Management Policy
- Acceptable Use Policy
- Change Management Policy
- Incident Response Policy
- Business Continuity Policy
- Backup & Recovery Policy
- Supplier Security Policy
New/Updated Policies for 2023
- Threat Intelligence Policy (New Control 5.7)
- Cloud Services Security Policy (New Control 5.23)
- Data Deletion & Sanitization Policy (New Control 8.10)
- Data Masking Policy (New Control 8.11)
- DLP Policy (New Control 8.12)
- Secure Coding Policy (New Control 8.28)
Mapping Your Existing Policies
If you're already ISO 27001:2013 certified, here's how old controls map to new ones:
Example mappings:
- A.9 (Access Control) → Controls 5.15-5.18, 8.2-8.5
- A.12 (Operations Security) → Controls 8.6-8.16
- A.17 (Business Continuity) → Controls 5.29-5.30
Download the complete ISO 27001:2023 mapping guide from ISO.
What Auditors Will Look For
During your ISO 27001:2023 audit, expect scrutiny on:
1. Cloud Security (Control 5.23)
- Do you have a cloud services inventory?
- Are cloud security responsibilities documented?
- Have you assessed cloud provider compliance?
2. Threat Intelligence (Control 5.7)
- Do you monitor threat feeds?
- How do you incorporate threat intel into risk assessments?
- What's your process for acting on threat intelligence?
3. Secure Coding (Control 8.28)
- Do developers follow secure coding standards?
- Are code reviews mandatory before deployment?
- Do you use automated security testing tools?
Timeline for Transition
Deadline: October 2025
Organisations with existing ISO 27001:2013 certification have a 3-year transition period. After October 2025:
- ISO 27001:2013 certificates are no longer valid
- All surveillance and recertification audits must use the 2023 standard
- You cannot achieve new ISO 27001:2013 certification
Recommended timeline:
- Q4 2024: Gap analysis and policy drafting
- Q1 2025: Implementation and staff training
- Q2 2025: Internal audit
- Q3 2025: Certification audit
Common Mistakes to Avoid
1. Copy-Pasting Old Policies
Don't just rename your 2013 policies. The new controls have different requirements and evidence needs.
2. Ignoring the 11 New Controls
These aren't optional. If you don't have policies covering threat intelligence, cloud security, and secure coding, you'll fail the audit.
3. Poor Control Mapping
Auditors want to see a clear Statement of Applicability (SoA) showing which policies address which controls. Generic policies without control mapping won't pass.
Get ISO 27001:2023 Compliant Fast
Our ISO 27001 Complete Pack includes all 18 required policies, pre-mapped to the 2023 standard, with control references and implementation guidance.