Back to Blog
ISO 27001:2023 policy requirements showing the 11 new controls and 4-theme structure

ISO 27001:2023 - Updated Policy Requirements Explained

ISO 27001:2023 was released in October 2022, replacing the 2013 version. If you're pursuing certification or already certified, you have until October 2025 to transition to the new standard.

This update introduced 11 new controls, removed 35 legacy controls, and reorganized everything from 14 categories to 4 themes. Here's what it means for your policies. For the full control-to-policy mapping, see our ISO 27001 framework page.

What Changed in ISO 27001:2023?

Quick answer. The 2022 revision of ISO/IEC 27001 restructured Annex A from 14 sections and 114 controls into 4 themes and 93 controls, and introduced 11 new controls — threat intelligence, cloud security and secure coding among them — each of which needs a documented policy.

Control Structure Redesign

Old (2013): 14 sections, 114 controls
New (2023): 4 themes, 93 controls

The four new themes:

  1. Organisational Controls (37 controls)
  2. People Controls (8 controls)
  3. Physical Controls (14 controls)
  4. Technological Controls (34 controls)

11 New Controls You Need Policies For

Control Title Required Policy/Documentation
5.7 Threat Intelligence Threat Intelligence Policy
5.23 Cloud Services Cloud Services Security Policy
5.30 ICT Readiness for Business Continuity ICT Business Continuity Plan
7.4 Physical Security Monitoring Physical Security Monitoring Policy
8.9 Configuration Management Configuration Management Policy
8.10 Information Deletion Data Deletion & Sanitization Policy
8.11 Data Masking Data Masking & Anonymization Policy
8.12 Data Leakage Prevention DLP Policy
8.16 Monitoring Activities Security Monitoring Policy
8.23 Web Filtering Web Filtering & Internet Use Policy
8.28 Secure Coding Secure Software Development Policy

Complete Policy List for ISO 27001:2023

Quick answer. Full compliance needs roughly 18 mandatory policies, from the top-level information security policy through risk assessment and treatment, access control, cryptography, asset management and incident response. The list below separates the core mandatory set from the conditional ones.

To achieve full compliance, you'll need approximately 18 mandatory policies:

Core Mandatory Policies (Must Have)

  1. Information Security Policy (Top-level policy)
  2. Risk Assessment & Treatment Policy
  3. Access Control Policy
  4. Cryptography & Key Management Policy
  5. Physical & Environmental Security Policy
  6. Asset Management Policy
  7. Acceptable Use Policy
  8. Change Management Policy
  9. Incident Response Policy
  10. Business Continuity Policy
  11. Backup & Recovery Policy
  12. Supplier Security Policy

New/Updated Policies for 2023

  1. Threat Intelligence Policy (New Control 5.7)
  2. Cloud Services Security Policy (New Control 5.23)
  3. Data Deletion & Sanitization Policy (New Control 8.10)
  4. Data Masking Policy (New Control 8.11)
  5. DLP Policy (New Control 8.12)
  6. Secure Coding Policy (New Control 8.28)

Mapping Your Existing Policies

Quick answer. Organisations certified against the 2013 edition do not start over — old controls map to new ones; for example, A.9 access control maps to controls 5.15–5.18 and 8.2–8.5. The mappings below cover the most common cases, and ISO publishes the complete correspondence table.

If you're already ISO 27001:2013 certified, here's how old controls map to new ones:

Example mappings:

  • A.9 (Access Control) → Controls 5.15-5.18, 8.2-8.5
  • A.12 (Operations Security) → Controls 8.6-8.16
  • A.17 (Business Continuity) → Controls 5.29-5.30

Download the complete ISO 27001:2023 mapping guide from ISO.

What Auditors Will Look For

Quick answer. Auditors concentrate scrutiny on the new controls: a cloud services inventory with documented responsibilities (control 5.23), an operating threat-intelligence process (5.7), and evidence each new policy is more than a renamed 2013 document. The checklist below covers the questions asked most often.

During your ISO 27001:2023 audit, expect scrutiny on:

1. Cloud Security (Control 5.23)

2. Threat Intelligence (Control 5.7)

3. Secure Coding (Control 8.28)

Timeline for Transition

Quick answer. The transition deadline was 31 October 2025: certificates against the 2013 edition are no longer valid, and all surveillance and recertification audits now run against ISO/IEC 27001:2022. Any organisation still carrying 2013-era documentation should treat the gap analysis as overdue.

Deadline: October 2025

Organisations with existing ISO 27001:2013 certification have a 3-year transition period. After October 2025:

Recommended timeline:

Common Mistakes to Avoid

Quick answer. The expensive mistakes are predictable: renaming 2013 policies instead of rewriting them for the new control requirements, skipping the 11 new controls entirely, and a Statement of Applicability that does not clearly map policies to controls. Auditors check all three early.

1. Copy-Pasting Old Policies

Don't just rename your 2013 policies. The new controls have different requirements and evidence needs.

2. Ignoring the 11 New Controls

These aren't optional. If you don't have policies covering threat intelligence, cloud security, and secure coding, you'll fail the audit.

3. Poor Control Mapping

Auditors want to see a clear Statement of Applicability (SoA) showing which policies address which controls. Generic policies without control mapping won't pass.

Get ISO 27001:2023 Compliant Fast

Our ISO 27001 Core Set pack includes all 18 required policies, pre-mapped to the 2023 standard, with control references and implementation guidance.

View ISO 27001 Pack

Further Resources

Quick answer. The links below lead to the official ISO/IEC 27001:2022 standard — the definitive source for control wording — plus the PolicySuite framework page with the full Annex A control library and related policy-requirement guides for SOC 2 and NIST CSF.

Keep reading

How to structure ISO 27001:2022 policies

Quick answer. ISO 27001:2022 reorganises Annex A into 4 themes (organisational, people, physical, technological) covering 93 controls. Effective policies map clause-by-clause to these controls and version-stamp at generation so auditors can trace each control to its policy. Bespoke generation typically replaces a £5,000–£15,000 consultancy engagement with a one-off £400 pack — a 12× to 38× cost reduction with the same audit-readiness.

References and primary sources

Quick answer. The guidance above is cross-referenced against the primary-source documents below. Each link resolves to an official regulator or standards-body publication so the chain stays intact end-to-end.

The documents that survive enterprise vendor review and regulator scrutiny cite their primary sources clause by clause. Many UK SMEs first discover a policy gap when a buyer’s legal team challenges a generic phrase — for example, a citation to guidance that has since been revised. Checking each policy against the sources above closes that gap before someone else finds it.