ISO 27001:2022 restructured Annex A from 114 controls (2013 version) down to 93, but the change is substantive, not cosmetic. The new structure organises controls into 4 themes: organisational (37), people (8), physical (14), technological (34). UK organisations transitioning from ISO 27001:2013 must complete the transition by October 2025; new certifications are issued against the 2022 standard only. This is the practical mapping for IT teams.
The 4 themes of Annex A:2022
Theme A.5 — Organisational controls (37): policies, leadership, asset management, supplier relationships, business continuity.
Theme A.6 — People controls (8): screening, employment terms, awareness, disciplinary process.
Theme A.7 — Physical controls (14): facilities, equipment, clear desk + clear screen.
Theme A.8 — Technological controls (34): identity + access, cryptography, secure development, backups, vulnerability management, logging + monitoring, network security.
The 11 new controls in 2022
A.5.7 Threat intelligence
A.5.23 Information security for use of cloud services
A.5.30 ICT readiness for business continuity
A.7.4 Physical security monitoring
A.8.9 Configuration management
A.8.10 Information deletion
A.8.11 Data masking
A.8.12 Data leakage prevention
A.8.16 Monitoring activities
A.8.23 Web filtering
A.8.28 Secure coding
How Servnet customers typically implement
A.5.23 Cloud security — Microsoft Defender for Cloud + Zscaler CSPM / Netskope.
A.8.9 Configuration management — Microsoft Intune + Jamf Pro for endpoint; Servnet-deployed configuration baselines for servers.
A.8.12 Data leakage prevention — DLP services via Microsoft Purview, Netskope DLP, Symantec DLP.
A.8.16 Monitoring — SIEM (Microsoft Sentinel, Splunk) + 24/7 SOC (MDR).
A.8.23 Web filtering — included with SASE platforms (Zscaler, Palo Alto Prisma).
A.8.28 Secure coding — SAST / DAST tooling (Snyk, Checkmarx, GitHub Advanced Security).
The transition timeline
ISO 27001:2013 certifications: must transition to the 2022 standard by 31 October 2025. After that, 2013 certificates are no longer valid.
Most UK certified organisations had transitioned by mid-2025; if you have not yet transitioned, prioritise it.
New certifications are 2022 standard only.
What Servnet does
Servnet supports ISO 27001:2022 alignment + technical control deployment. We don't issue certificates (UKAS-accredited certification bodies do that) but we run the gap analysis, deploy missing controls, and prepare evidence packs for your auditor.