Saudi Arabia’s push toward digital transformation and cybersecurity excellence has made ISO 27001 certification more relevant than ever. Many companies, however, don’t realize that the standard received a major update in October 2022, and ignoring that update is not an option for long.
Whether your business operates in oil & gas, healthcare, fintech, or government contracting, understanding these changes is about more than compliance: it is about safeguarding your business as cyber threats against the region keep growing.
ISO/IEC 27001:2022 consolidates Annex A from 114 to 93 controls, introduces 11 new controls, and reorganizes them into four themes. For Saudi companies already navigating local regulations such as the NCA’s ECC and NCNICC, the update aligns better with regional requirements and so makes multi-framework compliance easier. There is a catch, though: the transition window is closing.
| TL;DR — Key Transition Dates Under the IAF transition arrangements, certification bodies are expected to complete ISO 27001:2022 transition audits by July 31, 2025, and every ISO 27001:2013 certificate expires or is withdrawn by October 31, 2025. The update reduces Annex A to 93 controls, adds 11 new controls, and regroups them into 4 themes instead of 14 domains. |
What Actually Changed in ISO 27001:2022?
Contents
- 1 What Actually Changed in ISO 27001:2022?
- 2 What Are the 11 New Controls and Why Do They Matter for Saudi Businesses?
- 3 How Does ISO 27001:2022 Align with Saudi Cybersecurity Regulations?
- 4 What’s the Transition Process and Timeline?
- 5 Common Mistakes Saudi Companies Make During Transition
- 6 Frequently Asked Questions
- 6.1 What changed in ISO 27001:2022?
- 6.2 Is ISO 27001:2013 still valid in Saudi Arabia?
- 6.3 How long does the ISO 27001:2022 transition take?
- 6.4 What new controls are most relevant to Saudi companies?
- 6.5 Who needs ISO 27001 certification in Saudi Arabia?
- 6.6 How much does ISO 27001:2022 certification cost in KSA?
All new ISO 27001 certifications starting November 1, 2023, must use the 2022 version. This is not a cosmetic refresh. ISO and IEC restructured the entire Annex A control set to reflect modern challenges such as cloud security, data leakage prevention, and threat intelligence.
Controls Reorganization
- Controls reduced from 114 to 93 (a net reduction of 21)
- 11 completely new controls addressing modern security challenges
- 57 controls from the 2013 edition merged into 24 to remove redundancy; 23 controls renamed and 35 kept unchanged (35 + 23 + 24 + 11 = 93)
New Control Structure (4 Themes)
- Organizational (A.5, 37 controls): Policies, roles, risk management, supplier relationships, incident management, compliance
- People (A.6, 8 controls): Screening, terms of employment, awareness and training, disciplinary process
- Physical (A.7, 14 controls): Secure areas, equipment protection, secure disposal
- Technological (A.8, 34 controls): Access control, cryptography, network security, logging and monitoring, secure development
Main Clause Updates
- Clause 4.2 now requires you to determine which of the interested parties’ requirements will be addressed through the ISMS
- New Clause 6.3 (Planning of Changes) requires that changes to the ISMS are carried out in a planned manner, which in practice means a documented change procedure for the ISMS itself
For Saudi companies this matters because your existing documentation, Statement of Applicability (SoA), and risk assessment procedures all need updating. A logistics company in Jeddah, for instance, would need to reassess its cloud security controls if it uses AWS or Azure for tracking systems.
| Expert Insight Saudi companies often underestimate the documentation workload during ISO transitions. Organizations typically spend 60–70% of transition time updating policies rather than implementing technical controls. Start your document review now. |
What Are the 11 New Controls and Why Do They Matter for Saudi Businesses?
ISO 27001:2022 introduces 11 new controls that address gaps in the old standard: Configuration Management, Data Masking, Prevention of Data Leakage, ICT Readiness for Business Continuity, Deleting Information, Information Security for Using Cloud Services, Monitoring Activities, Monitoring Physical Security, Secure Coding, Threat Intelligence, and Web Filtering.
Cloud & Data Security Controls
- A.8.23 Web Filtering: Essential for fintech companies protecting customer portals from phishing attacks.
- A.5.23 Information Security for Cloud Services: Addresses risks when using STC Cloud, AWS, or Azure.
- A.8.11 Data Masking: Critical for healthcare providers handling patient data in NPHIES systems.
- A.8.12 Data Leakage Prevention: Protects oil & gas companies from sensitive exploration data leaks.
Monitoring & Detection Controls
- A.8.16 Monitoring Activities: Real-time tracking of system access and anomalies.
- A.7.4 Physical Security Monitoring: CCTV and access logs for manufacturing facilities.
- A.5.7 Threat Intelligence: Staying ahead of sector-specific cyber threats.
Resilience & Continuity Controls
- A.5.30 ICT Readiness for Business Continuity: Keeping ICT services available and recoverable to the level your business continuity plan requires.
- A.8.9 Configuration Management: Defining, enforcing, and monitoring secure baseline configurations across IT infrastructure.
- A.8.28 Secure Coding: For software companies designing applications.
Information Lifecycle Control
- A.8.10 Information Deletion: Ensures proper disposal of data when contracts end.
For a Saudi construction company managing government contracts, these new controls mean you’ll need documented procedures covering how you handle cloud-stored project data, monitor who accesses blueprints, and ensure redundancy for critical project management systems.
| Expert Insight The cloud security controls (A.5.23) are particularly important for Saudi companies as Vision 2030 drives cloud adoption. Certification bodies are scrutinising cloud vendor contracts and data residency agreements more carefully during audits. |

How Does ISO 27001:2022 Align with Saudi Cybersecurity Regulations?
ISO 27001:2022 maps closely onto the NCA’s ECC-2 (updated December 2024): Clause 6 risk management, A.5.7 threat intelligence, A.8.8 management of technical vulnerabilities, and the Annex A governance controls all have direct ECC counterparts. This overlap is a significant advantage for Saudi businesses managing multiple compliance frameworks.
Alignment with NCA Requirements
- An Annex A-based ISMS covers the majority of NCNICC-1:2025 private sector requirements, including A.5.1–5.4 policies and governance, A.5.15–5.18 access control, A.5.24–5.28 incident management, and A.5.19–5.22 supplier relationships.
- The risk assessment methodology (Clause 6) maps directly to NCA’s Essential Cybersecurity Controls (ECC).
- Incident response planning (A.5.24-5.28) covers NCA incident reporting obligations.
Benefits for Government Contractors
- Many government tenders now require ISO 27001 certification as a baseline.
- Many requirements of SAMA’s Cyber Security Framework for financial institutions overlap with Annex A controls, so a certified ISMS gives regulated entities a head start.
- Healthcare organizations can use ISO 27001:2022 controls to address Ministry of Health data protection requirements.
Saudi Regulatory Alignment Summary
| Regulation | ISO 27001:2022 Alignment | Key Controls |
| NCA ECC-2 | Direct mapping to governance, risk, and technical controls | A.5.7, A.8.8, Clause 6 |
| SAMA Cyber Framework | Information security and operational resilience | A.5.24-5.28, A.8.14 |
| SDAIA Data Regulations | Data lifecycle and privacy controls | A.8.10, A.8.11, A.8.12 |
| MOH Health Data | Patient information protection | A.5.15-5.18, A.8.11 |
What’s the Transition Process and Timeline?
| Critical Deadlines Certification bodies are expected to complete transition audits by July 31, 2025, and organizations must be fully transitioned by October 31, 2025. From November 1, 2025, ISO 27001:2013 certificates expire or are withdrawn and are no longer recognised by certification bodies or regulatory authorities. |
Transition Timeline
- Now – July 2025: Conduct transition audit with your certification body.
- By October 31, 2025: Complete all corrective actions and receive your updated certificate.
- After November 1, 2025: ISO 27001:2013 certificates expire or are withdrawn and are no longer recognized.
5-Step Transition Process
- Step 1 — Gap Analysis (2–4 weeks): Compare your current 2013 controls against 2022 requirements, identify which new controls apply, and assess documentation gaps.
- Step 2 — Update ISMS Documentation (6–12 weeks): Revise your Statement of Applicability (SoA), update your risk assessment, rewrite policies addressing new controls (especially cloud security, monitoring, threat intelligence), and add a documented change-planning step to your ISMS change procedure to meet Clause 6.3.
- Step 3 — Implement New Controls (8–16 weeks): Deploy technical controls (web filtering, monitoring systems, data masking tools), establish procedures for configuration management and secure coding, and train staff.
- Step 4 — Internal Audit (2–4 weeks): Test implementation of new controls, verify documentation completeness, and address non-conformities before the certification audit.
- Step 5 — Transition Audit (1–2 weeks): The certification body reviews the updated ISMS, focusing on new controls and documentation structure.
Key Documents Requiring Updates
- Statement of Applicability (SoA) — complete restructure
- Risk Assessment and Treatment Plan
- Information Security Policy
- Access Control Policy
- Incident Response Plan
- Business Continuity Plan
- Supplier Security Policy
- Cloud Services Policy (new)
- Data Deletion Procedure (new)
- Secure Coding Standards (if applicable)

Common Mistakes Saudi Companies Make During Transition
1. Treating it as just a documentation exercise. Many companies update their SoA numbers without actually implementing controls. Auditors will test whether you have deployed web filtering or established threat intelligence processes.
2. Ignoring cloud security controls. If you are using any cloud services — and most organizations are — you cannot mark A.5.23 as “not applicable.” You need documented cloud vendor assessments, data residency agreements, and access controls.
3. Underestimating the monitoring requirements. The new monitoring controls (A.8.16, A.7.4) demand evidence — logs, SIEM systems, or at minimum documented monitoring schedules with evidence of review.
4. Poor supplier risk management mapping. The merged supplier controls (A.5.19-5.22) are more comprehensive. You need contracts with security clauses and regular vendor assessments.
5. Waiting until the last minute. With all certification bodies handling transition audits, scheduling becomes tight as deadlines draw near. Companies contacting auditors in September 2025 may struggle to book slots before October 31.
6. Not involving technical teams early. IT and security teams need adequate time to implement technical controls. A Dammam-based manufacturer learned this the hard way when it discovered that implementing proper configuration management (A.8.9) would take 12 weeks, not two.
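As an added example, not part of this article: a small Python checker for an SoA being migrated to the 2022 Annex A. It assumes an SoA exported as CSV with the columns control_id, applicable and justification (a layout chosen for this illustration) and a set of context flags such as "cloud" and "software_development"; the sample rows are constructed. It covers the gap-analysis and SoA steps above and the mistake of marking A.5.23 not applicable while using cloud services: it rejects 2013-style identifiers, numbers outside Annex A, not-applicable entries without a justification, and context-required controls marked not applicable, and it reports how many controls per theme and which of the 11 new controls are still missing from the SoA.

```python
"""Added example: sanity-check a Statement of Applicability (SoA) against
ISO/IEC 27001:2022 Annex A. Not from the article; the CSV layout, the
context flags and the sample rows are assumptions for illustration."""
import csv
import io
import re

# Annex A of ISO/IEC 27001:2022: four themes, 93 controls in total.
THEME_RANGES = {
    "5": ("Organizational", 37),
    "6": ("People", 8),
    "7": ("Physical", 14),
    "8": ("Technological", 34),
}

# The 11 controls introduced in the 2022 edition.
NEW_CONTROLS = {
    "A.5.7", "A.5.23", "A.5.30", "A.7.4", "A.8.9", "A.8.10",
    "A.8.11", "A.8.12", "A.8.16", "A.8.23", "A.8.28",
}

# Controls that may not be marked "not applicable" while the flag is in scope
# (assumed context flags for this example, not a list from the standard).
CONTEXT_REQUIRED = {
    "cloud": {"A.5.23"},
    "software_development": {"A.8.28"},
}

ID_2022 = re.compile(r"^A\.([5-8])\.(\d{1,2})$")   # e.g. A.8.9
ID_2013 = re.compile(r"^A\.\d{1,2}\.\d+\.\d+$")    # e.g. A.9.2.3 (2013 numbering)


def _sort_key(cid):
    theme, number = cid.split(".")[1:]
    return (int(theme), int(number))


def all_2022_controls():
    """The full set of 93 Annex A identifiers."""
    return {f"A.{theme}.{n}"
            for theme, (_, count) in THEME_RANGES.items()
            for n in range(1, count + 1)}


def check_soa(csv_text, context):
    """Validate an SoA export. Returns per-row errors, the number of controls
    still missing per theme, and the new controls not yet listed."""
    errors = []
    seen = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        cid = row["control_id"].strip()
        applicable = row["applicable"].strip().lower() in ("yes", "y", "true")
        justification = (row["justification"] or "").strip()
        if ID_2013.match(cid):
            errors.append(f"{cid}: 2013-style identifier, re-map it to the 2022 numbering")
            continue
        m = ID_2022.match(cid)
        if not m or int(m.group(2)) > THEME_RANGES[m.group(1)][1]:
            errors.append(f"{cid}: not an ISO/IEC 27001:2022 Annex A control")
            continue
        if cid in seen:
            errors.append(f"{cid}: listed more than once")
        seen.add(cid)
        if applicable:
            continue
        # Every exclusion needs a written justification the auditor can test.
        if not justification:
            errors.append(f"{cid}: marked not applicable without a justification")
        for flag, required in CONTEXT_REQUIRED.items():
            if flag in context and cid in required:
                errors.append(f"{cid}: cannot be not applicable while '{flag}' is in scope")
    missing = all_2022_controls() - seen
    missing_by_theme = {name: 0 for name, _ in THEME_RANGES.values()}
    for cid in missing:
        missing_by_theme[THEME_RANGES[cid.split(".")[1]][0]] += 1
    return {
        "errors": errors,
        "missing_by_theme": missing_by_theme,
        "missing_new_controls": sorted(NEW_CONTROLS & missing, key=_sort_key),
    }


# Constructed sample: a partially migrated SoA with typical transition mistakes.
SAMPLE_SOA = """control_id,applicable,justification
A.5.1,yes,
A.5.7,yes,
A.5.23,no,We do not use cloud services
A.8.10,no,
A.8.35,yes,
A.9.2.3,yes,
A.8.28,no,No in-house software development
"""

if __name__ == "__main__":
    report = check_soa(SAMPLE_SOA, context={"cloud"})
    for err in report["errors"]:
        print("ERROR", err)
    print("missing per theme:", report["missing_by_theme"])
    print("new controls not yet listed:", report["missing_new_controls"])
```

Run against the sample with "cloud" in scope, the checker flags A.5.23 (excluded while cloud is in use), A.8.10 (excluded with no justification), A.8.35 (no such control) and A.9.2.3 (2013 numbering), and reports that 7 of the 11 new controls have not been entered yet; the same check against an SoA listing all 93 controls returns no errors.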
Frequently Asked Questions
What changed in ISO 27001:2022?
The standard reduced controls from 114 to 93, introduced 11 new controls focused on areas such as cloud security and monitoring, and reorganized Annex A into 4 themes instead of 14 domains. The new Clause 6.3 requires changes to the ISMS to be carried out in a planned manner.
Is ISO 27001:2013 still valid in Saudi Arabia?
No. All new certifications since November 1, 2023, must use ISO 27001:2022. Existing 2013 certificates remain valid until their expiry date or October 31, 2025, whichever comes first. After this date, only 2022 certificates are recognized by certification bodies and regulatory authorities in Saudi Arabia.
How long does the ISO 27001:2022 transition take?
Typically 3–6 months, depending on an organization’s size and current compliance level. This includes gap analysis (2–4 weeks), documentation updates (6–12 weeks), control implementation (8–16 weeks), internal audit (2–4 weeks), and certification audit (1–2 weeks).
What new controls are most relevant to Saudi companies?
Cloud security (A.5.23), threat intelligence (A.5.7), data leakage prevention (A.8.12), data masking (A.8.11), and monitoring activities (A.8.16) are particularly relevant given Saudi Arabia’s increasing cloud adoption, targeted cyber threats, and data protection regulations.
Who needs ISO 27001 certification in Saudi Arabia?
Government contractors, financial institutions regulated by SAMA, healthcare organizations, cloud service providers, and companies handling sensitive data typically require certification. It is increasingly a prerequisite in public sector tenders and demanded by large enterprises for their suppliers.
How much does ISO 27001:2022 certification cost in KSA?
Costs vary widely: SAR 40,000–150,000 for small companies (under 50 employees), SAR 150,000–400,000 for medium organizations (50–250 employees), and SAR 400,000+ for large enterprises. Transition audits for companies already certified to 2013 typically cost 30–50% less than new certifications.