Get in touch

Get in touch

  • This field is for validation purposes and should be left unchanged.

Privacy Notice


When you submit an enquiry via our website, we use the personal data you supply to respond to your query, including providing you with any requested information about our products and services. We may also email you several times after your enquiry in order to follow up on your interest and ensure that we have answered your it to your satisfaction. We will do this based on our legitimate interest in providing accurate information prior to a sale. Your enquiry is stored and processed as an email which is hosted by Microsoft within the European Economic Area (EEA). We keep enquiry emails for two years, after which they are securely archived and kept for seven years, when we delete them.

Reveal Menu

ISO27001 Toolkit Version 11A – The New Controls


Obviously the big news story at the moment concerning the ISO27001 standard is the new set of controls published by ISO in February in the form of ISO27002:2022. After a false start and much deliberation, ISO will be updating the ISO27001 standard to match ISO27002 during the year, but in the meantime, we have a slightly awkward period of time where the two standards don’t match. The CertiKit ISO27001 Toolkit Version 11A is an interim release which provides many of the documents needed to bring your ISMS into line with the new control set when you’re ready.

ISO27001 toolkit with new ISO27002 controls

The New Controls

If you haven’t heard, the new set of controls specified in ISO27002:2022 consists of 93 individual controls organised into four themes, namely:

  • Clause 5. Organizational controls
  • Clause 6. People controls
  • Clause 7. Physical controls
  • Clause 8. Technological controls

Many of the controls from the previous version have been merged and there are eleven new ones to contend with, which are:

  • 5.7 Threat intelligence
  • 5.23 Information security for use of cloud services
  • 5.30 ICT readiness for business continuity
  • 7.4 Physical security monitoring
  • 8.9 Configuration management
  • 8.10 Information deletion
  • 8.11 Data masking
  • 8.12 Data leakage prevention
  • 8.16 Monitoring activities
  • 8.23 Web filtering
  • 8.28 Secure coding

Decision Time

What this means is that organizations that are either already certified to the ISO27001 standard, or are working towards certification, have a choice to make of when to adopt the new control set. Many will undoubtedly simply wait until the new version of ISO27001 appears and then use the transition period (usually around 2 years) to make the switch.

However, there is an opportunity for some to get ahead of the change and to start the adoption of the new controls sooner. And that is what this update to the ISO27001 Toolkit is all about.

Version 11A of the Toolkit

In Version 11A we have added a new folder called ISO27002 2022 – New controls which provides a total of 25 additional documents covering the 11 new controls. These are a combination of policies, processes, reports and spreadsheet tools that allow an organization to start to address the new control requirements, whilst maintaining their current ISO27001:2013 ISMS (information security management system).

The list of new documents is as follows:

  • ISO27001 2013 Statement of Applicability (with mapping to the new controls)
  • ISO27002 2022 Control attributes
  • ISO27002 2022 Gap Assessment Tool
  • ISO27002 2022 Statement of Applicability
  • Threat Intelligence Policy
  • Threat Intelligence Process
  • Threat Intelligence Report
  • Cloud Services Policy
  • Cloud Services Process
  • Cloud Services Questionnaire
  • Business Impact Analysis Process
  • Business Impact Analysis Report
  • Business Impact Analysis Tool
  • CCTV Policy
  • Configuration Management Policy
  • Configuration Management Process
  • Configuration Standard Template
  • EXAMPLE Configuration Standard Template
  • Information Deletion Policy
  • Data Masking Policy
  • Data Masking Process
  • Data Leakage Prevention Policy
  • Monitoring Policy
  • Web Filtering Policy
  • Secure Coding Policy

Of course, you’ll need to consider whether all of these controls are applicable to your organization in the usual “ISO27001 Statement of Applicability” way.

What Comes Next

When ISO publishes the new version of the ISO27001 standard (understood to be in 2022) we will be updating the CertiKit ISO27001 Toolkit accordingly (to Version 12) and this will also be available free of charge for those who qualify for our lifetime updates scheme. (This depends on the date you purchased your ISO27001 toolkit, speak to our team if you have any queries).

We expect there to be a transition period for the new standard, and it may well take some time for registered certification bodies to train their auditors up to certify against it, so the first certificates for ISO/IEC 27001:2022 may not be seen until 2023.

In summary, it’s an exciting but possibly confusing time for ISO27001 so don’t forget we’re here to help via our toolkits and related services, so feel free to get in touch.

We’ve helped more than 4000 businesses with their compliance


The documents are excellent in covering a vast number of key areas in terms of ISO. I particularly like the layout and the comprehensive nature of the documents provided.

GTI Group

View all Testimonials