
Understanding the ISO 27001:2022 Transition

TSC Advisory | February 15, 2026 | 8 min read

A comprehensive overview of the key changes in the 2022 revision and what organizations need to do to maintain certification.

What Changed in ISO 27001:2022?

The 2022 revision of ISO 27001 represents the first major update since 2013. While the core management system requirements in Clauses 4 through 10 remain largely intact, Annex A has been restructured from 14 control domains with 114 controls down to 4 themes with 93 controls. The four new themes are Organizational, People, Physical, and Technological. Additionally, 11 new controls have been introduced covering areas like threat intelligence, cloud security, ICT readiness for business continuity, and data masking.

Key Structural Changes

The restructuring moves away from the legacy domain-based approach to a more attribute-driven model. Each control now carries five attributes: control type (preventive, detective, corrective), information security properties (confidentiality, integrity, availability), cybersecurity concepts (identify, protect, detect, respond, recover), operational capabilities, and security domains. This allows organizations to filter and view controls through multiple lenses, making control selection and gap analysis more intuitive.

The 11 New Controls

The new controls address modern security challenges: Threat Intelligence (A.5.7), Information Security for Cloud Services (A.5.23), ICT Readiness for Business Continuity (A.5.30), Physical Security Monitoring (A.7.4), Configuration Management (A.8.9), Information Deletion (A.8.10), Data Masking (A.8.11), Data Leakage Prevention (A.8.12), Monitoring Activities (A.8.16), Web Filtering (A.8.23), and Secure Coding (A.8.28). Organizations must evaluate each for applicability within their scope.

Transition Timeline and Approach

Organizations certified against ISO 27001:2013 must transition by October 31, 2025. TSC recommends beginning with a transition gap assessment to identify which new controls apply and where current implementations fall short. From there, update your Statement of Applicability, implement any required controls, adjust documentation, and conduct an internal audit before your transition audit.

Key Takeaways

  • Annex A restructured from 14 domains (114 controls) to 4 themes (93 controls) with 11 new additions.
  • The attribute-based approach provides more flexible control categorization and mapping.
  • Transition deadline is October 31, 2025 — organizations should start gap analysis now.
  • New controls address cloud security, threat intelligence, data masking, and secure coding.
  • TSC provides structured transition support from gap assessment through certification audit.

How TSC Can Help

TSC provides end-to-end consulting across 40+ compliance frameworks. Our structured process ensures your organization moves from initial assessment to audit readiness efficiently and confidently.

Whether you are beginning your compliance journey or maintaining existing certifications, our team brings the expertise and methodology to support your goals.
