The SCF maps its controls to ISO 27001:2022, including all 93 Annex A controls and the 11 controls added in the 2022 revision. Organizations using the SCF can identify which controls satisfy each ISO 27001:2022 objective, streamlining certification preparation, gap analyses, and ongoing audit evidence collection. The cross-mapping also allows ISO 27001-certified organizations to simultaneously demonstrate compliance with NIST CSF, SOC 2, and other frameworks without duplicating control implementations.
ISO 27001:2022 introduced significant changes from the 2013 version. The 2022 revision restructured Annex A from 114 controls in 14 clauses (ISO 27001:2013) to 93 controls in 4 themes: organizational controls (37), people controls (8), physical controls (14), and technological controls (34).
The revision added 11 controls that did not exist in the 2013 version, covering threat intelligence, information security for cloud services, ICT readiness for business continuity, web filtering, secure coding, data masking, data leakage prevention, monitoring activities, configuration management, and related areas.
Organizations certified to ISO 27001:2013 had a deadline of October 31, 2025 to transition their certifications to ISO 27001:2022 - you may want to verify the current status of your certification with your certification body if this applies.
The SCF's mapping to ISO 27001:2022 covers both the mandatory clauses (4 through 10) and all Annex A controls, with particular attention to the 11 new controls that require additional implementation work for organizations transitioning from ISO 27001:2013.
Using the SCF for ISO 27001:2022 compliance provides the added benefit of simultaneous cross-mapping to NIST CSF 2.0, NIST SP 800-53, SOC 2 Trust Service Criteria, PCI DSS, and other frameworks from a single control implementation.
Keep Exploring