[Image: ISO/IEC 27001:2022 policy requirements, showing the 11 new controls and the 4-theme structure]

ISO 27001:2022 - Updated Policy Requirements Explained

ISO/IEC 27001:2022 was published in October 2022, replacing the 2013 version. If you're pursuing certification or are already certified, you have until 31 October 2025 to transition to the new standard.

This update introduced 11 new controls, merged 57 of the 2013 controls into 24 (no control was dropped outright), renamed 23 and reorganised Annex A from 14 domains into 4 themes, taking the total from 114 controls to 93. Here's what it means for your policies. For the full control-to-policy mapping, see our ISO 27001 framework page.

What Changed in ISO 27001:2022?

Control Structure Redesign

Old (2013): 14 domains (A.5 to A.18), 114 controls
New (2022): 4 themes, 93 controls

The four new themes:

  1. Organisational Controls (37 controls, 5.1 to 5.37)
  2. People Controls (8 controls, 6.1 to 6.8)
  3. Physical Controls (14 controls, 7.1 to 7.14)
  4. Technological Controls (34 controls, 8.1 to 8.34)

11 New Controls You Need Policies For

Control | Title (as in ISO/IEC 27002:2022) | Required policy/documentation
5.7 | Threat intelligence | Threat Intelligence Policy
5.23 | Information security for use of cloud services | Cloud Services Security Policy
5.30 | ICT readiness for business continuity | ICT Business Continuity Plan
7.4 | Physical security monitoring | Physical Security Monitoring Policy
8.9 | Configuration management | Configuration Management Policy
8.10 | Information deletion | Data Deletion & Sanitization Policy
8.11 | Data masking | Data Masking & Anonymization Policy
8.12 | Data leakage prevention | DLP Policy
8.16 | Monitoring activities | Security Monitoring Policy
8.23 | Web filtering | Web Filtering & Internet Use Policy
8.28 | Secure coding | Secure Software Development Policy

Complete Policy List for ISO 27001:2022

The standard itself mandates only a few documents outright (the ISMS scope, the information security policy, the risk assessment and treatment process and the Statement of Applicability, plus the records the controls generate). In practice, covering every applicable Annex A control takes around 18 policies:

Core Mandatory Policies (Must Have)

  1. Information Security Policy (Top-level policy)
  2. Risk Assessment & Treatment Policy
  3. Access Control Policy
  4. Cryptography & Key Management Policy
  5. Physical & Environmental Security Policy
  6. Asset Management Policy
  7. Acceptable Use Policy
  8. Change Management Policy
  9. Incident Response Policy
  10. Business Continuity Policy
  11. Backup & Recovery Policy
  12. Supplier Security Policy

New/Updated Policies for 2022

  1. Threat Intelligence Policy (New Control 5.7)
  2. Cloud Services Security Policy (New Control 5.23)
  3. Data Deletion & Sanitization Policy (New Control 8.10)
  4. Data Masking Policy (New Control 8.11)
  5. DLP Policy (New Control 8.12)
  6. Secure Coding Policy (New Control 8.28)

The other five new controls (5.30, 7.4, 8.9, 8.16 and 8.23) still need the documentation listed in the table above, but in most organisations that documentation is a section of the business continuity, physical security, change management, incident response and acceptable use policies rather than a standalone document.

Mapping Your Existing Policies

If you're already ISO 27001:2013 certified, here's how old controls map to new ones:

Example mappings:

  • A.9 (Access Control) → Controls 5.15-5.18 and 8.2-8.5
  • A.12 (Operations Security) → Controls 5.37, 8.6-8.8, 8.13, 8.15, 8.17, 8.19, 8.31, 8.32 and 8.34 (8.9-8.12 and 8.16 are new and have no 2013 predecessor)
  • A.17 (Business Continuity) → Controls 5.29 and 8.14 (5.30 is new)

The authoritative mapping in both directions (2013 to 2022 and 2022 to 2013) is Annex B of ISO/IEC 27002:2022; work from that rather than from a third-party summary when you update your SoA.

What Auditors Will Look For

During your ISO 27001:2022 audit, expect particular scrutiny on:

1. Cloud Security (Control 5.23)

2. Threat Intelligence (Control 5.7)

3. Secure Coding (Control 8.28)

Timeline for Transition

Deadline: 31 October 2025

Organisations with an existing ISO/IEC 27001:2013 certificate have a three-year transition period from the October 2022 publication date, ending on 31 October 2025.

Recommended timeline:

Common Mistakes to Avoid

1. Copy-Pasting Old Policies

Don't just rename your 2013 policies. The new controls have different requirements and evidence needs.

2. Ignoring the 11 New Controls

None of them can simply be skipped. Every Annex A control must appear in your Statement of Applicability as either implemented or excluded with a documented justification, so if nothing in your policy set addresses threat intelligence, cloud services or secure coding, expect a nonconformity.

3. Poor Control Mapping

Auditors want to see a clear Statement of Applicability (SoA) showing which policies address which controls. Generic policies without control mapping won't pass.
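As an added example (not code from the original page or from our policy pack), the following Python script checks a policy register against the full Annex A 2022 control set and reports which controls no policy covers, with the 11 new controls called out separately. The CSV layout (policy, semicolon-separated control list), the policy names and the control assignments in SAMPLE_CSV are constructed for illustration; the 93 control identifiers are generated from the theme counts given above, and identifiers in the old "A.x.y.z" style are rejected so a renamed 2013 policy cannot slip through with stale references.

```python
"""Check a policy-to-control mapping for gaps against ISO/IEC 27001:2022 Annex A.

Added example, not code from the original page. The CSV layout
(policy,controls with a ';'-separated control list) is an assumption;
adapt parse_mapping() to however your SoA or policy register is stored.
"""
import csv
import io
import re

# Annex A 2022 themes with their control counts: 37 + 8 + 14 + 34 = 93.
THEMES = {
    "5": ("Organisational", 37),
    "6": ("People", 8),
    "7": ("Physical", 14),
    "8": ("Technological", 34),
}

# The 11 controls introduced in the 2022 revision.
NEW_2022 = {"5.7", "5.23", "5.30", "7.4", "8.9", "8.10",
            "8.11", "8.12", "8.16", "8.23", "8.28"}

# 2022-style identifier: theme digit, dot, control number. Rejects 2013-style "A.9.2.1".
CONTROL_RE = re.compile(r"^[5-8]\.\d{1,2}$")

# Constructed sample register: four policies, deliberately leaving most controls unmapped.
SAMPLE_CSV = """policy,controls
Information Security Policy,5.1;5.2;5.3;5.4
Access Control Policy,5.15;5.16;5.17;5.18;8.2;8.3;8.4;8.5
Cloud Services Security Policy,5.23
Secure Software Development Policy,8.25;8.26;8.27;8.28;8.29
"""


def _key(control_id: str) -> tuple[int, int]:
    """Numeric sort key so 5.7 sorts before 5.30 (plain string order would not)."""
    theme, number = control_id.split(".")
    return int(theme), int(number)


def annex_a_controls() -> set[str]:
    """All 93 control identifiers, generated from the theme counts."""
    return {f"{theme}.{n}" for theme, (_, count) in THEMES.items()
            for n in range(1, count + 1)}


def parse_mapping(csv_text: str) -> dict[str, set[str]]:
    """Parse the register into {policy: {control ids}}.

    Raises ValueError when a row cites an identifier that is not an Annex A 2022
    control, which catches a renamed 2013 policy with stale "A.x.y.z" references
    before the auditor does.
    """
    universe = annex_a_controls()
    mapping: dict[str, set[str]] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        policy = row["policy"].strip()
        ids = {c.strip() for c in row["controls"].split(";") if c.strip()}
        bad = sorted(c for c in ids if not CONTROL_RE.match(c) or c not in universe)
        if bad:
            raise ValueError(f"{policy!r} cites unknown control(s): {bad}")
        mapping.setdefault(policy, set()).update(ids)
    return mapping


def coverage_report(mapping: dict[str, set[str]]) -> dict:
    """Summarise which controls no policy addresses, and which of those are new in 2022."""
    covered = set().union(*mapping.values())
    unmapped = annex_a_controls() - covered
    return {
        "policies": len(mapping),
        "covered": len(covered),
        "unmapped": sorted(unmapped, key=_key),
        "unmapped_new": sorted(unmapped & NEW_2022, key=_key),
        "unmapped_by_theme": {
            name: sum(1 for c in unmapped if c.split(".")[0] == theme)
            for theme, (name, _) in THEMES.items()
        },
    }


if __name__ == "__main__":
    report = coverage_report(parse_mapping(SAMPLE_CSV))
    print(f"{report['policies']} policies cover {report['covered']} of 93 controls")
    print("unmapped by theme:", report["unmapped_by_theme"])
    print("new 2022 controls with no policy:", ", ".join(report["unmapped_new"]))
```

Run against the constructed register it reports 75 uncovered controls, nine of them from the new set. A control that is genuinely excluded from scope should still be listed in the register against a justification row rather than left absent, otherwise the report cannot tell an exclusion from an oversight.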

Get ISO 27001:2022 Compliant Fast

Our ISO 27001 Core Set pack includes all 18 policies listed above, pre-mapped to the 2022 standard, with control references and implementation guidance.

View ISO 27001 Pack

Further Resources

Keep reading

How to structure ISO 27001:2022 policies

Quick answer. ISO 27001:2022 reorganises Annex A into 4 themes (organisational, people, physical, technological) covering 93 controls. Effective policies map clause-by-clause to these controls and version-stamp at generation so auditors can trace each control to its policy. Bespoke generation typically replaces a £5,000–£15,000 consultancy engagement with a one-off £400 pack — a 12× to 38× cost reduction with the same audit-readiness.
