Standards do not appear fully formed. They are built from decades of accumulated experience, hard lessons from real incidents, and the slow, unglamorous work of consensus-building across national standards bodies, security practitioners, and industry groups. ISO 27001 is no exception.
Understanding where ISO 27001 came from — what problems it was originally designed to solve, how it has responded to an evolving threat landscape, and what the 2022 revision changed — gives you a much clearer picture of why the standard is structured the way it is today. It also helps you avoid the common mistake of treating it as a bureaucratic relic rather than a living framework that has been continuously refined for over three decades.
It Started in Britain, Not Geneva
Most people assume ISO standards are born in Switzerland, in the offices of the International Organization for Standardization. ISO 27001's story is different. Its roots are entirely British, emerging from a very specific problem in the early 1990s: UK companies doing business together had no common language for talking about information security requirements.
In 1989, the UK Department of Trade and Industry commissioned a study on information security practices across British industry. What they found was fragmented and inconsistent — every company handled security differently, there was no agreed baseline, and vendor relationships were full of uncertainty about who was actually protecting what. The study led to the development of an internal DTI code of practice, which was shared among a small group of large UK organizations as a starting point for harmonization.
That informal document would eventually become, through several years of consultation and revision, the British Standard BS 7799 — published by the British Standards Institution in 1995. It was the first comprehensive, publicly available code of practice for information security management in the world.
The Full Timeline at a Glance
Here is the complete lineage of ISO 27001, from its 1989 precursor to the current 2022 edition that all organizations must now certify against:
| Year | Milestone | What happened |
|---|---|---|
| 1989 | DTI Code of Practice (UK) | The UK Department of Trade and Industry publishes the first formal code of practice for information security management — the earliest ancestor of what would become ISO 27001. |
| 1995 | BS 7799 Part 1 | The British Standards Institution (BSI) publishes BS 7799, a comprehensive code of practice for information security. It establishes the foundational concepts that remain in ISO 27001 today. |
| 1998 | BS 7799 Part 2 | BSI releases Part 2, introducing the concept of an Information Security Management System (ISMS) and the first auditable specification against which organizations could be certified. |
| 2000 | ISO/IEC 17799:2000 | Part 1 of BS 7799 is adopted as an international standard by ISO, giving the framework global reach for the first time. It focuses on the code of practice for controls. |
| 2005 | ISO/IEC 27001:2005 | Part 2 of BS 7799 is reborn as ISO/IEC 27001:2005 — the first fully international, certifiable ISMS standard. The 27000 series namespace is born. Adoption begins growing globally. |
| 2013 | ISO/IEC 27001:2013 | Major revision aligns ISO 27001 with the High Level Structure (Annex SL), enabling integration with other ISO management systems. Annex A is restructured into 14 domains with 114 controls. |
| 2022 | ISO/IEC 27001:2022 | The current version. Annex A is restructured into 4 domains with 93 controls (11 new). Introduces attributes and themes for easier control mapping. Clause 6.3 adds explicit change management. |
| 2026 | Where We Are Now | Organizations certified to the 2013 version must transition to ISO 27001:2022 by October 2025. The 2022 edition is now the only valid basis for new certifications globally. |
The BS 7799 Era: 1995–2005
BS 7799 Part 1 (1995) — The Code of Practice
The original BS 7799 was structured as a code of practice — a set of recommended controls and guidance for information security management. It was comprehensive for its time, covering topics like access control, physical security, incident management, and business continuity. But it was guidance, not a specification. You could not be audited against it and certified.
This limited its practical impact. Organizations could use it as a reference, but there was no way to verify compliance or use it as a basis for vendor trust. The market needed something stronger.
BS 7799 Part 2 (1998) — The ISMS Specification
The British Standards Institution answered with Part 2 in 1998: a specification document — written in the language of "shall" rather than "should" — that defined requirements for an Information Security Management System. This was the pivotal moment in the standard's history. For the first time, organizations could build an ISMS against a defined specification and have it independently audited and certified.
Part 2 also introduced the Plan-Do-Check-Act (PDCA) cycle as the operational model for the ISMS — a concept borrowed from quality management that emphasized continual improvement rather than one-time implementation. That philosophy remains embedded in ISO 27001 today, though the explicit PDCA language was removed in the 2013 revision in favor of the generic High Level Structure approach.
| HISTORICAL NOTE | The first BS 7799 Part 2 certifications were issued in 1998–1999, primarily to large UK financial institutions and telecoms companies. By 2003, approximately 200 organizations worldwide were certified — a number that would grow to over 50,000 by the time ISO 27001:2022 was published. |
Going Global: ISO 17799 and ISO 27001:2005
By the late 1990s, BS 7799 had attracted international attention. The controls-focused Part 1 was submitted to ISO for adoption as an international standard, and in 2000 it was published as ISO/IEC 17799:2000. This gave the code of practice global reach, but the certifiable management system standard — Part 2 — remained a British standard only.
That changed in 2005. After a multi-year process involving national standards bodies from across the world, ISO/IEC 27001:2005 was published — the first fully international, certifiable information security management system standard. BS 7799 Part 2 was simultaneously withdrawn, replaced by its international successor.
The 2005 publication also launched the ISO 27000 series namespace — a family of related standards that would expand significantly over the following years to cover topics including risk management (ISO 27005), audit guidelines (ISO 27007), sector-specific guidance (ISO 27011 for telecoms, ISO 27017 for cloud), and the controls guidance companion (ISO 27002).
| Why the namespace matters: When you see references to ISO 27001, ISO 27002, ISO 27017, ISO 27018, etc., they are all part of the same family. ISO 27001 is the certifiable management system standard — the others are supporting guidance documents. Only ISO 27001 certification exists; you cannot be 'certified to ISO 27002'. |
The 2013 Revision: Integration and Rationalization
Eight years after the 2005 publication, ISO released a major revision: ISO/IEC 27001:2013. This was the most significant structural change the standard had undergone, driven by two primary forces.
The first was the introduction of the High Level Structure — also known as Annex SL or the harmonized approach for ISO management system standards. ISO recognized that organizations were increasingly running multiple management systems simultaneously: quality (ISO 9001), environment (ISO 14001), business continuity (ISO 22301), and information security. Each had a different structure, which made integration unnecessarily complex. The High Level Structure gave all these standards a common framework of ten clauses, shared definitions, and identical core text for common requirements.
ISO 27001:2013 was the first major security standard to adopt this structure, which is why its clauses 4 through 10 look familiar to anyone who has worked with ISO 9001 or ISO 14001. The practical benefit for organizations is substantial: an integrated management system covering quality, environment, and security can now be audited simultaneously against a single unified structure.
What Changed in Annex A
The 2013 revision also rationalized the controls in Annex A, reorganizing them from the original 11 domains and 133 controls in the 2005 version into 14 domains and 114 controls. Several controls were merged, some were split, and the overall structure was made more logical. The companion standard ISO 27002 was updated simultaneously to provide detailed implementation guidance for each control.
ISO 27001:2013 became the dominant version globally and remained so for nearly a decade. Most of the world's current ISO 27001 certificates were issued under the 2013 version — though as of October 2025, all transition periods have closed, and the 2022 edition is now the only valid basis for certification.
The 2022 Revision: Modern Threats, Cleaner Structure
ISO/IEC 27001:2022 was published in October 2022, with the companion ISO 27002:2022 having been released earlier that year in February. The revision was driven by a recognition that the threat landscape had changed dramatically since 2013 — cloud computing had become dominant, remote work had become normalized, supply chain attacks had emerged as a major vector, and threat intelligence had become a serious operational discipline.
The changes to the normative clauses (4–10) were relatively modest — the most notable addition being Clause 6.3, which introduced an explicit requirement to plan for changes to the ISMS in a controlled manner. The major changes were in Annex A.
What Changed in Annex A (2013 vs. 2022)
| Area | ISO 27001:2013 | ISO 27001:2022 |
|---|---|---|
| Annex A Domains | 14 domains | 4 domains (Org, People, Physical, Tech) |
| Total Controls | 114 controls | 93 controls (consolidated + 11 new) |
| New Controls | None | 11 new — incl. threat intelligence, cloud security, data masking, secure coding |
| Control Attributes | Not present | Introduced — cybersecurity concepts, operational capabilities, security domains |
| Change Management | Implicit | Clause 6.3 — explicit ISMS change planning requirement |
| Transition Deadline | Valid until Oct 2025 | Now the only valid certification basis |
The 11 New Controls
The eleven new controls introduced in the 2022 revision reflect exactly the areas where the 2013 version had aged most visibly. They cover:
- Threat intelligence — organizations must now actively gather and analyze information about relevant threats
- Information security for use of cloud services — explicit requirements for managing cloud provider relationships
- ICT readiness for business continuity — integrating security into business continuity planning
- Physical security monitoring — surveillance and access controls for physical environments
- Configuration management — formal management of hardware, software, and network configurations
- Information deletion — ensuring data is properly deleted when no longer needed
- Data masking — protecting sensitive data in non-production environments
- Data leakage prevention — controls to prevent unauthorized data exfiltration
- Monitoring activities — detecting anomalous behavior across networks and systems
- Web filtering — controlling access to external websites
- Secure coding — formal requirements for secure software development practices
| Bitlion 2026 Context: Several of these new controls map directly to requirements under Indonesia's UU PDP — particularly data deletion (Article 39), data masking for sensitive data processing, and data leakage prevention. Organizations implementing ISO 27001:2022 get meaningful UU PDP alignment as a byproduct, without having to build parallel control sets. |
Control Attributes: A New Way to Navigate Annex A
One of the less-discussed but genuinely useful innovations in the 2022 revision is the introduction of control attributes — a tagging system that allows organizations to view and filter the 93 controls through multiple lenses.
Each control in ISO 27002:2022 is tagged with five types of attributes: the control type (preventive, detective, corrective), information security properties (CIA), cybersecurity concepts from the NIST CSF (identify, protect, detect, respond, recover), operational capabilities (the security function the control addresses), and security domains (governance, ecosystem, protection, defence, resilience).
In practice, this means a CISO can filter Annex A by "all detective controls related to threat intelligence" or "all controls in the resilience domain" — a significant improvement over the flat list in the 2013 version. For organizations that need to map ISO 27001 controls to other frameworks like NIST CSF or Indonesia's regulatory requirements, the attribute system provides a structured basis for doing so.
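The filtering described above is easy to make concrete. The following is an added example, not part of the original article or of ISO's own material: it encodes the eleven controls new in the 2022 revision with the five attribute types the standard defines and shows how an ISMS owner can query them through the different lenses (control type, security property, NIST CSF concept, operational capability, security domain) and produce a CSF coverage view. Control numbers follow ISO/IEC 27002:2022; the individual tag assignments are illustrative (an assumption of this example) and should be checked against the attribute tables in the standard before being used in a real Statement of Applicability.

```python
"""Attribute-based filtering of Annex A controls, in the style of ISO 27002:2022.

Constructed example: the eleven controls introduced in the 2022 revision, each
tagged with the five attribute types the standard defines. Control numbers are
those of ISO/IEC 27002:2022; the tag values below are illustrative assumptions
and must be verified against the standard's own attribute tables.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    number: str
    title: str
    control_type: frozenset   # Preventive / Detective / Corrective
    properties: frozenset     # Confidentiality / Integrity / Availability
    csf_concepts: frozenset   # Identify / Protect / Detect / Respond / Recover
    capabilities: frozenset   # operational capability the control addresses
    domains: frozenset        # Governance_and_Ecosystem / Protection / Defence / Resilience


def _c(number, title, ctype, props, concepts, caps, domains):
    """Small constructor so the catalogue below stays readable."""
    return Control(number, title, frozenset(ctype), frozenset(props),
                   frozenset(concepts), frozenset(caps), frozenset(domains))


CIA = ("Confidentiality", "Integrity", "Availability")

# Constructed catalogue: the 11 controls new in ISO 27001:2022 Annex A (tags are assumed).
NEW_2022_CONTROLS = [
    _c("5.7", "Threat intelligence", ("Preventive", "Detective", "Corrective"), CIA,
       ("Identify", "Detect", "Respond"), ("Threat_and_vulnerability_management",),
       ("Defence", "Resilience")),
    _c("5.23", "Information security for use of cloud services", ("Preventive",), CIA,
       ("Protect",), ("Supplier_relationships_security",), ("Governance_and_Ecosystem", "Protection")),
    _c("5.30", "ICT readiness for business continuity", ("Corrective",), ("Availability",),
       ("Respond", "Recover"), ("Continuity",), ("Resilience",)),
    _c("7.4", "Physical security monitoring", ("Preventive", "Detective"), CIA,
       ("Protect", "Detect"), ("Physical_security",), ("Protection", "Defence")),
    _c("8.9", "Configuration management", ("Preventive",), CIA,
       ("Protect",), ("Secure_configuration",), ("Protection",)),
    _c("8.10", "Information deletion", ("Preventive",), ("Confidentiality",),
       ("Protect",), ("Information_protection", "Legal_and_compliance"), ("Protection",)),
    _c("8.11", "Data masking", ("Preventive",), ("Confidentiality",),
       ("Protect",), ("Information_protection",), ("Protection",)),
    _c("8.12", "Data leakage prevention", ("Preventive", "Detective"), ("Confidentiality",),
       ("Protect", "Detect"), ("Information_protection",), ("Protection", "Defence")),
    _c("8.16", "Monitoring activities", ("Detective", "Corrective"), CIA,
       ("Detect", "Respond"), ("Information_security_event_management",), ("Defence",)),
    _c("8.23", "Web filtering", ("Preventive",), CIA,
       ("Protect",), ("System_and_network_security",), ("Protection",)),
    _c("8.28", "Secure coding", ("Preventive",), CIA,
       ("Protect",), ("Application_security", "System_and_network_security"), ("Protection",)),
]


def filter_controls(controls, **criteria):
    """Return the controls whose attribute sets contain every requested tag.

    Keyword names are attribute fields (control_type, properties, csf_concepts,
    capabilities, domains); a value is one tag or an iterable of tags, and all
    of them must be present (logical AND within and across fields).
    """
    def wanted(value):
        return {value} if isinstance(value, str) else set(value)

    return [ctl for ctl in controls
            if all(wanted(v) <= getattr(ctl, k) for k, v in criteria.items())]


def coverage_by_concept(controls):
    """Group control numbers by NIST CSF concept: the view used when mapping
    Annex A onto the CSF functions, sorted numerically within each concept."""
    view = defaultdict(list)
    for ctl in controls:
        for concept in ctl.csf_concepts:
            view[concept].append(ctl.number)
    return {concept: sorted(nums, key=lambda n: tuple(int(p) for p in n.split(".")))
            for concept, nums in sorted(view.items())}


if __name__ == "__main__":
    # "All detective controls in the Resilience domain"
    for ctl in filter_controls(NEW_2022_CONTROLS, control_type="Detective", domains="Resilience"):
        print(ctl.number, ctl.title)
    for concept, nums in coverage_by_concept(NEW_2022_CONTROLS).items():
        print(f"{concept:8} {', '.join(nums)}")
```

The value of the attribute model shows up in the last query: a single tagged catalogue answers both an audit-style question ("which controls are detective and support resilience?") and a mapping question ("which Annex A controls contribute to the CSF Recover function?") without maintaining two separate spreadsheets.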
The Transition: From 2013 to 2022
When ISO 27001:2022 was published, existing certified organizations were given a three-year transition window to update their ISMS and recertify against the new version. That window closed in October 2025. As of early 2026, all valid ISO 27001 certificates are based on the 2022 version.
For organizations that made the transition, the main work involved reviewing the new Annex A controls, updating the Statement of Applicability to address the 11 new controls and the reorganized structure, revising relevant policies and procedures, and implementing any new controls determined to be applicable based on the risk assessment.
For organizations starting fresh in 2026, the 2022 version is simply the standard — there is no legacy structure to reconcile. This is actually an advantage: the 2022 version is more logically organized, better aligned with the modern threat landscape, and more directly connected to regulatory frameworks that matter in Indonesian regulated industries.
| KEY POINT | If you are beginning an ISO 27001 implementation today, you are implementing the 2022 version. All documentation, all gap assessments, all audit preparation should reference ISO/IEC 27001:2022 and ISO/IEC 27002:2022 exclusively. |
Why This History Matters Practically
Understanding the evolution of ISO 27001 is not just intellectual background — it has direct practical implications for how you approach implementation.
First, much of the documentation, guidance, and implementation advice available online was written for the 2013 version. Controls are numbered differently, domain structures differ, and some recommended approaches have been superseded. If you are using a guide that references 14 Annex A domains or 114 controls, it predates the 2022 revision.
Second, the standard's history reveals its philosophy. ISO 27001 was built bottom-up from practitioner experience — it was not a theoretical framework imposed by academics or regulators. The controls in Annex A exist because real organizations faced real threats, and the standard evolved to address them. When you understand that lineage, the requirements feel less arbitrary.
Third, the standard's integration trajectory matters for how you build your ISMS. The move to the High Level Structure in 2013 was not cosmetic — it was a deliberate signal that ISO 27001 was designed to be integrated with other management systems, not siloed. Organizations that treat their ISMS as an isolated security program rather than part of an integrated management approach are missing the design intent.
Where the Standard Goes From Here
ISO standards are typically reviewed every five years, which means the next revision of ISO 27001 is likely to arrive around 2027. Based on current trends in the threat landscape and regulatory environment, likely areas of focus include artificial intelligence governance and security, more explicit treatment of operational technology (OT) and IoT security, expanded supply chain security requirements, and deeper integration with emerging privacy frameworks.
For organizations implementing ISO 27001 today, this is a reason to build your ISMS with adaptability in mind — not as a fixed artifact but as a living system. The standard has always been revised to address what the previous version missed. An ISMS designed for continual improvement will absorb those revisions far more easily than one built to satisfy a checklist.