Let’s cut through the noise. You’re here because you either need to implement ISO 27001, audit it, or explain it to someone who’s panicking before a certification deadline. I’ve been in those meetings. The slides are always wrong.
Understanding ISO 27001: What It Is and What It Isn’t
First, let’s clarify what ISO 27001 actually is. It’s an international standard for information security management systems (ISMS). Not a checklist. Not a toolkit. A framework. The core of the standard—clauses 4 through 10—lays out the process for establishing, maintaining, and improving an ISMS. That’s the management side: scope, risk assessment, leadership commitment, internal audits, and continuous improvement. This part is mandatory for certification. Fail here, and no number of technical controls will save you.
Then there’s Annex A. This is where the so-called “domains” live. Or used to. In the 2013 version, Annex A listed 114 controls across 14 logical domains (A.5 to A.18), such as Access Control, Cryptography, and Supplier Relationships. These domains helped organizations group similar controls together, making the standard easier to digest. But the domain headings were never a requirement in themselves. What clause 6.1.3 requires is that you compare your risk treatment against the Annex A controls and record the result in a Statement of Applicability; the domains were just the taxonomy those controls were listed under.
And that’s exactly where people get tripped up. They memorize the 14 domains like they’re commandments. They build their ISMS around them. Then the 2022 update drops, and suddenly, the structure is different. Same goal, new scaffolding.
Because the 2022 revision didn’t just tweak the controls. It reorganized them completely. The 14 domains were scrapped. In their place: 93 controls grouped into 4 themes. “Operations Security”, “Communications Security” and “Compliance” no longer exist as headings; their controls were redistributed according to who owns them. The categories are broader, but the logic is tighter.
The 2022 Restructuring: Why the 14 Domains Are Gone
From 14 to 4: The New Thematic Areas
The biggest shift in ISO 27001:2022 is the reduction of Annex A controls from 114 to 93—and the collapse of 14 domains into 4 groups. These are:
Organizational (37 controls), People (8), Physical (14), and Technological (34). That’s it. Gone are the days of explaining why “Communications Security” deserves its own category. Now those controls are split: information transfer sits under Organizational, network security under Technological. That changes how an SoA and the documents behind it get organized.
For example, the 2013 control A.13.2.1 (Information transfer policies and procedures) lived under “Communications Security”, next to the network controls. In 2022 it becomes A.5.14 (Information transfer) under Organizational, while its former neighbours become A.8.20 to A.8.22 (Networks security, Security of network services, Segregation of networks) under Technological. Why? Because deciding what may be sent to whom is a governance question; segmenting a network is an engineering one. The standard now reflects that. It’s a bit like how modern HR departments don’t just “handle payroll” but shape company culture: boundaries have blurred.
What Happened to the Old 14 Domains?
Let’s be clear about this: nothing was deleted. Every 2013 control was kept, merged or renamed, several many-to-one, and 11 new controls were added; that is how 114 became 93. The 14 domains weren’t abolished because they were flawed. They were replaced because they encouraged siloed thinking. Take “Access Control” (A.9 in 2013). It focused narrowly on user permissions. But access isn’t just a technical setting; it involves policy, onboarding, offboarding, and enforcement. So now the old A.9 controls are split: the policy, identity management, authentication information and access rights controls sit under Organizational (A.5.15 to A.5.18), while privileged access, information access restriction and secure authentication sit under Technological (A.8.2, A.8.3, A.8.5). The joiner, mover and leaver side leans on the People controls (A.6) for screening, terms of employment and responsibilities after termination.
The problem is, many consultants and templates still teach the 14-domain model. I find this overrated. It’s like using a 2007 roadmap to navigate a city that’s been redesigned. You’ll get somewhere—but not where you intended.
Annex A Controls: Structure and Practical Impact
Organizational Controls: The Backbone of Governance
The Organizational group is the largest, with 37 controls. These cover policies, risk treatment, supplier management, and incident response. A.5.7 (Threat Intelligence), for instance, is new. It didn’t exist in 2013. Why? Because in 2013, threat intelligence was a niche concern. Today, it’s table stakes. The inclusion reflects how external threats have evolved—from opportunistic attacks to coordinated ransomware campaigns.
And here’s the kicker: this group now includes business continuity (A.5.29 Information security during disruption, and A.5.30 ICT readiness for business continuity, the latter new in 2022), which in 2013 had its own domain, A.17. That makes sense: disaster recovery isn’t just about IT. It’s about contracts, communication plans, and executive decision-making. Hence it’s now under Organizational. As a result, alignment between security and business leadership isn’t optional. It’s baked into the structure.
People, Physical, and Technological: The Remaining Pillars
The People controls (8 total) focus on screening, terms of employment, awareness, disciplinary process, and event reporting. A.6.7 (Remote working) replaces the 2013 teleworking control, and the ISO 27002:2022 guidance behind it is broader. It’s no longer enough to say “train employees.” You must now address home office risks, personal device usage, and the people who share the workspace. Hard data on how many breaches start on home networks is thin, and the figures that circulate (one 2023 study is often quoted as finding a 47% increase in phishing success in remote setups) are hard to trace to a source, so treat them as directional rather than precise.
Physical controls (14) include everything from secure disposal (A.7.14) to entry controls (A.7.2). A.7.9 (Security of assets off-premises) explicitly covers equipment used outside the organization’s own sites, which takes in home offices, temporary offices and co-working spaces. That’s a small change with big implications for startups and distributed teams. And that’s where most small businesses fail: they assume “physical” means “server room,” not “employee’s kitchen table.”
Technological controls (34) are where engineers feel at home. They cover encryption, logging, and configuration management. A.8.9 (Configuration management) is new in 2022 and expects secure configurations for hardware, software, services and networks to be defined, documented, applied and monitored. Default settings must be secure by design. No more shipping devices with admin passwords like “admin123”. One 2024 figure puts 22% of IoT breaches down to unchanged defaults; whatever the exact share, the mechanism is well documented. Which explains why you will struggle to justify excluding this control in your Statement of Applicability.
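To show what A.8.9 looks like as a running check rather than a paragraph in a policy, here is an added example (mine, not code from this page or from ISO) that audits a device inventory against a per-class secure-configuration baseline. It flags factory credentials, settings that drift from the baseline, settings that were never recorded, and device classes nobody wrote a baseline for. Every device, setting, baseline value and default-credential pair in it is constructed for the example.

```python
"""Audit device configurations against a secure-configuration baseline.

Added example illustrating what A.8.9 (Configuration management) asks for in
practice; not code from this page or from ISO. Every device record, baseline
value and default-credential pair below is constructed for the example.
"""
from dataclasses import dataclass
from typing import Any

# Constructed list of factory logins (assumption: a real list is built from the
# vendor documentation for the assets in your inventory).
KNOWN_DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "admin123"),
    ("admin", "password"),
    ("root", "root"),
}


def tls_at_least_1_2(version: str) -> bool:
    """Baseline rule: the minimum TLS version offered must be 1.2 or newer."""
    return tuple(int(p) for p in version.split(".")) >= (1, 2)


# Constructed baseline per device class. A value is either a literal that the
# setting must equal, or a predicate the setting must satisfy.
BASELINE: dict[str, dict[str, Any]] = {
    "iot_camera": {"telnet_enabled": False, "firmware_auto_update": True,
                   "tls_min_version": tls_at_least_1_2},
    "router": {"telnet_enabled": False, "remote_admin_wan": False,
               "tls_min_version": tls_at_least_1_2},
}


@dataclass
class Finding:
    device: str
    control: str    # Annex A reference the finding maps to
    severity: str   # "high" or "medium"
    message: str


def check_device(device: dict) -> list[Finding]:
    """Return every deviation of one device from its class baseline."""
    findings: list[Finding] = []
    name = device["name"]

    # 1. Factory credentials still in place. A real inventory would not hold
    #    plaintext passwords; the check would instead be an authentication
    #    attempt with each known default pair against the device.
    for account in device.get("accounts", []):
        if (account["username"], account["password"]) in KNOWN_DEFAULT_CREDENTIALS:
            findings.append(Finding(name, "A.8.9/A.5.17", "high",
                                    f"account '{account['username']}' uses a factory default password"))

    # 2. Drift from the class baseline. An unknown class is itself a finding:
    #    a device nobody wrote a baseline for is unmanaged, not compliant.
    baseline = BASELINE.get(device["class"])
    if baseline is None:
        findings.append(Finding(name, "A.8.9", "medium",
                                f"no baseline defined for device class '{device['class']}'"))
        return findings

    settings = device.get("settings", {})
    for key, expected in baseline.items():
        if key not in settings:
            findings.append(Finding(name, "A.8.9", "medium",
                                    f"setting '{key}' not recorded; baseline cannot be evidenced"))
            continue
        value = settings[key]
        if callable(expected):
            if not expected(value):
                findings.append(Finding(name, "A.8.9", "high",
                                        f"setting '{key}' is {value!r} and fails the baseline rule"))
        elif value != expected:
            findings.append(Finding(name, "A.8.9", "high",
                                    f"setting '{key}' is {value!r}, baseline requires {expected!r}"))
    return findings


def audit(inventory: list[dict]) -> dict[str, list[Finding]]:
    """Run check_device over an inventory, keyed by device name."""
    return {device["name"]: check_device(device) for device in inventory}


# Constructed inventory: one device as shipped, one hardened, one unclassified.
SAMPLE_INVENTORY = [
    {"name": "cam-lobby-01", "class": "iot_camera",
     "accounts": [{"username": "admin", "password": "admin123"}],
     "settings": {"telnet_enabled": True, "firmware_auto_update": True,
                  "tls_min_version": "1.0"}},
    {"name": "rtr-edge-01", "class": "router",
     "accounts": [{"username": "netops", "password": "Q7!vx-kpL2#m"}],
     "settings": {"telnet_enabled": False, "remote_admin_wan": False,
                  "tls_min_version": "1.3"}},
    {"name": "printer-3f", "class": "printer",
     "accounts": [{"username": "admin", "password": "admin"}],
     "settings": {}},
]

if __name__ == "__main__":
    for device_name, device_findings in audit(SAMPLE_INVENTORY).items():
        print(f"{device_name}: {'OK' if not device_findings else f'{len(device_findings)} finding(s)'}")
        for f in device_findings:
            print(f"  [{f.severity}] {f.control}: {f.message}")
```

The point an auditor will press on is the third device: a class with no baseline must surface as a finding, because "we never checked" is not the same as "compliant". Each finding carries the Annex A reference it maps to, which is what you would want when the output feeds the evidence for your SoA.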
ISO 27001 vs. ISO 27002: Clarifying the Confusion
You can’t talk about domains without addressing ISO 27002. This is the sister standard that gives detailed guidance on implementing the Annex A controls. ISO 27002:2022 was published in February 2022, a few months ahead of ISO 27001:2022. But here’s the twist: ISO 27002 doesn’t use domains either. It follows the same 4-theme structure. What it adds is a purpose statement and implementation guidance for each control, plus five attributes per control (control type, information security properties, cybersecurity concepts, operational capabilities, and security domains) that let you build your own views of the control set. The cybersecurity concepts attribute uses the NIST CSF functions (Identify, Protect, Detect, Respond, Recover), and the security domains attribute is the only place the word “domain” survives: four values (Governance and Ecosystem, Protection, Defence, Resilience), not fourteen.
So why do people still refer to domains? Habit. Tradition. Bad training materials. ISO 27002:2013 listed controls by the old 14 domains. That version is withdrawn, and the IAF transition deadline for certificates issued against ISO 27001:2013 is 31 October 2025, but the old templates are still widely circulated. Experts disagree on how fast organizations are adapting. Some say 60% of new implementations now follow the 4-theme model. Others claim the figure is closer to 35%. Honestly, it is unclear.
Frequently Asked Questions
Is ISO 27001 Mandatory?
No. But if you’re in finance, healthcare, or cloud services, you’ll likely be required to have it by clients or regulators. UK guidance such as the NCSC’s frequently maps to it, and some German public tenders require certification. It’s not law, but it might as well be.
Can I Still Use the 14-Domain Model?
You can, but it’s risky. Certification auditors work from the 2022 structure, and the IAF transition deadline for 2013 certificates is 31 October 2025. If your documentation uses outdated categories, you’ll spend hours justifying it. And that’s time you don’t have during a Stage 2 audit. Suffice to say: don’t make things harder than they need to be.
How Long Does Certification Take?
Typically 6 to 18 months. Small firms with simple IT environments can do it in 6. Enterprises with global operations? Closer to 18. The cost typically ranges from $15,000 to $50,000, depending on scope, consultant fees, and audit complexity. One tech startup in Dublin spent €80,000 because they started with the wrong framework. They’re far from alone.
The Bottom Line
So—how many domains are there in ISO 27001? Zero. The standard doesn’t define domains at all. What it does have is 93 controls grouped into 4 thematic areas. The old 14-domain model is obsolete. Clinging to it is like insisting on film cameras in the age of digital photography. It works, but you’re missing the point.
My personal recommendation? Stop thinking in domains. Start thinking in outcomes. Does your ISMS reduce risk? Can you prove it? That’s what auditors care about, not whether you filed A.9.2.3 under “Access Control” or its 2022 successor A.8.2 under “Technological.”
And let’s be real: no one passes ISO 27001 because they memorized categories. They pass because they understand the logic behind the controls. The 2022 update didn’t just change structure—it demanded a shift in mindset. We’re not securing systems. We’re securing business processes. That’s the real takeaway.