What’s new in ISO/IEC 27001:2022: Philippines Guide

The release of ISO/IEC 27001:2022 marked the first major update to the world’s most widely adopted information security standard in nearly a decade. For organizations in the Philippines—especially those subject to the Data Privacy Act of 2012 (DPA) and oversight by the National Privacy Commission (NPC)—this update is more than a cosmetic refresh. It changes how security controls are grouped, introduces new controls for modern threats, and raises the bar on how you demonstrate “reasonable and appropriate” security measures.

This guide breaks down what changed in ISO 27001:2022, what it means in the Philippine context, and how your organization can approach the transition strategically instead of treating it as a checkbox exercise.

What Is ISO 27001 and Why the 2022 Update Matters

ISO 27001 is the international standard for building and maintaining an Information Security Management System (ISMS)—a structured framework of policies, processes, and controls used to protect information.

The previous version, ISO/IEC 27001:2013, served as the foundation for many Philippine organizations in banking, BPO, fintech, healthcare, higher education, and government-linked entities. However, the threat landscape has changed dramatically since 2013:

  • Cloud and SaaS have become default

  • Remote and hybrid work are normal

  • Ransomware, supply chain attacks, and API abuse are mainstream risks

  • Data privacy enforcement has tightened, including in the Philippines

ISO 27001:2022 updates the standard to align with these realities and with the newer ISO/IEC 27002:2022 (the guidance document on controls). For Philippine companies, especially those aligning with the DPA and NPC circulars, the new controls help address modern attack vectors and cloud-heavy environments that older implementations often glossed over.

High-Level Changes from ISO 27001:2013 to 2022

At the clause (management system) level, the structure remains familiar (the Annex SL framework). The biggest changes are in Annex A, where the controls live.

From 114 Controls to 93 Controls

The number of Annex A controls has changed:

  • Old structure (2013): 114 controls in 14 domains

  • New structure (2022): 93 controls in 4 themes

Controls have been merged, renamed, rephrased, and reorganized to reduce overlap and reflect current practices.

Four New Control Themes

Annex A is now organized into four high-level themes:

  1. Organizational controls (A.5)

  2. People controls (A.6)

  3. Physical controls (A.7)

  4. Technological controls (A.8)

This makes it easier to map controls to governance structures, HR, facility management, and IT/security operations—which is particularly useful for Philippine companies aligning ISO 27001 with DPA compliance and internal corporate governance.

Introduction of 11 New or Significantly Updated Controls

While the count decreased overall, several new controls were introduced that are directly relevant to today’s threat landscape, especially for:

  • Cloud services

  • Threat intelligence

  • Secure development

  • Data masking and protection

  • Business continuity and resilience from an information security perspective

We’ll unpack these in more detail below.

Key New and Updated Controls You Need to Know

Below are some of the most important new/updated controls in ISO 27001:2022 and why they matter for Philippine organizations.

Threat Intelligence (A.5.x – Organizational)

The new Threat Intelligence control formalizes the process of collecting, analyzing, and using information about emerging threats, vulnerabilities, and attack techniques.

Why this matters in the Philippines:
Many local organizations only respond to incidents reactively. With rising phishing campaigns, ransomware, and attacks targeting specific sectors (e.g., banks, e-wallets, BPOs), having a formal threat intelligence process allows your ISMS to:

  • Monitor regional and industry-specific threats

  • Update controls and awareness campaigns based on current attack methods

  • Provide evidence to the NPC that you’re not operating on outdated assumptions

This is especially relevant for organizations processing large volumes of personal data, where failure to monitor threats could be seen as negligence under the DPA.

Information Security for Use of Cloud Services (A.5.x – Organizational)

This new control explicitly addresses cloud governance. It goes beyond technical hardening and requires:

  • Defining criteria for selecting cloud providers

  • Managing shared responsibilities (customer vs provider)

  • Ensuring contractual and security requirements for cloud services

Why this matters in the Philippines:
A huge number of companies now use cloud-based HR systems, CRMs, email, and storage. Under the DPA, you remain responsible as a Personal Information Controller (PIC) even when using third-party processors. ISO 27001:2022’s cloud control helps you:

  • Show that you vetted your cloud providers

  • Implement data protection clauses in contracts

  • Align cloud risk management with NPC guidance on outsourcing and cross-border data transfers

ICT Readiness for Business Continuity (A.5.x – Organizational)

This control integrates IT and security into business continuity planning (BCP). It focuses on ensuring that information and supporting assets can be restored at acceptable levels after disruption.

Why this matters in the Philippines:
Between typhoons, power interruptions, connectivity issues, and now cyber incidents, business continuity is more than a document requirement—it’s a survival need. For DPA compliance, being able to restore availability and integrity of personal data is a key obligation.

ISO 27001:2022 pushes organizations to:

  • Align BCP with information security risks

  • Test recovery scenarios that involve data and systems, not just physical sites

  • Ensure that DR/BCP plans factor in cloud, remote work, and third parties

Data Masking (A.8.x – Technological)

Data masking is now explicitly highlighted as a control. It refers to methods for obscuring personal or sensitive data in non-production environments or where full visibility is not necessary.

Why this matters in the Philippines:
Many companies still use real personal data in development, testing, or training environments. This significantly increases exposure—especially where those environments are less controlled.

Data masking supports DPA principles like:

  • Data minimization

  • Need-to-know access

  • Reducing risk in case of test environment breaches

It’s particularly important for banks, fintechs, BPOs, and healthcare providers who often maintain multiple environments across vendors and locations.
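The following is an added illustration of the data masking control described above; it is not code from the original guide and not an NPC- or ISO-published tool. It assumes a customer export with the field names shown (customer_id, name, email, mobile, birth_date, balance), uses keyed HMAC pseudonymization so the same customer maps to the same token across tables (preserving joins in the test environment) while the raw identifier cannot be recovered without the key, and ends with a verification step that scans the masked output for any surviving raw value. The sample rows are constructed, fictional data.

```python
import hashlib
import hmac

# Fields treated as personal data for this demonstration. Assumption: the real
# list comes from the organization's data inventory, not from this script.
PII_FIELDS = ("customer_id", "name", "email", "mobile", "birth_date")

# Constructed sample rows standing in for a production export (fictional data).
# The third row repeats customer C-1001 to show that pseudonyms stay consistent.
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "name": "Maria Santos", "email": "maria.santos@example.ph",
     "mobile": "+63 917 123 4567", "birth_date": "1988-04-12", "balance": 15230.50},
    {"customer_id": "C-1002", "name": "Jose Reyes", "email": "jose.reyes@example.ph",
     "mobile": "+63 918 765 4321", "birth_date": "1975-11-30", "balance": 820.00},
    {"customer_id": "C-1001", "name": "Maria Santos", "email": "maria.santos@example.ph",
     "mobile": "+63 917 123 4567", "birth_date": "1988-04-12", "balance": 15001.25},
]


def pseudonym(value: str, key: bytes, prefix: str = "", length: int = 12) -> str:
    """Deterministic keyed pseudonym: same input + same key -> same token, so
    referential integrity survives masking; without the key (kept out of the
    test environment) the token cannot be reversed to the original value."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{prefix}{digest[:length]}"


def mask_name(name: str, key: bytes) -> str:
    """Replace the real name with a stable but meaningless label."""
    return "Customer " + pseudonym(name, key, length=6)


def mask_email(email: str, key: bytes) -> str:
    """Keep the domain (test mail-routing rules often depend on it), replace the
    local part with a pseudonym so no real mailbox is addressable."""
    local, _, domain = email.partition("@")
    return f"{pseudonym(local, key, 'user-')}@{domain}"


def mask_mobile(mobile: str) -> str:
    """Format-preserving partial masking: keep the first two and last two digits,
    replace the rest with X, and leave spacing/punctuation untouched so the
    application's length and format validations behave as in production."""
    digit_positions = [i for i, ch in enumerate(mobile) if ch.isdigit()]
    # Too short to keep anything safely: mask every digit.
    keep = set(digit_positions[:2] + digit_positions[-2:]) if len(digit_positions) >= 4 else set()
    return "".join(
        "X" if ch.isdigit() and i not in keep else ch
        for i, ch in enumerate(mobile)
    )


def generalize_date(iso_date: str) -> str:
    """Keep only the year (as a valid ISO date) so age-band logic still works
    in tests while the exact birth date is not exposed."""
    return iso_date[:4] + "-01-01"


def mask_record(record: dict, key: bytes) -> dict:
    """Apply one masking rule per PII field; non-PII fields (e.g. balance)
    pass through unchanged, which is itself a policy decision to document."""
    masked = dict(record)
    masked["customer_id"] = pseudonym(record["customer_id"], key, "cust-")
    masked["name"] = mask_name(record["name"], key)
    masked["email"] = mask_email(record["email"], key)
    masked["mobile"] = mask_mobile(record["mobile"])
    masked["birth_date"] = generalize_date(record["birth_date"])
    return masked


def mask_dataset(records: list, key: bytes) -> list:
    return [mask_record(r, key) for r in records]


def leaks_raw_pii(masked_records: list, original_records: list, fields=PII_FIELDS) -> bool:
    """Verification step: True if any original PII value survives verbatim
    anywhere in the masked output. Run this before releasing a test dataset."""
    raw_values = {str(r[f]) for r in original_records for f in fields}
    for m in masked_records:
        blob = " ".join(str(v) for v in m.values())
        if any(raw in blob for raw in raw_values):
            return True
    return False


if __name__ == "__main__":
    # Assumption: in practice the key is read from a secret store used only by
    # the masking job; it must never ship with the masked data or the repo.
    key = b"demo-only-key-keep-outside-test-env"
    masked = mask_dataset(SAMPLE_RECORDS, key)
    for row in masked:
        print(row)
    print("raw PII leaked:", leaks_raw_pii(masked, SAMPLE_RECORDS))
```

The design choice worth noting for an auditor is the split between reversible-with-key pseudonyms (identifiers that must still join across tables) and irreversible generalization or partial masking (dates, phone numbers). Keeping the key outside the non-production environment is what turns the pseudonym into a real reduction of exposure rather than a cosmetic rename, and the final leak check gives you evidence that the masking actually applied to the whole export.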

Web Filtering and Secure Web Use (A.8.x – Technological)

ISO 27001:2022 acknowledges that the web is a major attack vector and adds clarity around web content filtering, safe browsing, and controlling access to risky sites.

Why this matters in the Philippines:
Social media usage, messaging apps, and casual browsing are widespread in local workplaces. Phishing and malware typically arrive via:

  • Malicious links

  • Compromised websites

  • Drive-by downloads

Formal web filtering and secure browsing policies reduce a huge portion of user-driven attack surface, directly supporting both ISO 27001 and DPA-compliant defenses.

Secure Coding and Application Security (A.8.x – Technological)

Controls related to secure development have been modernized. There is stronger emphasis on:

  • Secure coding practices

  • Security testing (SAST, DAST, code review)

  • Managing vulnerabilities across the software lifecycle

Why this matters in the Philippines:
Local software development shops, fintechs, and platforms that store or process personal data are increasingly building custom applications. Many of the breaches investigated globally trace back to insecure development practices.

Integrating secure coding into the ISMS helps you:

  • Align with NPC expectations for “reasonable security”

  • Reduce exploitable vulnerabilities before deployment

  • Provide assurance to clients (especially foreign ones) that your tech stack is built with security by design

What Stays the Same: ISMS Core Requirements

While controls were reorganized, the core ISMS structure remains largely intact:

  • Context of the organization

  • Leadership and commitment

  • Risk assessment and risk treatment

  • Statement of Applicability (SoA)

  • Internal audit

  • Management review

  • Continual improvement

For Philippine organizations already certified to ISO 27001:2013, this means the foundation of your ISMS is not obsolete. You are not starting from scratch; you are updating and realigning your controls and documentation to match the new Annex A and new control expectations.

Impact on Philippine Organizations: DPA Compliance and NPC Expectations

Stronger Mapping Between ISO 27001 and DPA Security Requirements

ISO 27001:2022’s clarified controls allow a more direct mapping to:

  • DPA requirements on organizational, technical, and physical measures

  • NPC advisory on breach management, privacy impact assessments (PIAs), and outsourcing

For example:

  • Threat intelligence, web filtering, and secure development tie into preventing data breaches.

  • Cloud governance and ICT continuity support accountability for third-party and disaster-related risks.

  • Data masking and improved access controls support data minimization and least privilege.

When an incident occurs, being aligned with ISO 27001:2022 helps demonstrate that your controls are modern, risk-based, and aligned with well-recognized standards.

Higher Expectations for Evidence and Operationalization

NPC investigations and compliance checks increasingly look for evidence that controls are implemented, monitored, and reviewed. ISO 27001:2022 reinforces:

  • Documented and tested incident response

  • Regular risk assessments and updates

  • Monitoring and logs for critical systems

  • Clear roles, responsibilities, and competence

For Philippine firms, this means that simply having a policy manual and appointing a DPO is no longer sufficient. The 2022 update reflects a world where cloud, remote work, and new threat vectors are standard—and regulators will expect you to have responded to that reality.

Transitioning from ISO 27001:2013 to 2022: A Structured Approach

If your organization in the Philippines is already certified (or aligned) to ISO 27001:2013, here’s a practical way to manage the transition.

Step 1: Gap Assessment Against the New Annex A

Perform a gap analysis between your current controls and the new 93-control structure:

  • Map your existing controls to the new control list

  • Identify areas where you already meet the intent of new controls but haven’t documented them

  • Highlight genuine gaps—e.g., threat intelligence, cloud governance, data masking

This helps distinguish documentation updates from new work.

Step 2: Update Risk Assessment and Statement of Applicability

Your risk assessment needs to reflect:

  • Modern threats (cloud, ransomware, remote work, supply chain)

  • Updated business processes and technologies

Then, update your Statement of Applicability (SoA) using the 93 controls. This document becomes central to audits and NPC discussions because it explains:

  • Which controls you implemented

  • Which ones you excluded

  • Why those decisions are risk-justified

Step 3: Integrate New Controls into Daily Operations

For new or significantly updated controls (e.g., threat intelligence, cloud governance, data masking, ICT readiness), don’t treat them as annexes in a manual. Instead:

  • Assign owners and define responsibilities

  • Integrate them into existing processes (change management, vendor management, BCP, SDLC)

  • Define KPIs or measures where appropriate

This will make passing both ISO surveillance audits and DPA/NPC-related inquiries much easier.

Step 4: Train Key Stakeholders on the 2022 Changes

Management, IT, security, and process owners should understand:

  • What changed in ISO 27001:2022

  • How it affects their responsibilities

  • How it ties into DPA obligations and NPC expectations

For example, developers need to understand secure development controls, while procurement should know about cloud service selection criteria. Training turns the standard from an “ISO document” into embedded organizational practice.

Step 5: Plan the Formal Certification/Transition Audit

If formally certified:

  • Coordinate with your certification body about the transition timeline

  • Update your ISMS documentation and evidence set

  • Ensure at least one internal audit covers the new controls before the transition audit

If not formally certified but aligned, treat this as a chance to bring your ISMS up to current best practice and position yourself for certification if/when needed.

Conclusion: ISO 27001:2022 as a Modern Anchor for Security and Privacy in the Philippines

ISO 27001:2022 is more than a version bump; it is a recognition that information security in 2026 and beyond is shaped by cloud services, remote work, advanced threats, and integrated business continuity. For organizations in the Philippines subject to the Data Privacy Act and NPC oversight, the updated standard offers a modern, globally recognized anchor for:

  • Establishing robust governance

  • Managing security risks in complex digital environments

  • Demonstrating “reasonable and appropriate” measures under the DPA

  • Earning and maintaining trust from regulators, customers, and partners

Organizations that adapt early will find it easier to handle both ISO audits and DPA-related inquiries because their ISMS will reflect today’s risks and controls—not those of 2013.