ISO 27001:2013 placed information-security awareness, education and training under Annex A.7.2.2. The 2022 revision reorganised the entire control set; the awareness-related controls now sit at A.6.3 (Information security awareness, education and training) and A.6.5 (Responsibilities after termination or change of employment).
For organisations transitioning from the 2013 to the 2022 version of the standard, the awareness scope is broadly equivalent in intent — the substantive expectations have not shifted dramatically — but the control numbering changes and the Statement of Applicability must be updated accordingly.
Our ISO 27001 reporting was updated to the 2022 control set in early 2025. Customers running the old 2013-aligned reports were migrated automatically; the platform retains the historical reports against future audit queries while producing the current reports against the 2022 standard.
A second consideration: the 2022 standard places greater emphasis on the main-body clauses 7.2 (Competence) and 7.3 (Awareness) than the previous version. Auditors are increasingly asking for evidence against these clauses alongside the Annex A controls. The clauses are short but the evidence requirement is real; documentation that the workforce is aware of "the relevance and importance of their activities" and how they contribute to the ISMS is now standard audit territory.
If you are transitioning, validate that your awareness platform's ISO 27001 reporting maps to the 2022 control set including main-body clauses, not just the prior 2013 Annex A.