Since its introduction in October 2005, the international standard on information security, ISO, has been updated several times. The latest update, ISO 27001:2022, was published in October 2022 and represents a response to the fast-changing technology industry, the increasing sophistication of cyberattacks, and the audacity of cyber criminals.

Do you need to take action?

One of the questions we encounter the most is – why do I need to move to ISO 27001:2022? Currently there is a transition period during which your organisation can continue to be certified against ISO 27001:2013. However, by the cut-off date of October 2025, you can only be certified against the new 2022 version. It means that you need to start acting now, if you haven’t already, to remain certified to the standard.

ISO 27001 transition

Key differences between ISO 27001:2013 and ISO 27001:2022

The new version – ISO 27001:2022 – is an improved and modernised standard that is also more flexible. The changes make it easier to adapt to and customise for different businesses based on their processes and operations.

The actual changes within the accreditation are moderate – language and terminology changes to clauses 4 to 10 and the introduction of a few clauses and subclauses. There have been major changes to Annex A. This includes the addition of 11 new controls and the restructure of existing controls.

There are now 93 (versus 114 in ISO 27001: 2013) that have been grouped into four control sections:

  • People Controls

  • Organisational Controls

  • Technological Controls

  • Physical Controls

ISO 27001 transition process

The new controls that have been added include:

  • Threat intelligence

  • Information security for the use of cloud services

  • ICT readiness for business continuity

  • Data masking

  • Configuration management

  • Information deletion

  • Monitoring activities / Physical security monitoring

  • Data leakage prevention

  • Web filtering

  • Secure coding

The implementation guidance for each control has been revised to reflect the world as it is today, bringing in new and advanced security ideas and concepts.

ISMS - information security management system

Steps to move from ISO 27001:2013 to ISO 27001:2022

Between now and Oct 2025 you will need to:

  • Understand the changes to the standard and the new requirements.

  • Work with your staff to ensure they understand the changes and organise training where needed.

  • Assess your current ISMS – identify any gaps that have resulted from the new requirements.

  • Develop a transition plan – using the results from your gap assessment.

  • Implement the necessary changes.

  • Document and maintain your ISMS.

  • Conduct an internal audit to ensure you are ready for external transition audit.

  • Notify your certification body and undergo a transition audit – before 25 July 2025.

Key dates to remember when moving to ISO 27001:2022 certification

  • 25 October 2022 – new version released
  • 31 October 2022 – transition period of three years begins
  • 01 May 2024 – Organisations undergoing ISO27001 certification for the first time will be using ISO 27001:2022
  • 31 July 2025 – All transition audits must be conducted
  • 31 October 2025 – End of transition period and ISO 27001:2013 accreditation no longer valid
ISO 27001 2022 audit

What is a transition audit?

As upgrading to the new standard involves a change in scope, your certification body will conduct a transition audit.

The transition audit is to give the certification body assurance that you have effectively implemented the new controls and that your organisation is compliant with the requirements of the new standard.

This will be in addition to your annual surveillance audits and 3-year recertification audits.

Some certification bodies offer a pre-audit. This is not required if you have already conducted an internal gap assessment and an internal audit.

The number of days for the transition audit will depend on each certification body’s internal processes, but usually, it is one day. We would strongly advise getting in touch with your certification body and scheduling it now, as they will get extremely busy nearer to the cut-off date of 25th July 2025.

What’s next for your information security?

As with any new standard, there is bound to be a measure of uncertainty or confusion. There is also the perception that the deadline is a long time away. But as with any deadline, it creeps up more quickly than you anticipate, so the best thing is to make a start as soon as you can. Keep in mind, that the move from ISO 27001:2013 to ISO 27001:2022 certification is a n