How to transition from ISO 27001:2013 to ISO 27001:2022

Since its introduction in October 2005, the international standard on information security, ISO, has been updated several times. The latest update, ISO 27001:2022, was published in October 2022 and represents a response to the fast-changing technology industry, the increasing sophistication of cyberattacks, and the audacity of cyber criminals.

Do you need to take action?

One of the questions we encounter the most is – why do I need to move to ISO 27001:2022? Currently there is a transition period during which your organisation can continue to be certified against ISO 27001:2013. However, by the cut-off date of October 2025, you can only be certified against the new 2022 version. It means that you need to start acting now, if you haven’t already, to remain certified to the standard.

Upgrade from ISO 27001 2013 to ISO 27001 2022

Key differences between ISO 27001:2013 and ISO 27001:2022

The new version – ISO 27001:2022 – is an improved and modernised standard that is also more flexible. The changes make it easier to adapt to and customise for different businesses based on their processes and operations.

The actual changes within the accreditation are moderate – language and terminology changes to clauses 4 to 10 and the introduction of a few clauses and subclauses. There have been major changes to Annex A. This includes the addition of 11 new controls and the restructure of existing controls. There are now 93 (versus 114 in ISO 27001: 2013) that have been grouped into four control sections:

People Controls
Organisational Controls
Technological Controls
Physical Controls

The new controls that have been added include:

Threat intelligence
Information security for the use of cloud services
ICT readiness for business continuity
Physical security monitoring
Configuration management
Information deletion
Data masking
Data leakage prevention
Monitoring activities
Web filtering
Secure coding

The implementation guidance for each control has been revised to reflect the world as it is today, bringing in new and advanced security ideas and concepts.

How will transitioning to ISO27001:2022 benefit your business?

The changes to the standard might not be significant, but they do serve to make the accreditation stronger – and also make sure your information security management is equally strong. With that in mind, the real question (another one we have been asked many times by our clients) is how will these changes affect your business?

You will need to plan to implement the new controls and guidance. You do not have to bring in an external consultant, but you will need to start with a gap analysis. If you bring in external expertise, it will not only save you time but also allow you to consider new control designs, take a fresh look, simplify current processes, and identify automation opportunities.

Steps to move from ISO 27001:2013 to ISO 27001:2022

Between now and Oct 2025 you will need to:

Understand the changes to the standard and the new requirements
Work with your staff to ensure they understand the changes and organise training where needed
Assess your current ISMS – identify any gaps that have resulted from the new requirements
Develop a transition plan – using the results from your gap assessment
Implement the necessary changes
Document and maintain your ISMS
Conduct an internal audit to ensure you are ready for external transition audit
Notify your certification body and undergo a transition audit – before 25 July 2025

Key dates to remember when moving to ISO 27001:2022 certification

25 October 2022 – new version released
31 October 2022 – transition period of three years begins
01 May 2024 – Organisations undergoing ISO27001 certification for the first time will be using ISO 27001:2022
31 July 2025 – All transition audits must be conducted
31 October 2025 – End of transition period and ISO 27001:2013 accreditation no longer valid

What is a transition audit?

As upgrading to the new standard involves a change in scope, your certification body will conduct a transition audit.

The transition audit is to give the certification body assurance that you have effectively implemented the new controls and that your organisation is compliant with the requirements of the new standard.

This will be in addition to your annual surveillance audits and 3-year recertification audits.

Some certification bodies offer a pre-audit. This is not required if you have already conducted an internal gap assessment and an internal audit.

The number of days for the transition audit will depend on each certification body’s internal processes, but usually, it is one day. We would strongly advise getting in touch with your certification body and scheduling it now, as they will get extremely busy nearer to the cut-off date of 25^th July 2025.

ISMS - Information Security Management System

What’s next for your information security?

As with any new standard, there is bound to be a measure of uncertainty or confusion. There is also the perception that the deadline is a long time away. But as with any deadline, it creeps up more quickly than you anticipate, so the best thing is to make a start as soon as you can. Keep in mind, that the move from ISO 27001:2013 to ISO 27001:2022 certification is a necessary one, and one that can only benefit your business.

Also keep in mind that you don’t need to make the transition alone – at RightCue we have the experience and expertise to get you through your accreditation journey, whether you’re starting at the very beginning, or need help in moving to the new standard.

Specifically with the transition to new standard, we can help you do a gap analysis not only against the new controls, but overall against the new guidance covering the new standard (ISO 27002:2022). Being an external party, we bring in a fresh perspective, coupled with our knowledge of current security tools and techniques. We support you with implementation based on work we have already done on the new standard and which many of our clients have already adopted. As we are not auditing our own work, we are independent and impartial, and can help you capture the resource requirement for such a transition more objectively.

Take a look at our first-rate ISO 27001 consultancy services, or get in touch with us to discuss how we can help your business.

What our clients think

“We began looking at how to get ISO 27001 certification and CSA Star Level 2. After an extensive search it became clear that while many companies stated they could deliver both, RightCue was the only business that met our requirements.

“The RightCue team were instrumental in the process – to be blunt, if there was no RightCue, we wouldn’t have been able to do this. Their knowledge of controls was outstanding, and they really understood our business.”

IMRAN MUSAWI . SOLIDATUS

“We were keen to develop our IT security to the next level so we could expand our client base as well as giving existing clients further peace of mind. Working with RightCue has been a total pleasure. They are just lovely people and to us they are not only trusted advisors but they feel like part of our extended team.

"Working with RightCue has supported our growth as a business and given us the reassurance we need, knowing that our security and data protection is well developed and managed - that's thanks to RightCue.”

JANINE BISHUN . ACASTER LLOYD CONSULTING LTD

“In early 2021, the ATI established the FlyZero project, with ambitious targets and timeframes. RightCue were involved from the start, contributing ideas and sustainable solutions to keep the project data secure.

“RightCue are so supportive and helpful. They operate almost as a virtual CIO and worked with me on a long-term strategy for IT and security to ensure it remains fit for purpose as the business continues to grow.”

ANN DYSIEWICZ . AEROSPACE TECHNOLOGY INSTITUTE

“Beyond the accreditations, RightCue have caused us to think harder. To develop a maturity for our cyber security – processes and ideas for the future, and to think beyond IT to the business implications. Would I work with RightCue again? Absolutely, without hesitation…’

DAVID BATHO . EXETER COLLEGE

“RightCue helped us to achieve our cyber security accreditations including Cyber Essentials and IASME. But it’s more than that - the protection and management of data is now very much at the centre of our business.

“The RightCue team are absolute stars. Nothing is too much trouble. if you need help with cyber security, you can’t go wrong with RightCue.”

DAN CURTIS-ALLEN . FROST & SULLIVAN

"The team at Rightcue worked very closely with our internal team on our ISO27001 accreditation. They were extremely thorough and rigorous throughout the process, they acted professionally at all times and guided us through each step of the way to attain ISO27001. I would recommend Rightcue to help you achieve your security accreditations.”

SIMON ADAMS . PRD TECHNOLOGIES LTD

"They don’t just do the job and leave. They are at the end of the phone and happy to advise and engage at any time if you need them. If you’re considering Cyber Essentials accreditation, I’d definitely recommend RightCue.”

PAUL AUGUSTUS . ROWANS HOSPICE

"Whilst going for a computer security accreditation is never easy, the team at RightCue made it as painless as possible. They were clearly very knowledgeable and as helpful as they could be, given their role as a certification body…”

RAY SMITH . MUSKETEER SOLUTIONS LTD

“There is no doubt working with RightCue saved me a hell of a lot of time. I didn’t have to spend ages researching solutions. I would say RightCue are a very dependable resource, and are reassuringly competent. A good choice if you’re looking to acquire security accreditations…’

BEN COPE . CREATE IT

“We have been hugely impressed with the team at RightCue. They are very approachable and incredibly knowledgeable...Achieving those accreditations was so much easier, by working with an experienced and accomplished team of professionals, such as RightCue…’

SHELLEY HAWLEY . STALIS

“Having confidence in recommending them to our clients has allowed us to concentrate on playing to our strengths.

All of the RightCue team are very helpful and very willing to go the extra mile. They are very committed to delivering a good service, and that’s why we are always happy to refer them.”

PAUL LLOYD . LLOYD TECHNOLOGY

Get in touch with us

If you would like help with achieving your ISO 27001 accreditation, contact us to find out more about RightCue’s ISO 27001 consultancy services.

Not quite ready to get certified with ISO 27001? Take a look at our Cyber Essentials Plus services for SMEs instead.

+44 (0)1256 260 780

EMAIL US

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.