How to transition from ISO 27001:2013 to ISO 27001:2022

Since its introduction in October 2005, the international standard on information security, ISO, has been updated several times. The latest update, ISO 27001:2022, was published in October 2022 and represents a response to the fast-changing technology industry, the increasing sophistication of cyberattacks, and the audacity of cyber criminals.

Do you need to take action?

One of the questions we encounter the most is – why do I need to move to ISO 27001:2022? Currently there is a transition period during which your organisation can continue to be certified against ISO 27001:2013. However, by the cut-off date of October 2025, you can only be certified against the new 2022 version. It means that you need to start acting now, if you haven’t already, to remain certified to the standard.

Upgrade from ISO 27001 2013 to ISO 27001 2022

ISMS - Information Security

Key differences between ISO 27001:2013 and ISO 27001:2022

The new version – ISO 27001:2022 – is an improved and modernised standard that is also more flexible. The changes make it easier to adapt to and customise for different businesses based on their processes and operations.

The actual changes within the accreditation are moderate – language and terminology changes to clauses 4 to 10 and the introduction of a few clauses and subclauses. There have been major changes to Annex A. This includes the addition of 11 new controls and the restructure of existing controls. There are now 93 (versus 114 in ISO 27001: 2013) that have been grouped into four control sections:

  • People Controls
  • Organisational Controls
  • Technological Controls
  • Physical Controls

The new controls that have been added include:

  • Threat intelligence
  • Information security for the use of cloud services
  • ICT readiness for business continuity
  • Physical security monitoring
  • Configuration management
  • Information deletion
  • Data masking
  • Data leakage prevention
  • Monitoring activities
  • Web filtering
  • Secure coding

The implementation guidance for each control has been revised to reflect the world as it is today, bringing in new and advanced security ideas and concepts.

ISO 27001 2022 compliance

Get ISO 27001 certification

How will transitioning to ISO27001:2022 benefit your business?

The changes to the standard might not be significant, but they do serve to make the accreditation stronger – and also make sure your information security management is equally strong. With that in mind, the real question (another one we have been asked many times by our clients) is how will these changes affect your business?

You will need to plan to implement the new controls and guidance. You do not have to bring in an external consultant, but you will need to start with a gap analysis. If you bring in external expertise, it will not only save you time but also allow you to consider new control designs, take a fresh look, simplify current processes, and identify automation opportunities.  

Steps to move from ISO 27001:2013 to ISO 27001:2022

Between now and Oct 2025 you will need to:

  • Understand the changes to the standard and the new requirements
  • Work with your staff to ensure they understand the changes and organise training where needed
  • Assess your current ISMS – identify any gaps that have resulted from the new requirements
  • Develop a transition plan – using the results from your gap assessment
  • Implement the necessary changes
  • Document and maintain your ISMS
  • Conduct an internal audit to ensure you are ready for external transition audit
  • Notify your certification body and undergo a transition audit – before 25 July 2025


ISO 27001 transition process steps

Requirements of ISO 27001

Key dates to remember when moving to ISO 27001:2022 certification

  • 25 October 2022 – new version released
  • 31 October 2022 – transition period of three years begins
  • 01 May 2024 – Organisations undergoing ISO27001 certification for the first time will be using ISO 27001:2022
  • 31 July 2025 – All transition audits must be conducted
  • 31 October 2025 – End of transition period and ISO 27001:2013 accreditation no longer valid

What is a transition audit?

As upgrading to the new standard involves a change in scope, your certification body will conduct a transition audit.

The transition audit is to give the certification body assurance that you have effectively implemented the new controls and that your organisation is compliant with the requirements of the new standard.

This will be in addition to your annual surveillance audits and 3-year recertification audits.

Some certification bodies offer a pre-audit. This is not required if you have already conducted an internal gap assessment and an internal audit.

The number of days for the transition audit will depend on each certification body’s internal processes, but usually, it is one day. We would strongly advise getting in touch with your certification body and scheduling it now, as they will get extremely busy nearer to the cut-off date of 25th July 2025.

ISO 27001 Audit

ISMS - Information Security Management System

What’s next for your information security?

As with any new standard, there is bound to be a measure of uncertainty or confusion. There is also the perception that the deadline is a long time away. But as with any deadline, it creeps up more quickly than you anticipate, so the best thing is to make a start as soon as you can. Keep in mind, that the move from ISO 27001:2013 to ISO 27001:2022 certification is a necessary one, and one that can only benefit your business.

Also keep in mind that you don’t need to make the transition alone – at RightCue we have the experience and expertise to get you through your accreditation journey, whether you’re starting at the very beginning, or need help in moving to the new standard.

Specifically with the transition to new standard, we can help you do a gap analysis not only against the new controls, but overall against the new guidance covering the new standard (ISO 27002:2022). Being an external party, we bring in a fresh perspective, coupled with our knowledge of current security tools and techniques. We support you with implementation based on work we have already done on the new standard and which many of our clients have already adopted. As we are not auditing our own work, we are independent and impartial, and can help you capture the resource requirement for such a transition more objectively.

Take a look at our first-rate ISO 27001 consultancy services, or get in touch with us to discuss how we can help your business.

ISO 27001 consultancy
What our clients think

“We began looking at how to get ISO 27001 certification and CSA Star Level 2. After an extensive search it became clear that while many companies stated they could deliver both, RightCue was the only business that met our requirements.

“The RightCue team were instrumental in the process – to be blunt, if there was no RightCue, we wouldn’t have been able to do this. Their knowledge of controls was outstanding, and they really understood our business.”


“We were keen to develop our IT security to the next level so we could expand our client base as well as giving existing clients further peace of mind. Working with RightCue has been a total pleasure. They are just lovely people and to us they are not only trusted advisors but they feel like part of our extended team.

"Working with RightCue has supported our growth as a business and given us the reassurance we need, knowing that our security and data protection is well developed and managed - that's thanks to RightCue.”


“In early 2021, the ATI established the FlyZero project, with ambitious targets and timeframes. RightCue were involved from the start, contributing ideas and sustainable solutions to keep the project data secure.

“RightCue are so supportive and helpful. They operate almost as a virtual CIO and worked with me on a long-term strategy for IT and security to ensure it remains fit for purpose as the business continues to grow.”


“Beyond the accreditations, RightCue have caused us to think harder. To develop a maturity for our cyber security – processes and ideas for the future, and to think beyond IT to the business implications. Would I work with RightCue again? Absolutely, without hesitation…’


“RightCue helped us to achieve our cyber security accreditations including Cyber Essentials and IASME. But it’s more than that - the protection and management of data is now very much at the centre of our business.

“The RightCue team are absolute stars. Nothing is too much trouble. if you need help with cyber security, you can’t go wrong with RightCue.”


"The team at Rightcue worked very closely with our internal team on our ISO27001 accreditation. They were extremely thorough and rigorous throughout the process, they acted professionally at all times and guided us through each step of the way to attain ISO27001. I would recommend Rightcue to help you achieve your security accreditations.”


"They don’t just do the job and leave. They are at the end of the phone and happy to advise and engage at any time if you need them. If you’re considering Cyber Essentials accreditation, I’d definitely recommend RightCue.”


"Whilst going for a computer security accreditation is never easy, the team at RightCue made it as painless as possible. They were clearly very knowledgeable and as helpful as they could be, given their role as a certification body…”


“There is no doubt working with RightCue saved me a hell of a lot of time. I didn’t have to spend ages researching solutions. I would say RightCue are a very dependable resource, and are reassuringly competent. A good choice if you’re looking to acquire security accreditations…’


“We have been hugely impressed with the team at RightCue. They are very approachable and incredibly knowledgeable...Achieving those accreditations was so much easier, by working with an experienced and accomplished team of professionals, such as RightCue…’


“Having confidence in recommending them to our clients has allowed us to concentrate on playing to our strengths.

All of the RightCue team are very helpful and very willing to go the extra mile. They are very committed to delivering a good service, and that’s why we are always happy to refer them.”


Get in touch with us

If you would like help with achieving your ISO 27001 accreditation, contact us to find out more about RightCue’s ISO 27001 consultancy services.

Not quite ready to get certified with ISO 27001? Take a look at our Cyber Essentials Plus services for SMEs instead.

+44 (0)1256 260 780