
Transition from ISO/IEC 27001:2013 to 27001:2022 by Oct 2025

Posted by: Muzaffar Mirza Date: 08 May 2025

Still certified to ISO/IEC 27001:2013? Now is the time to start your transition to ISO/IEC 27001:2022 to future-proof your information security management system. In this blog post, I explain the changes and what you need to do for a smooth transition by the 31 October 2025 deadline.

With complex cybersecurity threats, data privacy obligations, and digital transformation challenges, the need for a robust and up-to-date information security management system (ISMS) has never been greater. The updated ISO/IEC 27001:2022 standard provides the latest internationally recognised framework to help organisations safeguard their information assets, adapt to evolving threats, and build stakeholder trust. 

What is the latest version of ISO 27001? 

ISO/IEC 27001:2022 "Information security, cybersecurity and privacy protection — Information security management systems — Requirements" is the current edition of the standard and was published in October 2022. It replaces ISO/IEC 27001:2013; the three-year transition period ends on 31 October 2025. 

What’s New in ISO/IEC 27001:2022? 

The 2022 revision of ISO/IEC 27001 updates the 2013 version and introduces several enhancements that make it more relevant to today’s complex business and IT environments. Changes to ISO 27001 include: 


•  Streamlined controls: Annex A of ISO/IEC 27001:2022 has been reduced from 114 to 93 controls, reorganised into four themes: Organisational (37 controls), People (8), Physical (14) and Technological (34). 

•  11 new controls: ISO/IEC 27001:2022 (adopted in the UK as BS EN ISO/IEC 27001:2023, amended by A1:2024) introduces controls that had no equivalent in 2013: threat intelligence (5.7), information security for use of cloud services (5.23), ICT readiness for business continuity (5.30), physical security monitoring (7.4), configuration management (8.9), information deletion (8.10), data masking (8.11), data leakage prevention (8.12), monitoring activities (8.16), web filtering (8.23) and secure coding (8.28). 

•  Improved support for digital and remote operations: new and revised controls address remote working, ICT readiness for business continuity and secure software development. 

• Merging of controls: 57 controls from ISO/IEC 27001:2013 have been merged into 24 controls in the 2022 Annex A, one 2013 control has been split in two, and the remaining controls are carried over with renumbering and updated wording. 

• Introduction of control attributes: five attributes act as metadata tags on each control - control type (preventive, detective, corrective), information security properties (confidentiality, integrity, availability), cybersecurity concepts (identify, protect, detect, respond, recover), operational capabilities and security domains. They are intended to make controls easier to filter, map to business and regulatory requirements, and compare with other frameworks.  

• Changes to Clause 6.1.3 of ISO/IEC 27001:2022: beyond the new control set and attributes, the note to 6.1.3 c) now describes Annex A as a list of possible controls rather than a comprehensive one, and 6.1.3 d) spells out what the Statement of Applicability (SoA) must contain: the necessary controls, the justification for including them, whether each is implemented, and the justification for excluding any Annex A control. Organisations still compare the controls determined through risk treatment with Annex A to confirm none has been overlooked, and risk owners still approve the treatment plan and accept the residual risks (6.1.3 f). The clause is aligned with the ISO Harmonized Structure (Annex SL). 

• Changes to Clause 4.2 c) of ISO/IEC 27001:2022: the organisation must now determine which of the requirements of interested parties will be addressed through the information security management system.  

• Changes to Clause 5.3 of ISO/IEC 27001:2022: responsibilities and authorities for roles relevant to information security must be assigned and communicated within the organisation, including responsibility for ensuring the ISMS conforms to the standard and for reporting on ISMS performance to top management. This fully aligns with the Harmonized Structure shared by all ISO management system standards. 

• Changes to Clause 6.2 of ISO/IEC 27001:2022: objectives must be consistent with the information security policy, measurable where practicable, monitored, communicated and kept as documented information. The plan for achieving them must state what will be done, what resources are required, who is responsible, when it will be completed and how the results will be evaluated. 

• Enhanced terminology and structure: aligned more closely with Annex SL, the standard improves consistency with other ISO management systems such as ISO 9001 and ISO 14001, for example through the new Clause 6.3 Planning of changes. 

•  Other changes: Clause 8.1 now covers control of externally provided processes, products and services; Clauses 9.2 and 9.3 are split into numbered subclauses (9.2.1, 9.2.2, 9.3.1, 9.3.2, 9.3.3); 9.3.2 c) adds changes in the needs and expectations of interested parties as a management review input; and Clause 10 is reordered so that continual improvement (10.1) precedes nonconformity and corrective action (10.2). 
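The Clause 6.1.3 comparison and the control attributes are easier to see in code than in prose. The following is an added example written for this post, not TÜV SÜD tooling or anything from the standard itself: it checks a Statement of Applicability against an Annex A list, flags controls with no decision, decisions with no justification, identifiers that are not in the 2022 Annex A (such as 2013 numbering that was never migrated), and controls selected in the risk treatment plan but marked not applicable in the SoA, then counts applicable controls per control-type attribute. ANNEX_A is a constructed subset (the 11 controls new in 2022), the SoA rows are a constructed sample, and the control-type tags are the author's reading of the ISO/IEC 27002:2022 attribute tables and should be verified against your copy.

```python
"""Statement of Applicability (SoA) consistency check, modelled on
ISO/IEC 27001:2022 Clause 6.1.3 c) and d): compare the controls chosen during
risk treatment with Annex A, and confirm that every Annex A control has an
applicability decision backed by a justification.

Added example for this post; not TÜV SÜD tooling. ANNEX_A is a constructed
subset of the 93 Annex A controls (the 11 controls introduced in 2022), and
the control-type tags are the author's reading of the ISO/IEC 27002:2022
attribute tables: verify them against your own copy of the standard.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed subset of ISO/IEC 27001:2022 Annex A: identifier -> (title, control-type tags).
ANNEX_A: dict[str, tuple[str, set[str]]] = {
    "5.7":  ("Threat intelligence", {"#Preventive", "#Detective", "#Corrective"}),
    "5.23": ("Information security for use of cloud services", {"#Preventive"}),
    "5.30": ("ICT readiness for business continuity", {"#Corrective"}),
    "7.4":  ("Physical security monitoring", {"#Preventive", "#Detective"}),
    "8.9":  ("Configuration management", {"#Preventive"}),
    "8.10": ("Information deletion", {"#Preventive"}),
    "8.11": ("Data masking", {"#Preventive"}),
    "8.12": ("Data leakage prevention", {"#Preventive", "#Detective"}),
    "8.16": ("Monitoring activities", {"#Detective", "#Corrective"}),
    "8.23": ("Web filtering", {"#Preventive"}),
    "8.28": ("Secure coding", {"#Preventive"}),
}


@dataclass
class SoARow:
    """One SoA line: the decision, why it was taken, and implementation status."""
    applicable: bool
    justification: str = ""
    implemented: bool = False


@dataclass
class Findings:
    missing_from_soa: set[str] = field(default_factory=set)       # Annex A control with no decision
    unknown_ids: set[str] = field(default_factory=set)            # e.g. 2013 numbering left behind
    unjustified: set[str] = field(default_factory=set)            # decision recorded, no reason given
    treatment_vs_soa_conflict: set[str] = field(default_factory=set)  # needed by treatment, excluded in SoA

    def ok(self) -> bool:
        return not (self.missing_from_soa or self.unknown_ids
                    or self.unjustified or self.treatment_vs_soa_conflict)


def check_soa(soa: dict[str, SoARow], treatment_controls: set[str],
              annex_a: dict = ANNEX_A) -> Findings:
    """6.1.3 c)/d) comparison: every Annex A control needs a justified decision, the SoA
    must not carry identifiers outside Annex A, and a control the risk treatment plan
    relies on cannot at the same time be marked not applicable."""
    f = Findings()
    f.missing_from_soa = {cid for cid in annex_a if cid not in soa}
    for cid, row in soa.items():
        if cid not in annex_a:
            f.unknown_ids.add(cid)
        elif not row.justification.strip():
            f.unjustified.add(cid)
    f.treatment_vs_soa_conflict = {cid for cid in treatment_controls
                                   if cid in soa and not soa[cid].applicable}
    return f


def coverage_by_control_type(soa: dict[str, SoARow], annex_a: dict = ANNEX_A) -> dict[str, int]:
    """Count applicable controls per control-type attribute; a zero is a coverage gap
    worth raising with the risk owners."""
    counts = {"#Preventive": 0, "#Detective": 0, "#Corrective": 0}
    for cid, row in soa.items():
        if row.applicable and cid in annex_a:
            for tag in annex_a[cid][1]:
                counts[tag] += 1
    return counts


# Constructed SoA for a fictional organisation, with deliberate defects for the check to surface.
EXAMPLE_SOA: dict[str, SoARow] = {
    "5.7":      SoARow(True,  "SOC consumes vendor and ISAC threat feeds", True),
    "5.23":     SoARow(True,  "Production workloads run in public cloud", False),
    "5.30":     SoARow(True,  "DR plan and tested failover for core ICT", True),
    "7.4":      SoARow(False, "No premises of our own; fully remote workforce"),
    "8.9":      SoARow(True,  "Baselines enforced through infrastructure-as-code", True),
    "8.10":     SoARow(True,  ""),   # applicable, but no justification recorded
    "8.11":     SoARow(False, ""),   # excluded without a reason
    "8.12":     SoARow(True,  "DLP on mail gateway and endpoints", True),
    "8.16":     SoARow(True,  "Central log collection and SIEM alerting", True),
    "8.23":     SoARow(False, "Browser egress not filtered; risk R-17 accepted"),
    # 8.28 Secure coding is absent from the SoA altogether
    "A.14.2.1": SoARow(True,  "Secure development policy"),  # 2013 identifier never migrated
}
# Controls the (constructed) risk treatment plan says are necessary.
EXAMPLE_TREATMENT: set[str] = {"5.7", "8.23", "8.28"}

if __name__ == "__main__":
    findings = check_soa(EXAMPLE_SOA, EXAMPLE_TREATMENT)
    print("SoA consistent:", findings.ok())
    print(findings)
    print("Applicable controls by type:", coverage_by_control_type(EXAMPLE_SOA))
```

Running it on the sample reports 8.28 missing, A.14.2.1 unknown, 8.10 and 8.11 unjustified, and 8.23 in conflict between the treatment plan and the SoA; fixing those rows makes the check pass. A real run would load the full 93-control list and the organisation's SoA from its register rather than the inline sample.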

 

ISO/IEC 27001:2022 Transition Checklist

Need a clear roadmap for your migration? Tick off each phase below to stay on track for the 31 October 2025 deadline.

Transition check 1: Context & Scope

☐ Identify internal and external information-security and cyber-security issues.
☐ Determine whether climate change is a relevant issue for your ISMS (Amendment A1:2024 to Clause 4.1).
☐ List interested parties and the ISMS requirements they impose, including any climate-related requirements (A1:2024 note to Clause 4.2).
☐ Define which of those requirements will be addressed through the ISMS (Clause 4.2 c)).

Transition check 2: Policies & Procedures

☐ Confirm you have an up-to-date Information Security Policy.
☐ Confirm you have an Access Control Policy.
☐ Document your operational procedures from an information-security perspective.

Transition check 3: Risk Assessment & Treatment

☐ Perform an information-security risk assessment covering physical and information assets.
☐ Determine the controls needed to treat each risk, compare them with the 2022 Annex A (using ISO/IEC 27002:2022 for implementation guidance) and complete your Statement of Applicability with a justification for every inclusion and exclusion.
☐ Classify each risk by Confidentiality, Integrity and Availability (CIA) and by privacy impact.
☐ Conduct a DPIA or PII assessment where required.

Transition check 4: Objectives, Training & Change

☐ Set, monitor and record your ISMS objectives; communicate them to relevant parties.
☐ Put in place procedures for substantial changes (infrastructure, roles, processes).
☐ Deliver cyber-security awareness training and maintain a training matrix.
☐ Complete onboarding checks (DBS / BPSS) for new starters.

Transition check 5: Control Updates & Reviews

☐ Update operational controls to reflect the new Annex A structure.
☐ Include metrics on new controls and risks in your performance evaluations.
☐ Conduct your internal audit against ISO 27001:2022.
☐ Hold a management review covering the updated Annex A controls.
☐ Log non-conformities on new/changed controls and action improvements.

 

Why the ISO 27001 Transition to 2022 Matters 

All organisations certified to ISO/IEC 27001:2013 must transition to the 2022 version by 31 October 2025. If your organisation misses this deadline, its ISO/IEC 27001 certificate lapses and it may lose the right to display the certification mark, which is why the transition to ISO/IEC 27001:2022 needs to be completed before then.   

How TÜV SÜD can Help Your Organisation Transition to ISO/IEC 27001:2022 

1. Reviewing your current management system and security posture, and helping you update your control set so that it reflects the current threat landscape and addresses modern risks such as ransomware, supply chain attacks and cloud misconfiguration more effectively. In my auditing experience, I have seen many ISMSs that were built incorrectly or that work ineffectively. 

2. Providing concise and bespoke advice on changes and how these can be implemented and audited to reduce the complexity of maintaining your ISMS. 

3. Assessing your current operations to help you align with the new ISO/IEC 27001:2022 requirements. Where integrating with another ISO standard would be more efficient, we provide the structure for that, making it easier to run an Integrated Management System (IMS) across domains such as quality, environment, health and safety or business continuity. 

4. Helping you understand the new controls, such as ICT readiness for business continuity (5.30), so that your organisation is better prepared for disruptions, outages and cyber incidents. These are key areas that must be addressed: in my experience, many organisations overlook the root causes of their business continuity problems and then spend a great deal of money reinventing the wheel or buying off-the-shelf platforms to suit their needs. 

5. Offering prudent advice on alignment with ISO/IEC 27001:2022 which can enhance your organisation’s credibility with internal and external stakeholders such as employees, clients, partners, and regulators especially in heavily regulated sectors with stringent security expectations. 

Avoid the Last-Minute Rush to Transition to ISO 27001:2022 

Acting early gives you the time to plan, implement, train staff, and work with us and our auditors without pressure, avoiding last-minute nonconformities or certification gaps. Contact us to find out how we can help you save time and money.  

How We Carry Out Your Transition Strategy 

Transitioning does not require rebuilding your ISMS from scratch. It requires a targeted update to meet the new requirements of ISO/IEC 27001:2022. Here is how we support your transition: 


1. Perform a pre-audit assessment (also known as a gap analysis): compare your existing ISMS with the new ISO/IEC 27001:2022 clause requirements and the 2022 Annex A controls, using ISO/IEC 27002:2022 for implementation guidance. 

2. Update your risk assessment: reassess your risks against the new control set and your current operational realities, with a matching mitigation and treatment plan. Conducting ISO 27001 audits across many industries, I have seen how a thorough information and cyber security risk assessment and treatment plan directly reduces breaches and their impact on an organisation's IT infrastructure. 

3. Revise the Statement of Applicability (SoA): Review your existing Statement of Applicability and amend to reflect new, merged, and withdrawn controls. 

4. Update documentation and processes: Assist you in aligning your existing policies and procedures to the new structure and terminologies. 

5. Deliver training and awareness sessions: Enable your staff to understand new requirements and controls. 

6. Conduct internal audits: Assist you with internal auditing of the new controls in your audit programme ahead of external assessments to ensure your transition is smooth and painless. 

7. Report: Provide you with a detailed report and help you transition to the new standard.  

Your Next Steps for a Smooth Transition to ISO 27001:2022 

Rather than waiting for the 2025 deadline, act now to ensure a smoother, more strategic migration to ISO 27001:2022 enabling your organisation to build resilience, retain trust, and stay competitive in a fast-changing digital world. 

Contact our experienced ISO 27001 auditors who will guide you through the process and help you achieve certification efficiently and effectively. 

 


 
