The new version of the ISO27001 standard came out in October 2022, and we’re now beyond the date (1st May 2024) after which initial certification can no longer be to the 2013 version of the standard, so for new ISMSs it’s 2022 all the way. In this article we offer a seven step process to achieve the transition smoothly and effectively, based on our own knowledge of the new standard and the guidance available from certification bodies. We’re assuming you’re already certified to the 2013 version of the standard and are considering when and how to become certified to the 2022 version.
Before you can transition, you need to have as full an understanding as possible of the changes to the requirements of the standard. To help in this, we’ll give you a quick summary now.
It’s fair to say that this update has been driven almost exclusively by two forces: a desire to make the management system requirements match up with the latest Annex SL structure and wording, and the need to align Annex A of the standard with the 2022 version of the ISO27002 guidance.
Wording changes
Firstly, there are some wording changes in the following clauses:
Clause changes
There’s a new sub-clause 6.3 Planning of changes which deals with changes to the management system and requires any changes to be considered from the point of view of their purpose and consequences, the integrity of the ISMS, the resources available, and whether any changes to responsibilities and authorities are involved. This will require a simple planning process to be in place, with evidence that these areas have been considered. An easy way to show compliance with this additional clause is to manage the change from the 2013 version of the standard to the 2022 one using your new process.
Within Clause 9 (Performance evaluation) sub-clauses 9.2 (Internal audit) and 9.3 (Management review) have been further subdivided into 9.2.1 General, 9.2.2 Internal audit program, 9.3.1 General, 9.3.2 Management review inputs and 9.3.3 Management review results respectively. The two sub-headings in Clause 10 have been swapped around. This is mainly to aid readability and to match the latest definition of Annex SL (also known as the “Harmonized Structure”).
The new Annex A controls
But the main change in the 2022 version of ISO/IEC 27001 is the adoption of a new control set from the ISO/IEC 27002 guidance standard. This is included as Annex A of ISO/IEC 27001. Annex A in its new form consists of a total of ninety-three controls (there were previously 114), of which eleven are stated to be additions to the previous control set. Many controls from the previous version have been merged together, which is why there are now fewer controls than before even though some new ones have been added.
The number of control categories has been reduced from fourteen down to just four themes: Organizational, People, Physical and Technological controls.
If you need to understand how the old and new sets of controls relate to each other, this information is included at the back of the ISO/IEC 27002 guidance standard.
Officially you have until 31st October 2025 to move to the 2022 standard, but from everyone’s experience of such transitions previously, you’ll start to struggle to get an auditor the closer we get to that date. This means that it’s a good idea not to leave this until the last minute, but in the real world other factors may come into play to determine when you transition. These could include:
Having decided when you want to be audited to the new version, it’s then a case of meeting the new requirements.
Based on our quick summary of the changes above, there will be a number of things you’ll need to do to meet the new and changed requirements within the clauses of the management system. The main ones are going to be around the processes of the ISMS (in Clause 4.4), and the planning of changes (the new Clause 6.3).
Previously, the processes of the ISMS may have been taken for granted, with some clearly defined and others operating more vaguely in the background. For the 2022 version of the standard we now need to define them more clearly, including the ways in which they relate to each other. In simple terms, this may be via a diagram that shows each process as a box, with arrows between them showing information flow in a specified direction. You could go further than this and define attributes of each process such as inputs and outputs, process owners and process criticality. The level of detail of the processes could be as simple as the headings of the clauses of the standard, such as planning, operation and performance evaluation, but if you choose to be more specific that’s fine too. Don’t forget that to comply with the changes in Clause 8.1 you’ll need to establish criteria for the processes also. These could be basic measurements to be able to tell if each process is doing what it should.
For the planning of changes (Clause 6.3) we suggest a simple change management process which (as previously stated) you can use to manage the change to the ISMS from version 2013 to 2022 initially, so producing some immediately available evidence for audit.
Your risks may not have changed, but in ISO27001 terms the names of the controls you use to address them have. You’ll need to look at the Annex A controls you have specified for each risk and assess which of the new control set should be referenced instead. The ISO27002 guidance standard provides a useful mapping from the old control set to the new, so this may be a good reason to invest in a copy (as well as getting all of the detailed guidance on the updated control set). Don’t forget the eleven new controls and the risks they may help to treat. As a result of this exercise you should now have a new version of your risk treatment plan which is 2022 compliant.
Your current Statement of Applicability will refer to the 2013 control set, so you’ll need to produce a new version of this that lists the new 2022 controls instead. Using a combination of your updated risk assessment and some general knowledge about your environment, you then need to specify which of the ninety-three controls are applicable and which have been implemented.
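The two steps above (re-pointing each risk’s control references to the 2022 set, then drafting a new Statement of Applicability from the result) are usually done in a spreadsheet, but the logic is simple enough to script, and scripting it makes two failure modes visible that a manual re-labelling tends to hide: a 2013 reference that the mapping table doesn’t recognise (a typo, or a non-standard identifier) silently disappearing from the treatment plan, and the eleven new controls never being considered because nothing in the old plan maps to them. The following is an added example written for this article, not code from CertiKit’s toolkit or from the standard. The mapping table and control titles in it are a small constructed subset, written from memory; the authoritative correspondence table is the one at the back of ISO/IEC 27002:2022, and the sample risk treatment plan (risks R1 to R4) is invented for illustration.

```python
"""Rebuild control references in a risk treatment plan for ISO/IEC 27001:2022.

Added example, not CertiKit's toolkit code. It rewrites each risk's 2013 Annex A
references to the 2022 control set, reports references it cannot map, and
drafts a Statement of Applicability that flags the eleven controls new in 2022
(which no old-to-new mapping can select for you).

Assumption: MAPPING_2013_TO_2022 and CONTROLS_2022 are constructed subsets for
this example; use the full correspondence table at the back of ISO/IEC 27002:2022.
"""
from collections import defaultdict

MAPPING_2013_TO_2022 = {  # constructed subset of the ISO 27002:2022 correspondence table
    "A.5.1.1": "5.1", "A.5.1.2": "5.1",          # two policy controls merged into one
    "A.6.1.1": "5.2",
    "A.8.1.1": "5.9", "A.8.1.2": "5.9",
    "A.9.2.1": "5.16", "A.9.2.2": "5.16",
    "A.9.4.1": "8.3", "A.9.4.5": "8.3",
    "A.12.2.1": "8.7",
    "A.12.4.1": "8.15", "A.12.4.2": "8.15", "A.12.4.3": "8.15",  # three logging controls -> one
    "A.12.6.1": "8.8",
    "A.13.1.3": "8.22",
}

CONTROLS_2022 = {  # constructed subset; the real Annex A has ninety-three entries
    "5.1": "Policies for information security",
    "5.2": "Information security roles and responsibilities",
    "5.9": "Inventory of information and other associated assets",
    "5.16": "Identity management",
    "8.3": "Information access restriction",
    "8.7": "Protection against malware",
    "8.8": "Management of technical vulnerabilities",
    "8.15": "Logging",
    "8.22": "Segregation of networks",
    # the eleven controls that have no 2013 predecessor
    "5.7": "Threat intelligence",
    "5.23": "Information security for use of cloud services",
    "5.30": "ICT readiness for business continuity",
    "7.4": "Physical security monitoring",
    "8.9": "Configuration management",
    "8.10": "Information deletion",
    "8.11": "Data masking",
    "8.12": "Data leakage prevention",
    "8.16": "Monitoring activities",
    "8.23": "Web filtering",
    "8.28": "Secure coding",
}
NEW_IN_2022 = {"5.7", "5.23", "5.30", "7.4", "8.9", "8.10", "8.11", "8.12", "8.16", "8.23", "8.28"}


def control_sort_key(control_id):
    """Sort '8.8' before '8.15' (numeric order, not string order)."""
    parts = control_id.split(".")
    if parts[0] == "A":          # tolerate 2013-style 'A.x.y.z' identifiers too
        parts = parts[1:]
    return tuple(int(p) for p in parts)


def migrate_rtp(rtp_2013, mapping=MAPPING_2013_TO_2022):
    """Return (rtp_2022, unmapped).

    rtp_2022 maps each risk to its de-duplicated, sorted 2022 controls;
    unmapped lists every 2013 reference the table does not know, so a typo
    or a non-standard identifier is never silently dropped from the plan.
    """
    rtp_2022, unmapped = {}, defaultdict(list)
    for risk_id, old_refs in rtp_2013.items():
        new_refs = set()
        for ref in old_refs:
            if ref in mapping:
                new_refs.add(mapping[ref])
            else:
                unmapped[risk_id].append(ref)
        rtp_2022[risk_id] = sorted(new_refs, key=control_sort_key)
    return rtp_2022, dict(unmapped)


def draft_soa(rtp_2022, controls=CONTROLS_2022, new_in_2022=NEW_IN_2022):
    """Draft one SoA row per 2022 control.

    applicable is True when at least one risk selects the control, False when
    none does, and None for a control new in 2022 that no risk selects: those
    need an explicit decision, because the mapping cannot surface them.
    """
    selected_by = defaultdict(list)
    for risk_id, refs in rtp_2022.items():
        for ref in refs:
            selected_by[ref].append(risk_id)
    rows = []
    for control_id in sorted(controls, key=control_sort_key):
        risks = sorted(selected_by.get(control_id, []))
        if risks:
            applicable, why = True, "Selected to treat " + ", ".join(risks)
        elif control_id in new_in_2022:
            applicable, why = None, "NEW in 2022: assess against risk register before deciding"
        else:
            applicable, why = False, "Not selected by any risk: confirm and justify exclusion"
        rows.append({"id": control_id, "title": controls[control_id],
                     "applicable": applicable, "justification": why})
    return rows


# Constructed sample treatment plan; A.99.9.9 is a deliberate bad reference
# included to show the unmapped-reference report.
SAMPLE_RTP_2013 = {
    "R1": ["A.5.1.1", "A.5.1.2", "A.6.1.1"],
    "R2": ["A.12.4.1", "A.12.4.2", "A.12.4.3", "A.12.6.1"],
    "R3": ["A.9.2.1", "A.9.4.1", "A.9.4.5"],
    "R4": ["A.12.2.1", "A.13.1.3", "A.99.9.9"],
}

if __name__ == "__main__":
    new_rtp, unmapped = migrate_rtp(SAMPLE_RTP_2013)
    for risk_id, refs in new_rtp.items():
        print(f"{risk_id}: {', '.join(refs)}")
    print("Unmapped 2013 references:", unmapped)
    for row in draft_soa(new_rtp):
        flag = {True: "YES", False: "no", None: "REVIEW"}[row["applicable"]]
        print(f"{row['id']:>5}  {flag:6}  {row['title']}  -- {row['justification']}")
```

Run as-is, it prints the re-pointed plan (R2’s three logging controls collapse to the single control 8.15, for instance), reports A.99.9.9 as unmapped rather than losing it, and marks all eleven new controls as REVIEW so they cannot be overlooked when the Statement of Applicability is finalised. The exclusion wording for unselected controls is a prompt, not an answer: the auditor will still expect a justification for every control you mark as not applicable.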
The list of policies referenced by your Information Security Policy may need updating with the additional policies required for the new controls in Annex A of ISO/IEC 27001:2022.
This transition is a good opportunity to check through all of your ISMS documentation to find any other references you may have made to specific Annex A controls, and which will need to be amended.
Once you have completed the exercise to update your ISMS to the 2022 requirements, you’ll need to book in a transition audit with your certification body. Depending on who they are, they may insist on a transition review first, before adding a day or more on to your usual surveillance or recertification audit length. Because everyone is having to do the same, you may find that auditor availability becomes a problem, so the earlier you can get your request in, the better.
Your audit will then take place and, if the certification body is happy that you have addressed the new requirements adequately, a certificate will be issued to the new standard.
From experience of previous transitions of ISO27001 and other standards, this exercise shouldn’t be a nightmare; the changes to the management system are relatively minor but do require attention as they will be a significant focus of the audit. The mapping of 2013 controls to 2022 contained in ISO27002 will help a lot to smooth the way with Annex A and the Statement of Applicability and remember that this guidance document also contains new information that may help with your cyber defences. It was nine years between these versions of the standard, and eight between the previous ones, so this isn’t an exercise that will be coming around again any time soon. It’s really just a case of taking a deep breath and getting the job done.
For more guidance, download our free checklist for transitioning to ISO27001:2022.
Written by CertiKit’s CEO, Ken Holmes CISSP, CIPP/E. Ken is the primary author of CertiKit’s toolkit range, an ISO 27001 Lead Auditor and has helped to implement, operate and audit ISO certifications over a varied 30-year career in the Information Technology industry.
Originally published in June 2023 and updated in May 2024.
CertiKit provides solutions to help meet your ISMS implementation goals, including the ISO 27001 toolkit, ISO 27001 consultancy and internal auditing services, and has helped more than 4000 organizations worldwide with their compliance.
For more guidance on implementing the ISO27001:2022 standard, we’ve put together a list of our best free resources including video guides, blogs and downloadable documents.