ISO 27001 Transition: What Now?
On October 25, 2022, ISO/IEC 27001 (commonly called ISO 27001) was updated for the first time since 2013. Many organizations still haven’t modified their information security management system (ISMS) to conform to the new standard. Where does your business stand?
In this post, we’ll walk through the changes companies need to make and the associated deadlines so you can determine the right next step for your organization.
ISO 27001:2022 vs. ISO 27001:2013
First, let’s review the nine biggest changes in ISO 27001:2022:
- Updated Context and Scope: ISO 27001:2022 places increased emphasis on an organization’s internal and external context, including stakeholders and processes that impact the ISMS.
- Statement of Applicability (SoA): Organizations should revise their Statement of Applicability (SoA) to incorporate a mapping of the new 2022 controls (the actual SoA requirements are essentially the same).
- Controlled Changes to the ISMS: Clause 6.3 emphasizes the management of controlled changes in a structured and systematic way within the ISMS, ensuring changes do not compromise information security.
- Enhanced Operational Planning and Control: Clause 8.1 requires organizations to establish criteria for actions outlined in Clause 6 and systematically manage these actions. This clause underscores the importance of a structured approach to overseeing operational processes, including those involving third-party relationships.
- Reorganization and Reduction of Annex Controls: The new standard condenses annex controls from 114 to 93 to align more effectively with the evolving hybrid and remote work environments, acknowledging the need for a more focused and adaptable approach to information security controls.
- Introduction of New Controls: 11 new controls in the annex section formally address emerging threats and challenges, including threat intelligence, information security for the use of cloud services, ICT readiness for business continuity, and more.
- Recategorization of Controls: Controls have been restructured into four primary categories — organizational, people, physical, and technological — to improve clarity and simplify the structure.
- Emphasis on Needs and Expectations of Interested Parties: Clause 9.3 calls for management review to account for changes in the needs and expectations of stakeholders, underscoring the importance of aligning the ISMS with evolving stakeholder priorities and requirements.
- New Controls for Current Challenges: New controls aim to keep the standard current and relevant, covering areas such as threat intelligence, web filtering, and secure coding.
See a detailed breakdown of the changes.
ISO 27001 transition timeline
Organizations have until October 31, 2025 to transition to ISO/IEC 27001:2022, but that doesn’t mean you should put it off. Here’s a quick summary of the transition timeline:
- October 31, 2022: The transition period began.
- May 1, 2024: All new (first-time) ISO 27001 certifications should be on the 2022 version.
- July 31, 2025: All transition audits (for recertification and surveillance audits) should be completed.
- October 31, 2025: The transition period ends. All ISO 27001:2013 certifications will expire at this time.
Determine your organization’s next steps
Wondering what your business needs to do next to be ready for the 2025 transition deadline? Consider what steps have been taken so far and proceed accordingly.
For example, if your organization has yet to take any action, the first step is to make a plan. Consider how much time your team needs to perform all the necessary actions described in the following section. Work with your audit partner to make a unique plan that works with where you are in the ISO cycle.
One important factor to consider is budget — what resources will your team require to complete all necessary tasks by the October 31, 2025 deadline? Make sure you build anticipated costs into upcoming budgets so that company leadership and the specific teams involved can anticipate them.
If you’re ready to transition but not sure where to start, the rest of this article will give you a better idea of what you need to do next. As you begin the transition process, lean on your audit partner to ensure a seamless transition before the deadline.
How to update your ISO 27001 certification to the 2022 standard
If your organization is currently certified against the 2013 version of ISO 27001, there are several steps that must be taken in order to achieve certification under the new version.
Purchase the ISO/IEC 27001:2022 standard
Every organization that seeks certification must purchase the official published ISO 27001 standard from the ISO. ISO products come with a single-user license, so documents cannot be shared between organizations (or provided by auditors).
Perform a gap assessment
There are 11 brand-new controls in ISO 27001:2022, so organizations should expect to find gaps in their ISMS under the 2013 version of the standard. A gap assessment will help you map your existing security controls to the 2022 version and identify what changes are necessary. Based on the level of compliance expertise your organization has, this gap assessment can be performed internally or with the help of a third party.
Implement new security controls
Once the gap assessment is complete, your team should focus on implementing new controls or modifying current controls as needed based on what gaps were identified. Make sure you give your organization enough time to plan for these changes and implement them effectively before scheduling your transition audit.
Update the statement of applicability
The statement of applicability (SoA) is a required document for ISO 27001 certification. The SoA states which Annex A controls your business has applied in order to reduce information security risk. Because of the changes between the 2013 and 2022 versions of the standard, your SoA will need to be updated to consider the newly added and reorganized annex controls.
Revise the risk treatment plan
Now that you have identified the relevant risks to your organization (via the gap assessment), your formal ISO 27001 risk treatment plan should be revised accordingly. This document should detail what steps your organization has taken to address each of the information security risks that have been detected.
Schedule your transition audit
Remember, all ISO 27001:2022 transition audits should be completed by July 31, 2025 to ensure that all certification decisions can be made prior to the October 31, 2025 deadline. Ideally, you should schedule your transition audit before July 2025 to account for any unforeseen challenges and avoid unnecessary pressure on employees.
ISO 27001 transition FAQs
What is the most challenging aspect of the transition?
It will vary from company to company depending on the controls already in place. With that said, the reorganization of controls in the new version of the standard necessitates changes to documentation, which will require time and effort to overhaul.
Can my organization complete the transition audit during a surveillance year?
Yes, if your organization is due for a surveillance audit (rather than a full recertification audit), the transition audit can be added on. Keep in mind that this will expand the scope of the surveillance audit, so talk with your audit partner to determine the necessary time and resources required.
Is ISO 27001:2013 still globally recognized during the transition period?
Yes, if your company has an active ISO 27001:2013 certification, it will still be considered active until its expiration date or the end of the transition period (whichever comes first). As an added measure, your organization might consider adding the new 2022 controls to your statement of applicability. That way, if any stakeholders question you regarding the transition, you can easily demonstrate your organization’s readiness and the progress you are making toward certification under the 2022 standard.
Get started on your ISO 27001 transition today
At A-LIGN, we are committed to helping our clients maintain the highest standards in information security. Our team is actively issuing the 2022 version of ISO 27001, and our experts are ready to guide your organization through the process.
Don’t wait until the last minute. Reach out to A-LIGN today to make a transition plan before the 2025 deadline arrives.
Get started by downloading our ISO 27001 checklist.