Transition Timeline & Deadlines

ISO 27001:2022 was published on October 25, 2022, replacing ISO 27001:2013. All existing certifications must transition to the 2022 version by the deadline.

⚠️ Critical Deadline

October 31, 2025: All ISO 27001:2013 certificates expire. Organizations must complete transition audits before this date to maintain certification.

Key Dates

  • October 25, 2022: ISO 27001:2022 published
  • February 2023: Certification bodies began offering 2022 audits
  • April 2024: New certifications only against ISO 27001:2022
  • October 31, 2025: All 2013 certificates become invalid

What Happens If You Miss the Deadline?

If your organization does not complete the transition by October 31, 2025:

  • Your ISO 27001:2013 certificate becomes invalid
  • You cannot claim ISO 27001 certification
  • You must undergo full initial certification (Stage 1 + Stage 2) against ISO 27001:2022
  • Customer contracts requiring ISO 27001 may be affected

Changes to Main Clauses (4-10)

The good news: changes to the main ISMS requirements (Clauses 4-10) are relatively minor. The structure and intent remain the same.

Clause 4: Context of the Organization

Change: New clause 4.4 explicitly requires determining "the processes needed and their interactions."

Action: Document your ISMS processes and how they interact (process map recommended).

Clause 5: Leadership

Change: Minor wording clarification—no substantive changes.

Action: Review policy for alignment; typically no changes needed.

Clause 6: Planning

Change: Clause 6.2 now requires objectives to be monitored and documented. Clause 6.3 is new: "Planning of changes."

Action: Ensure objectives have metrics and monitoring processes. Document your ISMS change management approach.

Clause 7: Support

Change: Clause 7.4 now requires determining how to communicate (not just what, when, and who).

Action: Update communication procedures to include communication methods.

Clause 8: Operation

Change: Clause 8.1 now requires "criteria for processes" and "control of processes" including externally provided processes.

Action: Document criteria for operational processes and how outsourced processes are controlled.

Clause 9: Performance Evaluation

Change: Minor wording refinements. Monitoring and measurement requirements are clearer.

Action: Review monitoring approach; likely no changes needed.

Clause 10: Improvement

Change: Clause order changed (10.1 is now continual improvement, 10.2 is nonconformity). No substantive changes.

Action: Update document references if numbered by clause.

New Annex A Structure

The most significant change is the restructuring of Annex A controls. The 2013 version had 114 controls in 14 domains. The 2022 version has 93 controls in 4 themes.

Control Count Comparison

Aspect                 | ISO 27001:2013 | ISO 27001:2022
-----------------------|----------------|----------------------------
Total Controls         | 114            | 93
Control Domains/Themes | 14 domains     | 4 themes
New Controls           |                | 11
Merged Controls        |                | 24 merged into others
Deleted Controls       |                | 0 (all retained or merged)

New Four-Theme Structure

  • 5. Organizational Controls (37 controls): Policies, roles, processes, supplier relationships
  • 6. People Controls (8 controls): Screening, awareness, responsibilities, remote working
  • 7. Physical Controls (14 controls): Physical security, equipment, utilities
  • 8. Technological Controls (34 controls): Technical security measures, development, operations

Control Attributes (New Feature)

ISO 27002:2022 introduces five attributes to categorize each control:

  • Control Type: Preventive, Detective, Corrective
  • Information Security Properties: Confidentiality, Integrity, Availability
  • Cybersecurity Concepts: Identify, Protect, Detect, Respond, Recover
  • Operational Capabilities: Governance, Asset management, etc.
  • Security Domains: Governance and Ecosystem, Protection, Defence, Resilience

11 New Controls Explained

These controls address modern security challenges and practices:

5.7 Threat Intelligence

Requirement: Collect, analyze, and use threat intelligence relevant to information security threats.

Implementation: Subscribe to threat feeds, monitor industry alerts (CISA, sector ISACs), integrate into risk assessment process.

5.23 Information Security for Use of Cloud Services

Requirement: Establish processes for acquisition, use, management, and exit from cloud services.

Implementation: Cloud security policy, vendor assessment criteria, shared responsibility documentation, exit strategy.

5.30 ICT Readiness for Business Continuity

Requirement: Plan, implement, maintain, and test ICT systems for business continuity requirements.

Implementation: ICT-specific BCP, DR procedures, RTO/RPO definitions, testing schedule.

7.4 Physical Security Monitoring

Requirement: Continuously monitor premises for unauthorized physical access.

Implementation: CCTV, intrusion detection, monitoring procedures, incident response for physical breaches.

8.9 Configuration Management

Requirement: Establish, document, implement, monitor, and review configurations.

Implementation: Configuration standards, baseline management, hardening guides, drift detection.
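The "baseline management" and "drift detection" parts of 8.9 are easy to demonstrate in code. The following is an added example, not code from the original page or from ISO: it hashes a set of configuration files into an approved baseline, then compares a later snapshot against that baseline and reports what was added, removed or modified. The file names, contents and the `*.conf`/`*.cfg` patterns are constructed sample data; on a real host you would point `snapshot()` at paths such as /etc and keep the baseline file somewhere the monitored host cannot rewrite.

```python
"""Configuration baseline and drift detection (added example; not the page's
own code). Hashes a set of configuration files into a baseline, then compares
a later snapshot against it and reports files added, removed or modified.
The directory tree built in demo() is constructed sample data."""
import hashlib
import json
import tempfile
from pathlib import Path

# Constructed example patterns; adjust to the files your hardening guide covers.
CONFIG_PATTERNS = ("*.conf", "*.cfg")


def file_digest(path: Path) -> str:
    """SHA-256 of the file contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path, patterns=CONFIG_PATTERNS) -> dict:
    """Map each matching file (path relative to root) to its digest."""
    result = {}
    for pattern in patterns:
        for p in root.rglob(pattern):
            if p.is_file():
                result[p.relative_to(root).as_posix()] = file_digest(p)
    return dict(sorted(result.items()))


def save_baseline(snap: dict, path: Path) -> None:
    """Persist the approved baseline; in practice store it off-host and sign it."""
    path.write_text(json.dumps(snap, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Classify drift relative to the approved baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys()
                      if baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def has_drift(report: dict) -> bool:
    """True when any category of drift is non-empty (feed this to alerting)."""
    return any(report.values())


def demo() -> dict:
    """Build a constructed config tree, baseline it, introduce drift, report it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ssh").mkdir()
        (root / "ssh" / "sshd.conf").write_text(
            "PermitRootLogin no\nPasswordAuthentication no\n")
        (root / "app.cfg").write_text("debug = false\n")
        (root / "legacy.conf").write_text("enabled = true\n")
        baseline_path = root / "baseline.json"  # .json, so not itself hashed
        save_baseline(snapshot(root), baseline_path)

        # Simulated drift: a weakened sshd setting, an unreviewed new file,
        # and a file removed outside the change process.
        (root / "ssh" / "sshd.conf").write_text(
            "PermitRootLogin yes\nPasswordAuthentication no\n")
        (root / "extra.conf").write_text("x = 1\n")
        (root / "legacy.conf").unlink()

        return diff_snapshots(load_baseline(baseline_path), snapshot(root))


if __name__ == "__main__":
    report = demo()
    print(json.dumps(report, indent=2))
    print("drift detected:", has_drift(report))
```

Run on a schedule, the `diff_snapshots` output is the evidence auditors ask for under 8.9: an approved baseline, a record of every deviation, and a trail showing each deviation was either reverted or approved through the change process (Clause 6.3).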

8.10 Information Deletion

Requirement: Delete information when no longer required, meeting legal and contractual requirements.

Implementation: Data retention schedules, deletion procedures, verification methods, documentation.

8.11 Data Masking

Requirement: Use data masking according to policies and access requirements.

Implementation: Masking rules for sensitive data, anonymization in non-production environments, PII protection.
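One concrete way to meet "anonymization in non-production environments" is deterministic pseudonymization: the same real value always maps to the same token, so test data still joins across tables, but the original cannot be recovered without the key. The following is an added example, not code from the original page or from ISO; the masking key, the field rules and the customer rows are constructed sample data, and the choice to keep the last four card digits and reduce dates of birth to a year is an assumption about what a typical test environment needs.

```python
"""Deterministic masking of PII for non-production data (added example; not
the page's own code). Keyed HMAC pseudonyms keep referential integrity across
tables while making the original value unrecoverable without the key."""
import hashlib
import hmac
import re

# Constructed sample key. In practice the key lives only in the masking job's
# secret store, never in the non-production environment that receives the output.
MASKING_KEY = b"constructed-example-key-do-not-reuse"


def pseudonym(value: str, field: str, length: int = 12, key: bytes = MASKING_KEY) -> str:
    """Keyed, deterministic token. The field name is mixed in so the same string
    appearing in two different fields does not yield the same token."""
    mac = hmac.new(key, f"{field}:{value}".encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:length]


def mask_email(email: str) -> str:
    """Whole address goes into the token; the domain is replaced with a reserved
    one so masked data can never route mail to a real mailbox."""
    return f"user_{pseudonym(email.strip().lower(), 'email')}@example.invalid"


def mask_card(pan: str) -> str:
    """Keep the last four digits (a common support-desk requirement), mask the rest."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def generalise_dob(iso_date: str) -> str:
    """Reduce a date of birth to its year: enough for age-band test cases."""
    return iso_date[:4] + "-01-01"


# Per-field rules (constructed for this example); unknown fields pass through.
FIELD_RULES = {
    "email": mask_email,
    "name": lambda v: "Person " + pseudonym(v, "name", length=8),
    "card": mask_card,
    "dob": generalise_dob,
    "national_id": lambda v: "REDACTED",
}


def mask_record(record: dict) -> dict:
    """Apply the rule for each field that has one."""
    return {k: FIELD_RULES[k](v) if k in FIELD_RULES else v for k, v in record.items()}


def mask_rows(rows: list) -> list:
    return [mask_record(r) for r in rows]


# Constructed sample rows as they might appear in a production export.
SAMPLE_ROWS = [
    {"id": 1, "name": "Alice Example", "email": "Alice@corp.example",
     "card": "4111 1111 1111 1111", "dob": "1985-06-17", "national_id": "AB123456C"},
    {"id": 2, "name": "Bob Example", "email": "bob@corp.example",
     "card": "5500-0000-0000-0004", "dob": "1990-11-02", "national_id": "CD987654E"},
]

if __name__ == "__main__":
    for row in mask_rows(SAMPLE_ROWS):
        print(row)
```

The design point worth recording in the masking policy is which fields are pseudonymized (reversible only with the key, so still personal data under most regimes), which are generalized, and which are fully redacted; the rule table above is the artefact an auditor will ask to see alongside evidence that the key is not present in non-production.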

8.12 Data Leakage Prevention

Requirement: Apply data leakage prevention measures to systems handling sensitive information.

Implementation: DLP tools, endpoint monitoring, email filtering, USB controls, cloud access security.

8.16 Monitoring Activities

Requirement: Monitor networks, systems, and applications for anomalous behavior.

Implementation: SIEM, log aggregation, alerting rules, baseline definitions, incident correlation.

8.23 Web Filtering

Requirement: Manage access to external websites to reduce malware exposure.

Implementation: URL filtering, category blocking, exception processes, user awareness.

8.28 Secure Coding

Requirement: Apply secure coding principles to software development.

Implementation: Secure coding standards, code review, SAST/DAST tools, developer training, OWASP guidance.

Merged & Renamed Controls

Several 2013 controls have been merged or renamed. Here are the most significant:

2013 Controls                | 2022 Control                                                   | Notes
-----------------------------|----------------------------------------------------------------|-------------------------------------
A.8.1.1, A.8.1.2             | 5.9 Inventory of information and other associated assets       | Asset inventory and ownership merged
A.11.1.2, A.11.1.6           | 7.2 Physical entry                                             | Physical entry controls merged
A.14.1.2, A.14.1.3           | 8.26 Application security requirements                         | Application security merged
A.12.4.1, A.12.4.2, A.12.4.3 | 8.15 Logging                                                   | All logging controls consolidated
A.18.1.1, A.18.1.5           | 5.31 Legal, statutory, regulatory and contractual requirements | Compliance requirements merged

Step-by-Step Upgrade Plan

Phase 1: Assessment (Weeks 1-2)

  • Purchase ISO 27001:2022 and ISO 27002:2022 standards
  • Train ISMS team on 2022 changes
  • Conduct gap analysis against new requirements
  • Prioritize gaps based on effort and risk
  • Create transition project plan

Phase 2: Documentation Updates (Weeks 3-6)

  • Update ISMS scope and context documentation
  • Revise information security policy if needed
  • Create or update process documentation (Clause 4.4)
  • Update objectives with monitoring requirements (Clause 6.2)
  • Document change planning approach (Clause 6.3)
  • Revise communication procedures (Clause 7.4)

Phase 3: Statement of Applicability (Weeks 5-8)

  • Map existing controls to new 2022 numbering
  • Assess applicability of 11 new controls
  • Document justification for any exclusions
  • Update SoA with new structure and control references
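The first two Phase 3 steps (mapping existing controls to 2022 numbering and listing the 11 new controls for assessment) are mechanical enough to script. The following is an added example, not code from the original page or from ISO. Its mapping table contains only the rows from the "Merged & Renamed Controls" table above plus the 11 new controls listed earlier; it is deliberately partial, so every 2013 control it does not recognize is reported for manual mapping against the full correspondence table in ISO 27002:2022. The SoA record layout and the sample entries are constructed for the example.

```python
"""Remap a 2013-numbered Statement of Applicability onto the 2022 control set
(added example; not the page's own code). The mapping is PARTIAL: only the
merges the page lists, plus the 11 new 2022 controls it describes."""
from collections import defaultdict

# Rows from the page's merged-controls table (2013 control -> 2022 control).
MERGED_2013_TO_2022 = {
    "A.8.1.1": "5.9", "A.8.1.2": "5.9",
    "A.11.1.2": "7.2", "A.11.1.6": "7.2",
    "A.14.1.2": "8.26", "A.14.1.3": "8.26",
    "A.12.4.1": "8.15", "A.12.4.2": "8.15", "A.12.4.3": "8.15",
    "A.18.1.1": "5.31", "A.18.1.5": "5.31",
}

TITLES_2022 = {
    "5.9": "Inventory of information and other associated assets",
    "7.2": "Physical entry",
    "8.26": "Application security requirements",
    "8.15": "Logging",
    "5.31": "Legal, statutory, regulatory and contractual requirements",
}

# The 11 controls new in 2022; each needs an applicability decision and justification.
NEW_CONTROLS_2022 = {
    "5.7": "Threat intelligence",
    "5.23": "Information security for use of cloud services",
    "5.30": "ICT readiness for business continuity",
    "7.4": "Physical security monitoring",
    "8.9": "Configuration management",
    "8.10": "Information deletion",
    "8.11": "Data masking",
    "8.12": "Data leakage prevention",
    "8.16": "Monitoring activities",
    "8.23": "Web filtering",
    "8.28": "Secure coding",
}


def remap_soa(soa_2013: list) -> dict:
    """Build a 2022 SoA skeleton from 2013 entries.

    Each 2013 entry is {"control": "A.x.y.z", "applicable": bool, "justification": str}.
    A merged 2022 control is applicable if any of its 2013 sources was applicable;
    if the sources disagreed, the control is flagged for review so the merged
    justification is rewritten rather than copied. Unrecognized 2013 controls go
    to needs_manual_mapping; the new controls are emitted with status "assess".
    """
    controls = {}
    decisions = defaultdict(set)
    unmapped = set()
    for entry in soa_2013:
        old, new = entry["control"], MERGED_2013_TO_2022.get(entry["control"])
        if new is None:
            unmapped.add(old)
            continue
        c = controls.setdefault(new, {
            "title": TITLES_2022[new], "applicable": False,
            "sources": [], "justifications": [], "review": False,
        })
        c["sources"].append(old)
        c["justifications"].append(f"{old}: {entry.get('justification', '')}")
        c["applicable"] = c["applicable"] or bool(entry["applicable"])
        decisions[new].add(bool(entry["applicable"]))
    for new, c in controls.items():
        c["review"] = len(decisions[new]) > 1
    to_assess = [{"control": k, "title": v, "status": "assess"}
                 for k, v in NEW_CONTROLS_2022.items() if k not in controls]
    return {"controls": controls,
            "needs_manual_mapping": sorted(unmapped),
            "new_controls_to_assess": to_assess}


# Constructed sample SoA rows in 2013 numbering.
SAMPLE_SOA_2013 = [
    {"control": "A.8.1.1", "applicable": True, "justification": "Asset register in CMDB"},
    {"control": "A.8.1.2", "applicable": True, "justification": "Owner assigned per asset"},
    {"control": "A.12.4.1", "applicable": True, "justification": "Central syslog"},
    {"control": "A.12.4.2", "applicable": True, "justification": "Logs are write-once"},
    {"control": "A.12.4.3", "applicable": False, "justification": "No admin log yet (gap)"},
    {"control": "A.9.1.1", "applicable": True, "justification": "Access control policy"},
]

if __name__ == "__main__":
    result = remap_soa(SAMPLE_SOA_2013)
    for cid, c in result["controls"].items():
        print(cid, c["title"], "applicable" if c["applicable"] else "excluded",
              "(REVIEW)" if c["review"] else "")
    print("manual mapping needed:", result["needs_manual_mapping"])
    print("new controls to assess:", len(result["new_controls_to_assess"]))
```

In the sample, 8.15 Logging is flagged for review because its three 2013 sources did not agree on applicability, and A.9.1.1 is listed for manual mapping because the partial table above does not cover it. The "review" flag is the important output: a merged control inherits several justifications, and the transition auditor will expect one coherent statement, not a concatenation.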

Phase 4: Control Implementation (Weeks 6-12)

  • Implement new controls deemed applicable
  • Update procedures for merged/restructured controls
  • Train staff on new control requirements
  • Collect evidence of control operation

Phase 5: Internal Audit & Management Review (Weeks 10-14)

  • Update internal audit checklist for 2022 requirements
  • Conduct internal audit against ISO 27001:2022
  • Address any findings
  • Conduct management review covering transition

Phase 6: Transition Audit (Weeks 12-16)

  • Schedule transition audit with certification body
  • Complete transition audit
  • Resolve any nonconformities
  • Receive updated certificate

Gap Analysis Checklist

Use this checklist to assess your transition readiness:

Main Clause Changes

  • Clause 4.4: ISMS processes and interactions documented
  • Clause 6.2: Objectives have monitoring requirements
  • Clause 6.3: Change planning process documented
  • Clause 7.4: Communication methods defined
  • Clause 8.1: Process criteria and control of outsourced processes

New Controls Assessment

  • 5.7 Threat Intelligence: Assessed and documented (applicable/excluded)
  • 5.23 Cloud Services: Assessed and documented
  • 5.30 ICT Readiness for BC: Assessed and documented
  • 7.4 Physical Security Monitoring: Assessed and documented
  • 8.9 Configuration Management: Assessed and documented
  • 8.10 Information Deletion: Assessed and documented
  • 8.11 Data Masking: Assessed and documented
  • 8.12 Data Leakage Prevention: Assessed and documented
  • 8.16 Monitoring Activities: Assessed and documented
  • 8.23 Web Filtering: Assessed and documented
  • 8.28 Secure Coding: Assessed and documented

Transition Audit Options

You can complete your transition audit in several ways:

Option 1: Standalone Transition Audit

A dedicated audit focused on the transition changes. Best for organizations with a recent surveillance audit.

  • Duration: 1-2 days additional
  • Timing: Any time before deadline
  • Focus: Clause changes and new controls

Option 2: Combined with Surveillance

The transition is assessed during your scheduled surveillance audit. This is the most efficient approach.

  • Duration: Add 1 day to normal surveillance
  • Timing: At your next surveillance audit
  • Focus: Normal surveillance plus transition elements

Option 3: Combined with Recertification

The transition is assessed during the recertification audit. A good option if your recertification is due before the deadline.

  • Duration: Minimal additional time
  • Timing: At scheduled recertification
  • Focus: Full ISMS audit against 2022

Coordinate with your certification body early. Auditor availability for transition audits may be limited as the deadline approaches. Book your transition audit at least 3 months in advance.