ISO 27001:2013 to ISO 27001:2022 Transition

ISO/IEC 27001:2013 to ISO/IEC 27001:2022 Transition Overview
In October 2022, the ISO/IEC 27001 Information Security Management System standard received its first update since 2013.
ISO 27001 Clauses Changes
Minor changes were applied to the ISO/IEC 27001 Clauses related to:
- Greater emphasis on the context and scope of the ISMS,
- Updates to the Statement of Applicability (SOA),
- Increased focus on management control of changes that impact the ISMS, and
- Requirement for implementation of a structured approach to operational planning and control.
ISO 27001 Annex A Changes
The most significant change to the standard was the realignment and reduction of the existing Annex A controls, as well as the introduction of eleven (11) new Annex A controls centered around:
- Threat Intelligence
- ICT Readiness for Business Continuity
- Information Security for Use of Cloud Services
- Physical Security Monitoring
- Configuration Management
- Information Deletion
- Data Masking
- Data Leakage Prevention
- Monitoring Activities
- Web Filtering
- Secure Coding
ISO/IEC 27001:2022 Transition Timeline
Organizations currently certified under the ISO/IEC 27001:2013 standard have until October 31, 2025, to transition their ISMS to the ISO/IEC 27001:2022 version of the standard.
The transition timeline includes:
- October 31, 2022: The transition period began.
- May 1, 2024: All new (first-time) ISO 27001 certifications should be on the 2022 version.
- July 31, 2025: All transition audits (for recertification and surveillance audits) should be completed.
- October 31, 2025: The transition period ends. All ISO 27001:2013 certifications will expire at this time.
Transition Gap Assessment
- Based on the eleven (11) new Annex A controls, organizations may have gaps in their ISMS previously certified under the 2013 version of the ISO/IEC 27001 standard.
- Organizations should perform a gap assessment to map their existing controls to the 2022 version of the standard to help identify the changes required for their ISMS.
Cream City Compliance can assist your organization in performing the gap assessment and identifying next steps to achieve compliance with the 2022 version of the ISO/IEC 27001 standard.