ISO 27001:2022 Transition
- Andy Whillance
- Mar 5
2025 is the last year in which certified organisations can transition to the new version of ISO 27001. All certificates must be transferred to ISO 27001:2022 before 1st November 2025; certificates issued against the 2013 version are no longer valid after that date.
Certification bodies will assess this transition during either your next surveillance or renewal visit, usually adding a day on to the existing audit time to review how an organisation has incorporated new and changed requirements.
Changes to the standard itself (clauses 4-10) are fairly minimal: clause 4.2 now asks you to state which interested-party requirements the ISMS will address, clause 4.4 and clause 8.1 place more emphasis on a process approach (identifying the processes needed, their interactions and the criteria for controlling them), and a new clause 6.3 requires that changes to the management system are planned and controlled. These are straightforward to implement and do not require large changes to an existing management system.
Annex A has been significantly changed in ISO 27001:2022, although it is mostly a reordering and restructuring of the controls found in ISO 27001:2013. The 14 control areas organised by topic (e.g. Access Control, Supplier Relationships) have gone, with controls now organised into four themes: Organisational Controls, People Controls, Physical Controls and Technological Controls. The number of controls has also reduced from 114 to 93, although this is mostly a result of merging older controls and simplifying some topics such as access management.
There are 11 new controls that an organisation should consider (Annex A references in brackets):
Threat intelligence (5.7)
Information security for use of cloud services (5.23)
ICT readiness for business continuity (5.30)
Physical security monitoring (7.4)
Configuration management (8.9)
Information deletion (8.10)
Data masking (8.11)
Data leakage prevention (8.12)
Monitoring activities (8.16)
Web filtering (8.23)
Secure coding (8.28)
User endpoint devices (8.1) is often listed alongside these, but it is a merger of the 2013 controls on mobile devices and unattended user equipment rather than a genuinely new requirement. For each new control, be ready to show the auditor either the implemented measure or a justified exclusion in your Statement of Applicability.
If you would like any assistance during your transition activities, please get in touch and we can make the process simple.