ISO 27001:2013 TO ISO 27001:2022 TRANSITION PLANNING GUIDE

Transition to the revised standard before 31st July 2025

ISO/IEC 27001:2022 HAS REPLACED ISO/IEC 27001:2013

TRANSITION TO ISO 27001:2022: REQUIRED STEPS FOR CERTIFIED ORGANISATIONS

In October 2022, the ISO/IEC 27001 Standard was updated with several changes to its structure. ISO/IEC 27001:2022 is the latest version of the Standard and replaces the previous version, ISO/IEC 27001:2013; the changes reflect a modernised approach to managing information security risks. In the previous version, Annex A was divided into 14 categories, corresponding to the guidance in ISO 27002.

The ISO 27001:2013 controls were made up of 14 clauses, containing 114 different controls. In ISO/IEC 27001:2022, there are now 93 controls, grouped into four themes:

  • People (8 controls – Annex A 6.1-6.8)
  • Organisational (37 controls – Annex A 5.1-5.37)
  • Technological (34 controls – Annex A 8.1-8.34)
  • Physical (14 controls – Annex A 7.1-7.13)

Organisations currently certified under ISO 27001 must transition to the revised standard before 31st July 2025. All transition audits should be conducted by this date.

After 31st October 2025 the transition period will end and certificates for ISO/IEC 27001:2013 will no longer be valid. After this date, all ISO/IEC 27001:2013 certifications will expire or should be withdrawn, and any organisation with an expired ISO/IEC 27001:2013 certification will be subject to a full initial audit.


Transition Options

The transition may be conducted in one of three ways: via special audit, routine surveillance, or full recertification audit.

Special Audit: a separate audit for clients who would like to complete their transition as a one-off event

Routine Surveillance: a progressive approach for clients who would like to complete their transition during their scheduled ISO/IEC 27001:2013 surveillance audits

Recertification Audit: for clients who wish to complete their transition during their scheduled ISO/IEC 27001:2013 recertification audit

HOW INSICON CAN HELP TRANSITION TO ISO/IEC 27001:2022

Key steps for a smooth transition include:

  • Conducting a gap analysis.
  • Implementing changes to the ISMS.
  • Updating the Statement of Applicability.
  • Amending the Risk Treatment Plan as needed.
  • Introducing and managing new controls.

Insicon has a number of clients who have completed the ISO 27001:2013 to ISO 27001:2022 transition. We can work with you to review your current posture, advise on any gaps, and lead the process to get you ready for ISO 27001:2022 recertification.

Of course, Insicon can also help you start your ISO 27001 certification journey from scratch, or work with your senior leaders and executives on an overarching cyber security posture review.


ISO 27001 Transition Planning

Insicon can help maintain your compliance certification