If you’re still certified to ISO 27001:2013, you have until 31st October 2025 to transition to ISO 27001:2022. After this deadline, organisations that haven’t switched to the new version will have their certification withdrawn.
What are the key changes?
While the core clauses in the 2022 standard remain the same, additional subclauses and clarifying notes have been added in some areas. The most significant change is Annex A, where controls have been reorganised. Some controls have been merged, renamed or removed, while new ones have been introduced. Overall, there are fewer controls, now grouped into four categories: People, Organisational, Technological, and Physical.
How do I transition?
To begin, we recommend performing a gap analysis to assess how your current management system compares to the new standard.
From there, you can develop an implementation plan to address any gaps. Your Statement of Applicability (SoA) will need to be updated, and your risk assessment should be revised to reflect changes in the controls. For example, the introduction of the Threat Intelligence control might require team training or the implementation of new policies and procedures.
Next, conduct internal audits to verify that you’ve successfully addressed any gaps. If you don’t already have one scheduled, you’ll also need to conduct a management review to ensure leadership is informed and supportive of the changes.
Finally, we suggest scheduling your external audit as early as possible to avoid a backlog closer to the deadline. By planning in advance, you can better allocate resources and time.
How can Relatable Security help?
Transitioning can feel like a big task, especially when everyone has their regular responsibilities. You may recall the effort involved in achieving certification to the 2013 standard, and it can be challenging to find the time for this transition. That’s where we can assist.
We can conduct a gap analysis, provide a detailed work plan, and offer guidance throughout the process. Once you’ve completed the necessary changes, we’ll return to perform an internal audit to ensure everything is in place, helping you enter your external audit with confidence that you’ll maintain your certification.