ISO 27001:2022 Transition Support
If your business is still certified to ISO 27001:2013 Information Security, the countdown is officially on. You’ve got until 31st October 2025 to complete your transition to ISO 27001:2022. After that, your current certification will no longer be valid.
With less than six months to go, and audit calendars filling fast, waiting too long could mean missing your window, even if everything is in place.
Here, we provide an overview of the key changes, the transition process, and how we can support businesses like yours through the process.
How has ISO 27001 changed?
This standard is now officially called ISO/IEC 27001:2022 Information Security, Cybersecurity and Privacy Protection, a name that better reflects the world we live in today. It highlights how the standard has evolved to keep pace with the digital age, recognising the close relationship between information security, cybersecurity and privacy.
One of the biggest changes to ISO 27001:2022 is the overhaul of Annex A, the section that lists the security controls used to manage your information security risks.
The number of controls has been streamlined, reducing from 114 to 93, and they’re now grouped into four key control groups for easier understanding and implementation:
- A.5 Organizational Controls: 37 controls
- A.6 People Controls: 8 controls
- A.7 Physical Controls: 14 controls
- A.8 Technological Controls: 34 controls
Although the total number of controls has reduced, only 35 of the existing controls remain unchanged. To better reflect the information security challenges that we face today, the remainder have either been updated or created:
- 57 controls have been merged into 24 controls
- 23 controls have been renamed
- 1 control has been divided into two
- 11 brand new controls have been added
These new controls address real issues that businesses face every day, such as threat intelligence, cloud services, data masking and web filtering.
This update brings ISO 27001 in line with today’s information security challenges, making it easier for businesses to build a management system that’s not only compliant but effective and relevant in the real world.
What happens if you miss the deadline?
Missing the transition deadline could have serious consequences for your business.
After 31st October 2025, an ISO 27001:2013 certificate will no longer be valid, meaning you will be out of certification. As a result, this could impact your ability to:
- Meet client and contractual requirements
- Bid for tenders where ISO 27001 is mandatory
- Demonstrate ongoing compliance in regulated industries
With less than six months to go, now’s the time to get started. Acting early means less last-minute stress and, most importantly, helps protect your ISO 27001 certification and everything it supports in your business.
How long does the transition to ISO 27001:2022 take?
That depends on the size and complexity of your organisation, as well as how much work is needed and the resources you have available. Some organisations move quickly, while others may need a little more time. The key is to start as early as possible to allow plenty of time for any challenges you may face.
Most of our certification clients have already completed the transition to ISO 27001:2022. If you’re not currently certified by ISO QSL, that’s not a problem. We can still support you through the process. This is especially helpful if you’re working with a UKAS accredited provider and want support gaining and maintaining compliance as well as driving continuous improvement.
What challenges should we expect?
Common challenges in upgrading an ISO management system include resource constraints, resistance to change, lack of understanding of new requirements, and time pressures.
With a clear plan, the right support, and early engagement, these challenges are all completely manageable.
One challenge that is becoming more urgent is audit availability, especially if you’re UKAS accredited. As more businesses look to complete the transition to ISO 27001:2022, calendars are filling fast. Even if your management system is compliant, delays in booking your transition audit could still hold you back.
How can we make the transition easier?
With less than six months to go and limited audit availability, the best thing you can do is start now.
Here’s how to stay ahead of the last-minute rush and make your transition smoother:
- Book your transition audit ASAP. Even if you’re still working through the changes, getting a date in the diary gives you a goal to work towards and secures your spot before availability runs out.
- Start your upgrade assessment. Whether it’s through your auditor or with support from a consultant like ISO QSL, a GAP analysis will show you exactly what needs updating.
- Make a plan and get your team involved. Assign clear responsibilities, communicate what’s changing, and build in time for any training or documentation updates.
- Lean on expert support. If you’re not sure where to start, or just want to make the process easier, we can help guide you every step of the way.
The sooner you begin, the less pressure you’ll feel as the deadline approaches, and the better your chances of keeping your certification intact.
“It was a pleasure working with Julia, who is an experienced and very knowledgeable auditor. She’s provided us with additional, valuable information that will help with the smooth transition to the new ISO 27001:2022 standard.”
Global Language Services Limited
What is the process for upgrading to ISO 27001:2022?
Upgrading to ISO 27001:2022 might feel like a huge task, but with the right plan and support, it’s completely manageable. Here’s what the transition process typically involves, step by step.
Upgrade assessment
It all starts with an upgrade assessment. This is often carried out by your auditor or a trusted ISO consultant like ISO QSL. This is also known as a GAP analysis and involves comparing your current ISO 27001:2013 management system against the updated requirements of ISO 27001:2022.
The goal here is to understand what’s already in place, what needs updating, and what’s missing. The amount of work required will depend on how closely your current system aligns with the new standard.
Implementing the changes
Next, it’s time to complete the work identified during your upgrade assessment. This could include:
- Updating your policies and procedures
- Revising your Statement of Applicability to reflect the new Annex A controls
- Providing staff training on the updated requirements
If you’re working with ISO QSL, we’ll give you a clear list of recommendations to work through. You won’t be left to figure things out alone; we’ll guide you every step of the way with tailored advice, hands-on support, and access to our exclusive client portal. It’s packed with helpful templates and resources that are fully aligned with ISO 27001:2022, making the process smoother from start to finish.
Once the changes are in place, you’ll need to complete an internal audit to ensure everything is working as it should. If needed, we can support you with this too.
Certification audit
Once you’re confident you are compliant with the new requirements, it’s time for your certification audit. This is carried out by your certification body and assesses whether your management system meets the ISO 27001:2022 requirements. If all goes well, you’ll be awarded your updated ISO 27001 certificate.
Step 1: Upgrade assessment
A first meeting with your auditor, who will identify gaps in compliance and areas where you may need additional support.
Step 2: Implementing the changes
You’ll then be given time to complete the recommendations and update policies, procedures, and documentation to align with ISO 27001:2022.
Step 3: Certification audit
Once the requirements of the new Standard have been met, you’ll be ready for your certification audit.
Step 4: Maintain compliance
We can continue to support you with maintaining compliance with ISO 27001:2022 and identifying future improvement opportunities.
Why work with ISO QSL?
We’ve already supported almost all of our ISO 27001:2013 clients through their transition to ISO 27001:2022, with the vast majority passing their audit the first time. So, we know what works, and more importantly, how to make it work for you.
We provide a flexible and hands-on approach. We’ll guide you through every step, making the process simple, manageable, and as stress-free as possible. If challenges do arise, you won’t be facing them alone. Our experienced client care team will be on hand throughout the process to support you.
You’ll also get exclusive access to our client portal, packed with resources to save you time and make the process easier, including templates that align with the new ISO 27001:2022 requirements, like the updated Statement of Applicability.
If your team needs help understanding the changes, we can support them too. We offer staff training to get everyone up to speed and confident with the new requirements.
FAQs
ISO Standards are regularly updated to reflect industry best practices, regulatory changes, and new risk management approaches. Upgrading to ISO 27001:2022 isn't just about staying compliant; it's about ensuring your information security management system reflects today's risks, technologies, and ways of working. It's a chance to strengthen your resilience, improve processes, and stay ahead of the curve.
The previous version of ISO 27001 came out in 2013, and for a long time it did the job just fine. But a lot has changed since then, from the rise of cloud computing and remote working to evolving cybersecurity threats and privacy laws. The 2022 update brings the standard right up to date, giving you a better framework to manage modern risks and technologies.
There is a three-year window to complete the transition, and the deadline is fast approaching. You must complete the transition by 31st October 2025. After this date, ISO 27001:2013 won't be valid anymore, which means you'll be out of certification.
If you haven't transitioned by 31st October 2025, your ISO 27001:2013 certificate will no longer be valid. Loss of certification could have serious consequences on your business operations, contracts, and regulatory compliance. It is therefore recommended you complete the process as soon as possible.
Your ISO 27001:2013 certificate remains valid up until 31st October 2025, as long as you continue to meet its requirements. But after that, only the 2022 version will be recognised. To stay certified, you'll need to complete the upgrade before the deadline.
All key personnel should be involved, including senior management, compliance officers, internal auditors, and department heads. Employee involvement is also crucial to ensure smooth implementation and adherence to updated procedures.
You can manage the transition yourself, but it's not easy and can lead to non-compliance. Understanding the revised requirements, updating your documentation and training your team all take time and expertise. Without the right guidance, you may overlook key changes or run into delays. That's why many businesses choose to work with an ISO consultant like us. We make the process simpler, faster and much less stressful.
That's where we come in. At ISO QSL, we help you every step of the way. We offer internal support, training, consultancy, and guidance to help you achieve a seamless transition to ISO 27001:2022. You can also refer to our client portal for templated documents, specific ISO guidance documents online and industry forums for additional insights.