Home Resources Blog November 2023

Everything you need to transition to ISO 27001:2022

30 November 2023
5-minute read

Unsure about the ISO 27001:2022 (Information Security Management) transition? Enhance your understanding with ISO consultants and Associate Partner Programme (APP) members, Blackmores.

A brief overview of the ISO 27001:2022 transition

As many businesses know by now, the ISO 27001 (Information Security Management) standard has been updated from the 2013 version to the 2022 version. ISO 27001:2022 involves several changes to bring the standard up to date and simplify the use of controls.

Before delving into the fine print of ISO 27001:2022, it’s important to know that all current certificates (ISO 27001:2013) have until 31st October 2025 to transition.

2025 might seem like a while away. However, the Blackmores team recommends all businesses start reviewing and updating their information security management system as soon as possible – with an objective to transition in 2024.

Alongside ensuring compliance with the latest best practices, ISO 27001:2022 is significantly more in line with modern technologies. So, by reviewing the 2022 standard version now, you may find security gaps that ISO 27001:2013 didn’t account for when it was first introduced.

Read on to discover what the transition means for information security management systems.

Why has the ISO 27001 standard changed?

All standards undergo regular reviews to make sure the content remains appropriate. These standards then get reissued about every 7-8 years.

The last issue of ISO 27001 (Information Security Management) was in 2013. IT technology and security have changed significantly since then, causing some of the controls in 2013 to be uncomfortably out of date.

With various changes in place, it’s vital for businesses to get up to speed with ISO 27001:2022.

For your understanding: high-level changes to ISO 27001

At a very high level, the changes include 56 controls merged into 24 newly titled controls, alongside 11 completely new controls.

Also, all controls have been placed into four themed sections instead of the 14 control groups in ISO 27001:2013. These are:

  • Organisational 

  • People 

  • Physical 

  • Technological 

What ISO 27001 clauses have been changed?

Several ISO 27001 (Information Security Management) clauses have been updated, including:

  • 4.2 Understanding the needs and expectations of interested parties

  • 4.4 Information security management system

  • 5.1 Leadership

  • 6.1.3 Information security risk treatment

  • 6.2 Information security objectives and planning to achieve them

  • 6.3 Planning of changes 

  • 9.3.2 Management review inputs

Further clarifications have been added for: 

  • 6.1.3 Information security risk treatment – statement of applicability

  • 7.4 Communication

  • 8.1 Operational planning and control

  • 9.1 Monitoring, measurement, analysis and evaluation

  • 9.2.2 Internal audit programme

Alongside clause changes, several controls have been added – keep reading to find out more.

What ISO 27001 controls have been added?

11 new controls have been added to ISO 27001:2022 – as follows:

Organisational controls

  • A.5.7 Threat intelligence

  • A.5.23 Information security for use of cloud services

  • A.5.30 ICT readiness for business continuity

Physical controls

  • A.7.4 Physical security monitoring

Technological controls

  • A.8.9 Configuration management

  • A.8.10 Information deletion

  • A.8.11 Data masking

  • A.8.12 Data leakage prevention

  • A.8.16 Monitoring activities

  • A.8.23 Web filtering

  • A.8.28 Secure coding

Get up to speed with the new controls to enjoy a more seamless ISO 27001:2022 transition.

A five-phase approach to the ISO 27001:2022 transition

The Blackmores team recommends a phased approach to tackling your ISO 27001:2022 transition.

#1: Planning phase

The first phase is to plan out timescales for your ISO 27001:2022 transition.

You may be able to combine your transition visit with your next surveillance, in turn giving you a definitive date to work towards. However, this might not be possible if your surveillance visit is soon, as you need time to implement the required changes for ISO 27001:2022.

Don’t forget to inform leadership and personnel running the information security management system about the expected changes. This allows you to plan for key stakeholders to help with the implementation.

#2: Discovery phase

The next phase is to identify gaps between your ISO 27001:2013 management system compared to the latest version (ISO 27001:2022).

Conducting a gap analysis is the easiest way to spot gaps in terms of compliance with the new controls.

#3: Implementation phase

Addressing the outcomes of the gap analysis is the main aspect of the implementation phase.

For example, new controls you may not have considered seriously before (such as data masking, threat intelligence and web filtering) now require formally documented measures in place.

During this phase, there are also pieces of existing documentation that need updating, including:

  • Your statement of applicability

  • Risk assessment

  • Objectives

  • Action plans

  • Monitoring and measurement (reviewing what you are monitoring and measuring/how these are recorded)

  • Internal audit schedule/programme (to include the new controls)

#4: Communication phase

Once the implementation phase is complete, you must communicate these changes to the wider business.

A communications plan should be agreed upon beforehand to make everyone aware of:

  • New procedures

  • New documentation

  • Updates made to existing documentation

Any applicable awareness training around the new controls should be undertaken during this phase. Make sure you compile evidence of this training, ready for your certification body visit.

#5: Review phase

Your business will need to conduct internal audits against ISO 27001:2022, ahead of your certification body visit.

These ensure that you have successfully implemented the new controls, with all the necessary evidence to hand. Internal audits can be done by members of your team, or you can enlist the help of an independent third party to assist.

The final phase is a visit from your certification body to confirm your ISO 27001:2022 transition.

How is Blackmores helping clients with ISO 27001:2022?

“The ISO 27001:2022 transition can seem daunting, but it doesn’t have to be. If you need a guiding hand or access to awareness training covering the 11 new controls, there is a suite of ISO 27001 transition tools available. To find out more, visit our isologyhub over at Blackmores.”

For consulting services offered by Blackmores or any of NQA’s other Associate Partner Programme (APP) consultants, get in touch via sales@nqa.com.

Final thoughts from NQA

NQA thanks Blackmores for this informative piece about the ISO 27001:2022 (Information Security Management) transition.

Kickstart your transition to ISO 27001:2022 with NQA. Visit our information security page.

If you’re a consultant and would like to write content for NQA, please email our marketing team.

Thinking of joining our Associate Partner Programme (APP) in the UK? Visit our Consultant Area.