Home Resources Blog September 2023

The ISO 27001:2022 transition: Nearly one year on

25 September 2023
Learn everything you need to know about the ISO 27001:2022 (Information Security Management Systems) transition, with a handy timeline and Q&A section.

In October 2022, the latest version of ISO 27001 was released following the update of ISO 27002 the previous year.

Accredited certification bodies eager to certify the new standard underwent rigorous assessments to prove they were ready to issue certifications for the new version. NQA prepared for this milestone by updating internal processes, adjusting documentation and training auditors to ensure competence.

In the spring of 2023, NQA received sign-off from UKAS, setting us in motion to guide our valued clients through the ISO 27001:2022 transition.

Let’s take a breath and look into some of the learning gained over the past few months. We have compiled a list of some of the most common questions asked by our clients.

Found yourself here without an existing ISO 27001:2013 certification?

This article holds valuable information to help guide you straight to the ISO 27001:2002 version.

A quick re-cap of ISO 27001 (Information Security Management)

The world of information security is constantly evolving and has seen massive changes since the last version of the ISO 27001 standard was released in 2013.

Leading up to the publication of ISO 27001:2013, the primary threats included Denial of Service (DoS), malware, and spyware.

However, today's attackers have not only evolved but have also become more proficient, making their operations more professional.

Accelerated by the COVID-19 pandemic, threats to businesses and data have seen a shift towards more advanced methods of ransomware by actors such as organised crime gangs and nation-states.

Want to learn more about the changes made to ISO 27001:2022 compared to the 2013 version? Read a recent blog on the transition.

Timeline of the ISO 27001:2022 transition


The ISO 27001:2022 transition: Q&A

How long will the transition audit take?

Typically, the transition will take an extra day on top of your usual audit time. In some large or complicated cases, this time could increase.

Why is extra audit time required?

The additional day is part of the UKAS-mandated transition time to ensure:

  • All areas are covered in line with the new version of the standard.

  • Good, quality evidence is gathered to demonstrate your information security management system (ISMS) is working appropriately.

At what part of my audit cycle can I transition?

The transition to ISO 27001:2022 is best completed at your re-certification audit but can be completed during any of your surveillance visits. We can also complete a special visit to transition in certain circumstances.

What’s the last date I can complete the transition?

No ISO 27001:2013 certificate will be valid after 31 October 2025.

To give yourself time to transition and complete any corrective actions that may be identified, we suggest you aim to transition no later than the summer of 2025.

How do I demonstrate to the auditor that our ISMS is in line with ISO 27001:2022?

Follow the links at the bottom of this page and use our transitioning toolkit. Complete the Gap Analysis Tool to help you gather all the evidence you need.

What must I complete to transition to ISO 27001:2022?

A gap analysis tool is the easiest way to steer you through all the changes and additions to the ISO 27001:2022 standard.

If you complete our Gap Analysis Tool in line with the Gap Guide from the website, you should have all the evidence required.

What do I need to show the assessor at the ISO 27001:2022 transition audit?

At your transition audit, you must demonstrate your compliance with the 2022 version of the ISO 27001 standard by having your completed gap analysis tool available for review.

Do I have to use the NQA Gap Analysis Tool?

No, you don’t have to use our tool. You may have developed your own to use.

Just make sure it covers all the sections that the NQA Gap Analysis Tool does, as our assessors need to see that detail.

I haven’t yet been certified to ISO 27001 and have embedded my ISMS in line with the old standard version. What can I do?

We will certify new clients to the ISO 27001:2013 standard up to May 2024. You can then transition at your first surveillance visit a year later.

Does the auditor have to see evidence that #Attributes are used?

Use of the attributes is not mandated but can help you with the management of your ISMS. We have already seen customers use them to great benefit.

I’m almost ready to certify for ISO 27001:2013. Should I wait and change my ISMS in line with the 2022 version before getting certified?

The old standard (ISO 27001:2013) will still help you protect your assets so you can certify in line with your original plan (before June 2024) and start getting the advantages.

You can then transition at your next surveillance visit and have the new version (ISO 27001:2022) before the cut-off date of 31 October 2025.

If you choose to wait to gain certification, then make sure you log that as a risk.

What happens if I don’t transition to ISO 27001:2022?

If your surveillance audits have been completed in line with the rules, your certificate will remain valid until 31 October 2025. No certificates to ISO 27001:2013 will be valid from this date.

Transitioning from ISO 27001:2013 to ISO 27001:2022 may seem complex and confusing, but NQA is here to support you throughout the transition process and certification journey.

I would like more information. What should I do?

Upskill your knowledge of ISO 27001 and information security by enrolling on a training course.

Make the most of useful resources with our 'Mind-the-Gap' webinar and ISO 27001 Gap Guide.

For further questions and advice, contact our team of supportive experts today!