
ISO 27001:2022 Transition — What You Need to Know Before the Deadline

The transition period for ISO/IEC 27001:2022 has entered its final phase. Organisations certified to the 2013 version must act now to update their Information Security Management Systems and maintain certification. This guide covers every critical change, the new Annex A control structure, and a practical step-by-step transition roadmap.

ISO 27001 ISMS Transition

Why the 2022 Revision Matters

ISO/IEC 27001:2022 replaced the 2013 edition in October 2022. The International Accreditation Forum (IAF) established a three-year transition window, meaning all existing ISO 27001:2013 certificates must be transitioned to the 2022 version by 31 October 2025. After that date, any certificate still referencing the 2013 standard is considered invalid.

This is not a minor administrative update. While the core management system clauses (4 through 10) received relatively modest changes, Annex A underwent a complete restructuring. The previous 114 controls across 14 domains have been consolidated into 93 controls across just four themes. Eleven entirely new controls were introduced, reflecting the evolving threat landscape around cloud computing, threat intelligence, data masking, and secure development lifecycles.

For organisations that treated their ISMS as a static compliance exercise, this transition is a significant undertaking. For those with a mature, risk-driven approach, it is an opportunity to streamline and modernise their security controls.

Key Changes in the Management System Clauses

The management system requirements in Clauses 4 through 10 align with the Harmonised Structure (HS) used across all ISO management system standards. The 2022 revision introduces several targeted changes:

  • Clause 4.2 — Interested Parties: Organisations must now explicitly determine which requirements of interested parties will be addressed through the ISMS. This requires documented analysis, not just a stakeholder list.
  • Clause 4.4 — ISMS Scope: The standard now requires organisations to identify the processes needed for the ISMS and their interactions. This pushes towards process-based thinking rather than purely document-based compliance.
  • Clause 6.2 — Objectives: Information security objectives must now be monitored, and the organisation must explicitly document how monitoring is performed. A static objectives register no longer satisfies the requirement.
  • Clause 6.3 — Planning of Changes: This is a new sub-clause. When the organisation determines the need for changes to the ISMS, those changes must be carried out in a planned manner. This formalises change management at the management system level.
  • Clause 8.1 — Operational Planning and Control: Organisations must establish criteria for security processes and implement controls in accordance with those criteria. The emphasis has shifted from documenting processes to demonstrating that criteria-based controls are in place and effective.
  • Clause 9.1 — Monitoring and Measurement: The revised clause requires organisations to evaluate their information security performance and the effectiveness of the ISMS. The evaluation methods must be defined and produce comparable, reproducible results.
  • Clause 9.3 — Management Review: The management review inputs now explicitly include changes in the needs and expectations of interested parties relevant to the ISMS. This ties directly back to the new requirement in Clause 4.2.
  • Clause 10 — Improvement: The ordering has changed. Continual improvement (10.1) now comes before nonconformity and corrective action (10.2), signalling that improvement should be proactive, not solely reactive.

The New Annex A Structure: Four Themes Instead of Fourteen

The most visible change is the reorganisation of Annex A. The 2013 version had 14 control categories (A.5 through A.18) containing 114 controls. The 2022 version restructures these into four thematic groups:

Theme | Controls | Description
A.5 Organisational | 37 | Policies, roles, responsibilities, threat intelligence, asset management, access control, supplier relationships, compliance, and information security in project management.
A.6 People | 8 | Screening, employment terms, awareness, training, disciplinary process, responsibilities after termination, confidentiality agreements, and remote working.
A.7 Physical | 14 | Physical security perimeters, entry controls, securing offices, physical security monitoring, protection against environmental threats, working in secure areas, clear desk/clear screen, equipment siting, and maintenance.
A.8 Technological | 34 | User endpoint devices, privileged access, information access restriction, secure authentication, capacity management, malware protection, vulnerability management, configuration management, data masking, data leakage prevention, monitoring activities, web filtering, and secure coding.

Each control now has an associated set of attributes — control type (preventive, detective, corrective), information security properties (confidentiality, integrity, availability), cybersecurity concepts (identify, protect, detect, respond, recover), operational capabilities, and security domains. While organisations are not required to use these attributes, they provide a useful taxonomy for mapping controls to risk treatment plans and for communicating with stakeholders who may use different frameworks.

The 11 New Controls You Must Address

ISO 27001:2022 introduces eleven controls that had no direct equivalent in the 2013 version. Each reflects a specific gap identified through years of implementation experience and the changing threat landscape:

  • A.5.7 — Threat Intelligence: Organisations must collect and analyse information about threats to their information security. This means establishing processes to consume threat feeds, participate in sharing communities (ISACs), and integrate intelligence into risk assessments.
  • A.5.23 — Information Security for Use of Cloud Services: A dedicated control requiring organisations to establish processes for acquisition, use, management, and exit from cloud services. This includes defining security requirements for cloud providers and monitoring their compliance.
  • A.5.30 — ICT Readiness for Business Continuity: Goes beyond traditional business continuity planning to require that ICT systems are specifically prepared for disruption. Organisations must identify recovery time objectives and ensure ICT capabilities can meet them.
  • A.7.4 — Physical Security Monitoring: Premises must be continuously monitored for unauthorised physical access. This typically requires CCTV or equivalent surveillance, with defined monitoring procedures and retention policies.
  • A.8.9 — Configuration Management: Configurations of hardware, software, services, and networks must be established, documented, implemented, monitored, and reviewed. This addresses the widespread problem of configuration drift that leads to vulnerabilities.
  • A.8.10 — Information Deletion: Information stored in systems, devices, or other media must be deleted when no longer required. This control operationalises data minimisation principles and supports privacy compliance.
  • A.8.11 — Data Masking: Data masking must be applied in accordance with the organisation's topic-specific policy on access control, considering applicable legislation. This is critical for development and testing environments that previously used production data.
  • A.8.12 — Data Leakage Prevention: DLP measures must be applied to systems, networks, and endpoints that process, store, or transmit sensitive information. This formalises what many organisations were already doing informally.
  • A.8.16 — Monitoring Activities: Networks, systems, and applications must be monitored for anomalous behaviour, and appropriate events must be evaluated as potential security incidents. This effectively mandates security monitoring capabilities.
  • A.8.23 — Web Filtering: Access to external websites must be managed to reduce exposure to malicious content. This applies to all user endpoints with internet access.
  • A.8.28 — Secure Coding: Secure coding principles must be applied to software development. This includes coding standards, code review processes, use of approved libraries, and testing for security vulnerabilities.

Transition Timeline: Where We Stand

The IAF published MD 26:2022, which established the transition requirements for certification bodies and their clients. The key dates are:

  • October 2022: ISO/IEC 27001:2022 published. Transition period begins.
  • April 2024: Certification bodies should only conduct initial certification audits against the 2022 version. New certifications to the 2013 version are no longer issued.
  • 31 October 2025: All existing ISO 27001:2013 certificates become invalid. Organisations must have completed their transition audit before this date.

As of March 2026, the transition deadline has passed. If your organisation has not yet transitioned, your ISO 27001:2013 certificate is no longer valid. You will need to pursue recertification directly against the 2022 version, which involves a full Stage 1 and Stage 2 audit rather than a transition audit. This is more time-consuming and expensive than the transition path that was available before the deadline.

Organisations that missed the October 2025 deadline should contact their certification body immediately. Some bodies may offer expedited recertification pathways, but availability varies.

Step-by-Step Transition Roadmap

Whether you are completing a transition that is still in progress or recertifying from scratch, the following steps provide a structured approach:

Step 1: Conduct a Gap Analysis. Compare your current Statement of Applicability (SoA) against the new Annex A controls. Map each existing control to its 2022 equivalent. Identify the 11 new controls and assess your current maturity against each. Document gaps and prioritise them by risk exposure.

Step 2: Update Your Risk Assessment. The risk assessment methodology itself does not need to change, but the control set referenced in your risk treatment plan must be updated to reflect the 2022 Annex A (with implementation guidance in ISO/IEC 27002:2022). Reassess risks where new controls (such as threat intelligence or DLP) may change the treatment strategy.

Step 3: Revise Your Statement of Applicability. The SoA is the single most important document in your ISMS from an audit perspective. It must reference the 93 controls from the 2022 version, clearly state which are applicable and which are not (with justification), and describe how applicable controls are implemented.

Step 4: Update Policies and Procedures. Review all information security policies and procedures for alignment with the new control set. Pay particular attention to areas where new controls require new processes — threat intelligence gathering, cloud security management, configuration management, data masking, DLP, web filtering, and secure coding.

Step 5: Implement New Controls. For each of the 11 new controls that is applicable to your organisation, define the implementation approach, assign ownership, allocate resources, and set implementation timelines. Some controls (like A.8.16 Monitoring Activities) may require technology investment.

Step 6: Update Management System Documentation. Address the changes in Clauses 4-10, particularly the new Clause 6.3 requirement for planned changes, the updated monitoring requirements in Clause 9.1, and the revised management review inputs in Clause 9.3.

Step 7: Train Your Team. All personnel with ISMS responsibilities need to understand the changes. This includes internal auditors, who must be trained on the new control structure to conduct effective internal audits against the 2022 version.

Step 8: Conduct an Internal Audit. Before the certification or transition audit, perform a complete internal audit against the 2022 requirements. This is both a standard requirement and a practical necessity to identify any remaining gaps.

Step 9: Management Review. Hold a management review that addresses all the updated inputs required by Clause 9.3, including the results of the internal audit against the 2022 standard and the status of the transition project itself.

Step 10: Certification Audit. Engage with your certification body to schedule the transition audit (or recertification audit if past the deadline). Ensure all documentation is current and that evidence of control implementation is readily available.
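Steps 1 and 3 come down to one mechanical question an auditor will also ask: does the SoA reference every one of the 93 controls, with a justification for each, and has each of the eleven new controls been consciously decided? The script below is an added example, not part of the original post or any BALTUM tooling. It generates the 2022 control identifiers from the theme counts in the table above (A.5.1 to A.5.37, A.6.1 to A.6.8, A.7.1 to A.7.14, A.8.1 to A.8.34), parses a constructed SoA in a simple CSV layout (the column names are an assumption, not a standard format), and reports controls that are missing, lack a justification, still carry 2013-style numbering, or are new controls marked not applicable and therefore deserve a second look at their justification.

```python
"""Added example: SoA coverage check against the ISO/IEC 27001:2022 Annex A
control set. Not from the original post; the SoA rows are constructed data
and the CSV layout (control,applicable,justification) is an assumption."""
from collections import defaultdict

# Themes and control counts exactly as stated in the post's table.
THEMES = {
    "A.5": ("Organisational", 37),
    "A.6": ("People", 8),
    "A.7": ("Physical", 14),
    "A.8": ("Technological", 34),
}

# The eleven controls introduced in 2022 (identifiers from the post).
NEW_CONTROLS = {
    "A.5.7", "A.5.23", "A.5.30", "A.7.4", "A.8.9", "A.8.10",
    "A.8.11", "A.8.12", "A.8.16", "A.8.23", "A.8.28",
}


def annex_a_2022():
    """Return all 93 control identifiers, A.5.1 ... A.8.34, in theme order."""
    return [f"{theme}.{n}" for theme, (_, count) in THEMES.items()
            for n in range(1, count + 1)]


def parse_soa(text):
    """Parse an SoA in the assumed layout: control,applicable(yes/no),justification.

    The justification may itself contain commas, so the line is split at most twice.
    """
    rows = {}
    for line in text.strip().splitlines()[1:]:  # first line is the header
        control, applicable, justification = (f.strip() for f in line.split(",", 2))
        rows[control] = (applicable.lower() == "yes", justification)
    return rows


def check_soa(rows):
    """Return findings grouped by category; an empty dict means no findings."""
    findings = defaultdict(list)
    expected = annex_a_2022()
    for control in expected:
        if control not in rows:
            findings["missing"].append(control)
            continue
        applicable, justification = rows[control]
        if not justification:
            # Both applicable and non-applicable controls need a stated reason.
            findings["no_justification"].append(control)
        if control in NEW_CONTROLS and not applicable:
            # Excluding a new control is allowed, but review the justification.
            findings["new_control_excluded"].append(control)
    for control in rows:
        if control not in expected:
            # Typically leftover 2013 numbering (A.9 to A.18, three-part IDs).
            findings["unknown_identifier"].append(control)
    return dict(findings)


def theme_summary(rows):
    """Applicable controls per theme as (applicable, total) for the SoA cover sheet."""
    return {
        theme: (sum(1 for c, (yes, _) in rows.items()
                    if c.startswith(theme + ".") and yes), count)
        for theme, (_, count) in THEMES.items()
    }


# Constructed sample SoA: everything implemented except a few deliberate defects.
_DEFECTS = {"A.8.23", "A.5.7", "A.8.11"}
SAMPLE_SOA = "control,applicable,justification\n" + "\n".join(
    f"{c},yes,Implemented; see policy register" for c in annex_a_2022()
    if c not in _DEFECTS
) + (
    "\nA.5.7,yes,"                                      # new control, no justification
    "\nA.8.11,no,No non-production use of personal data"  # new control excluded
    "\nA.12.4.1,yes,Event logging (2013 numbering)"       # stale identifier; A.8.23 is absent
)

if __name__ == "__main__":
    soa = parse_soa(SAMPLE_SOA)
    for category, controls in check_soa(soa).items():
        print(f"{category}: {', '.join(controls)}")
    for theme, (applicable, total) in theme_summary(soa).items():
        print(f"{theme} {THEMES[theme][0]}: {applicable}/{total} applicable")
```

Run against a real SoA exported to the same three columns, the "unknown_identifier" list is the quickest test for the renumbering pitfall described later on this page, and "new_control_excluded" gives the internal auditor a short list of justifications to read first.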

Impact on Integrated Management Systems

Organisations that maintain integrated management systems — for example, combining ISO 27001 with ISO 9001, ISO 22301, or ISO 20000 — should note that the 2022 revision aligns more closely with the Harmonised Structure. This actually simplifies integration. The common clauses (context, leadership, planning, support, operation, performance evaluation, improvement) now use more consistent language across standards.

However, the timing of the transition must be coordinated with surveillance and recertification cycles for other standards. Work with your certification body to establish an integrated audit schedule that accommodates the ISO 27001:2022 transition without disrupting other certifications.

Common Pitfalls to Avoid

  • Treating it as a renumbering exercise: Simply remapping old control numbers to new ones misses the intent of the revision. The new controls address real gaps, and the restructured themes encourage a more holistic view of security.
  • Ignoring the attribute taxonomy: While not mandatory, the control attributes (preventive/detective/corrective, CIA properties, cybersecurity concepts) provide a powerful framework for communicating security posture to leadership and for identifying control gaps.
  • Underestimating technology requirements: Controls like A.8.16 (Monitoring Activities), A.8.12 (DLP), and A.8.23 (Web Filtering) may require new tooling. Budget for this early.
  • Neglecting internal auditor training: Internal auditors who are still working from the 2013 checklist will not conduct effective audits against the 2022 version. Invest in retraining.
  • Leaving the SoA to the last minute: The Statement of Applicability is the first document most auditors request. A poorly prepared SoA will set the wrong tone for the entire audit.

How BALTUM Supports Your Transition

BALTUM's international network of auditors and consultants has been supporting organisations through the ISO 27001:2022 transition since the standard was published. Our services include:

  • Gap Analysis: A structured assessment comparing your current ISMS against the 2022 requirements, delivered as a prioritised action plan with effort estimates.
  • SoA Revision Support: Expert guidance on updating your Statement of Applicability, including control mapping, justification drafting, and implementation evidence preparation.
  • Internal Auditor Training: Accredited training programmes that equip your internal audit team to audit against the 2022 control set.
  • Pre-Certification Review: A full readiness assessment conducted by experienced auditors to identify and resolve any remaining nonconformities before your certification body arrives.
  • Recertification Support: For organisations that missed the transition deadline, we provide an accelerated programme to achieve recertification against ISO 27001:2022 as efficiently as possible.

The transition to ISO 27001:2022 is not just a compliance obligation — it is a chance to strengthen your security posture with controls that reflect the modern threat landscape. Whether you are finalising your transition or starting fresh, the sooner you act, the smoother the process will be.