This is a live page which is updated every month with new information as it appears in the public domain. Bookmark this resource page for all the updates on ISO 27001:2022
The Definitive ISO 27001:2022 Resource Page

ISO 27001:2022 Updates: Everything You Need To Know

What are the updates in 2022 to ISO 27001 and ISO 27002? What do these mean for your organisation? How does it affect businesses which are certified or planning to get certified?

  • 93 Controls: reduced from 114 in ISO 27001:2013
  • 4 Themes: controls are now grouped under themes rather than clauses
  • 5 Attributes: controls have 5 attributes for easier categorisation
  • 3 Years: for organisations to transition to ISO 27001:2022

Your guide to transitioning from ISO 27001:2013 to ISO 27001:2022

Everything about ISO 27001:2022 & how to transition from the 2013 version

What are ISO 27001 and ISO 27002?

2022 has been one of the most critical years for global cybersecurity. Services at several centres of the UK’s NHS were affected by a cyber attack on a supplier. One of Australia’s leading medical insurance providers was hit by an attack that compromised intimate personal information of nearly all its customers. 

Ransomware attacks were at an all-time high. And in a first for the industry, the former CISO of a listed company was convicted over the organisation's response to a data breach.

If anyone needed any reminders about handling sensitive information with utmost caution or improving their security operations, this year has definitely taken care of that. 

The information security management standard ISO 27001 and its accompanying ISO 27002 were originally published in 2005, jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

The goal was to enable organisations to implement a stronger cybersecurity framework. This could improve risk management and better protect critical infrastructure and sensitive data. 

ISO 27001 certification demonstrates that a business's information security management system (ISMS) is aligned with global best practice.

Being ISO 27001 certified also lays a foundation for compliance with other legal requirements such as the EU GDPR and the NIS Directive. This is not only important for your business's reputation and credibility; it can also save compliance costs if you are breached and/or attacked.

ISO 27001 defines the requirements for building the foundation of an ISMS (Information Security Management System). ISO 27002 provides guidance and details on the implementation of the Annex A controls.



What are the Business Benefits of being ISO 27001 certified?

Why have there been updates in ISO 27001 and ISO 27002?

ISO 27001 2013 vs. 2022 revision – What has changed?

How do the changes impact my business’s existing certification?

My business is already in the process of applying for ISO 27001:2013. How do the new changes impact me?

Should I hold my application till the certification bodies start giving ISO 27001:2022 certification?

How much time is provided to upgrade/transition our certification from 2013 to 2022?

What should the approach to upgrading to the latest version be?

How can our Virtual Cyber Assistants help you upgrade to the updated version of ISO 27001:2022?

Is there a repository of all important links for the new version of ISO 27001?

What are the Business Benefits of being ISO 27001 certified?

By now you probably have a broad perspective of how beneficial it can be to be ISO 27001 certified. This section offers a closer look at some immediate benefits:

  • You can implement a structured framework for risk management and treatment.
  • You can enjoy a certain peace of mind about the overall security posture of your business.
  • You demonstrate your commitment to cybersecurity to your clients, partners, customers and government.
  • You could avoid being heavily penalised after an attack caused by slipshod security practices.
  • It helps you identify risks in your supply chain and treat them accordingly, so that you are not vulnerable to supply chain attacks, which are rampant these days.
  • It’s a great opportunity to alter the organisational mindset and make everyone understand the importance of cybersecurity. To get certified, you’ll probably need to train your staff in better Incident Response and Ransomware Response.



 

Why have there been updates in ISO 27001 and ISO 27002?


ISO 27001 was first published in 2005 and it was later revised in 2013. The information security management standard has been updated again in 2022. It is now being commonly referred to as ISO 27001:2022. 

First off, let’s address the elephant in the room: why have the standards been updated?

The answer lies pretty much in your news headlines. Just take a look at this list of cyber-attacks in October 2022. You’ll get a pretty good idea of how dangerous the cyber landscape is getting every day.

Cyber criminals are always working on new tactics and techniques to attack your business, your data and your crown jewels. As we shift more and more to the digital world, the threat landscape increases by the minute. Add the anonymity that cryptocurrency offers to ransomware criminals and you have a cybersecurity disaster brewing every day. 

And no, this is not fear mongering - it’s the truth! 

The ISO 27001 standard and its code of practice, ISO 27002, have been updated to address this new, ominous reality. The update is intended to ensure that businesses evolve their cyber postures and update their technologies in step with the escalating information security risks.


 

ISO 27001 2013 vs. 2022 revision – What has changed?

First things first: it is important to note that ISO 27001:2022 is not drastically different from ISO 27001:2013. It is certainly not a complete overhaul. However, some controls have been updated and others merged, so the number of controls has been reduced from 114 to 93 in the new update.

The controls are now also grouped under 4 themes rather than the earlier 14 categories. These themes are People, Technological, Organisational and Physical.

Of course, while the number of controls has decreased from 114, there are some additions too. The new controls are: 
  • Threat intelligence
  • Information security for use of cloud services
  • ICT readiness for business continuity
  • Physical security monitoring
  • Configuration management
  • Information deletion
  • Data masking
  • Data leakage prevention
  • Monitoring activities
  • Web filtering
  • Secure coding
To make the grouping and categorisation of controls easier, the controls have now also been given attributes. The attributes are: 
  • Control type 
  • Operational capabilities 
  • Security domains 
  • Cybersecurity concepts
  • Information security properties


 

How do the changes impact my business’s existing certification?

Don’t worry about implementing the ISO 27001:2022 changes in a rush if you are already certified. ISO and IEC are likely to work with the certification bodies to allow businesses a three-year transition period. During this time, certified organisations can update their management systems and bring them into line with the updated standard.

For organisations that are already ISO 27001:2013 certified, the Statement of Applicability (SoA) is expected to reflect the controls in the 2013 version. You can of course refer to the ISO 27001:2022 updates now; this will help you understand the new controls and plan the implementation of new controls or the modification of existing ones.



My business is already in the process of applying for ISO 27001:2013. How do the new changes impact me? 

Are you already working on getting your ISO 27001:2013 certification? Don’t worry that the work you’ve done so far has been wasted.

In fact, certification bodies are unlikely to issue ISO 27001:2022 certifications for at least 6 months from October 2022. Also, ISO 27001:2013 will not be fully retired for at least three years, so you’re good for now.


 




Should I hold my application till the certification bodies start giving ISO 27001:2022 certification? 

 

No, you should certainly not delay your application process because of the updates to ISO 27001:2013. If you’ve already aligned your business with the guidance of ISO 27001:2013, it’s wise to go ahead and apply for certification.

There are two reasons for this. First, there is little clarity at this stage about when certification against the new version of the standard will begin. Second, waiting at least another 6 months to get certified means you take longer to enjoy the benefits of certification discussed earlier. There is no significant reason to wait at this point.
 

How much time is provided to upgrade/transition our certification from 2013 to 2022?


Organisations which are already certified to the ISO 27001:2013 standard will be given a three-year transition period to upgrade their information security management system. You can upgrade during your upcoming surveillance or re-certification audit.

It is important to keep an eye out for when the new certifications begin; at that point you might want to expedite your transition. Our Virtual Cyber Assistants can help you update or align your security processes to accommodate the new compliance requirements and revised controls quickly and conveniently.

Essentially, there’s no point in rushing to upgrade/transition to the new standard, but it is advisable to start thinking about it immediately. Start evaluating how you can better integrate your security processes with the ISO 27001:2022 standard.

However, on September 29, 2025, all existing ISO 27001 certificates issued under the 2013 revision will expire regardless of the expiration date on the certificate.


 

What should our approach be to upgrading to the latest version?


Simply put, the approach should be methodical and not haphazard. There is still time before the ISO/IEC 27001:2013 standard fully retires.

Start by conducting gap/readiness assessments for your business. Then familiarise yourself with the new controls as well as the categorisation attributes. This will help you focus your implementation efforts better.

Here are the first few steps you’ll have to look at while transitioning:

  1. Conduct a Readiness assessment to deduce the required changes.
  2. Create an implementation plan for plugging the identified gaps.
  3. Review and update your ISMS documents and processes.
  4. Implement new controls or modify the existing controls as needed.
  5. Align your risk assessment & treatment with the modified and/or new implemented controls. 
  6. Update your Statement of Applicability (SoA) to reflect the new and merged controls. The new SoA will most likely be reviewed by all certification bodies at the time of the transition audit.


 

How can our Virtual Cyber Assistants help you upgrade to the updated version of ISO 27001:2022?     


Our Virtual Cyber Assistants can support you at every phase of certification and/or transition. They can:

  • Conduct readiness assessments.
  • Provide recommendations, guidance and support on aligning your cybersecurity posture to ISO 27001:2022 requirements.
  • Create, review and comment on, or review and update your ISMS policies and supporting documentation.
  • Create a risk management framework and support you in conducting risk assessments and defining risk treatment plans.
  • Conduct internal audits before the certification/transition audits to ensure compliance with all requirements.
  • Support you during external audits.

Our Virtual Cybersecurity Experts can also help you maintain your certification and cybersecurity posture by conducting periodic checks and reviews.


 

Useful Links to ISO 27001:2022 Resources

 

Are you looking for help in getting ISO 27001:2022 certified or upgrading to the new version?

Why not find out more about our highly cost-effective, remote Virtual Cyber Assistant and Virtual Cyber Consultant services and see if they fit your requirements?

Find out more about how we are assisting our clients to protect their organisations against cyber-attacks and ransomware attacks and to strengthen their overall cybersecurity posture.