How to Transition to ISO 27001:2022 Successfully
ISO 27001:2022 is now the globally required benchmark for information security management. All certifications and audits in 2025 must align with this standard.
If you’re upgrading from ISO 27001:2013 or starting fresh, understanding the structure, control updates, and required steps is critical.
This guide explains everything you need to manage a successful ISO 27001:2022 transition.
What Has Changed in ISO 27001:2022?
The most substantial update in ISO 27001:2022 involves Annex A, now aligned with ISO/IEC 27002:2022. It introduces streamlined control language, reduces duplication, and responds to today’s digital security demands.
Key revisions include:
- 11 newly introduced controls
- 24 controls consolidated
- 58 revised controls
- 14 legacy categories restructured into 4 domains
This structural change simplifies control mapping, improving relevance and clarity.
Updated Control Categories in ISO 27001:2022
The 2022 edition organises all 93 controls under four domains:
- People (8 controls): Includes remote working, screening, and confidentiality agreements.
- Organisational (37 controls): Covers policies, return of assets, supplier security, and cloud services.
- Technological (34 controls): Addresses encryption, secure coding, monitoring, and information deletion.
- Physical (14 controls): Focuses on building security, access control, and equipment protection.
This restructuring helps organisations align controls with functional responsibilities and reduce implementation complexity.
New Controls in ISO 27001:2022
The 2022 revision adds 11 new controls that address current threat vectors and information environments:
- Threat intelligence
- Information security for cloud services
- ICT readiness for business continuity
- Physical security monitoring
- Monitoring activities
- Web filtering
- Secure coding
- Configuration management
- Information deletion
- Data masking
- Data leakage prevention
These additions provide greater coverage of modern security practices, particularly in cloud-first environments.
ISO 27001:2022 Transition Timeline
The deadline to complete the transition to ISO 27001:2022 is 31 October 2025.
Milestones:
- Until October 2023: Certification audits were allowed against either version.
- After October 2023: Audits must comply with ISO 27001:2022.
- All new certifications since the standard’s publication must meet the 2022 criteria.
Organisations transitioning from the 2013 version should account for additional time to update documentation and undergo a transition audit.
For transition support, see our ISO 27001 checklists and tools.
ISO 27001:2022 Transition Checklist
Use this checklist to plan and execute your ISO 27001:2022 transition:
- Gap Analysis – Compare current ISMS documentation and controls with the ISO 27001:2022 requirements.
- Update the Statement of Applicability (SoA) – Map new controls and justify inclusions or exclusions clearly.
- Review Attributes and Control Purpose – Evaluate how the controls apply to your data classification and business risks.
- Resource Planning – Assign dedicated roles, secure training, and schedule document updates.
- Conduct an Internal Audit – Test compliance and effectiveness before the certification body audit.
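One way to automate the SoA step of the checklist above, as an added example that is not from the original page: a Python check over a constructed SoA fragment that flags missing justifications, domain counts short of the 93-control total, and new 2022 controls the SoA does not address. The control numbers are the ISO/IEC 27002:2022 identifiers, which the page lists only by name; the sample entries and their justification text are constructed for a hypothetical organisation.

```python
from collections import Counter

# Control counts per Annex A domain in ISO 27001:2022 (93 controls in total).
EXPECTED_PER_DOMAIN = {"Organisational": 37, "People": 8, "Physical": 14, "Technological": 34}

# The 11 controls new in the 2022 edition, keyed by their ISO/IEC 27002:2022 number.
NEW_2022_CONTROLS = {
    "5.7": "Threat intelligence", "5.23": "Information security for use of cloud services",
    "5.30": "ICT readiness for business continuity", "7.4": "Physical security monitoring",
    "8.9": "Configuration management", "8.10": "Information deletion", "8.11": "Data masking",
    "8.12": "Data leakage prevention", "8.16": "Monitoring activities", "8.23": "Web filtering",
    "8.28": "Secure coding",
}

# Constructed sample SoA fragment (hypothetical organisation, not a real SoA).
SAMPLE_SOA = [
    {"id": "5.7", "domain": "Organisational", "applicable": True, "justification": "SOC subscribes to vendor threat feeds"},
    {"id": "5.23", "domain": "Organisational", "applicable": True, "justification": ""},
    {"id": "7.4", "domain": "Physical", "applicable": False, "justification": "no self-managed premises; colocation contract covers CCTV"},
    {"id": "8.28", "domain": "Technological", "applicable": True, "justification": "secure SDLC standard, section 4"},
]

def validate_soa(entries):
    """Return findings for an SoA given as dicts with keys id, domain, applicable, justification."""
    findings, seen = [], {}
    for e in entries:
        cid = e["id"]
        if cid in seen:
            findings.append(f"{cid}: duplicate entry")
        seen[cid] = e
        if e["domain"] not in EXPECTED_PER_DOMAIN:
            findings.append(f"{cid}: unknown domain {e['domain']!r}")
        # The SoA must justify inclusions as well as exclusions.
        if not e.get("justification", "").strip():
            findings.append(f"{cid}: {'inclusion' if e['applicable'] else 'exclusion'} has no justification")
    counts = Counter(e["domain"] for e in seen.values())
    for domain, expected in EXPECTED_PER_DOMAIN.items():
        if counts[domain] != expected:
            findings.append(f"{domain}: {counts[domain]} of {expected} controls addressed")
    # Each new 2022 control must be addressed explicitly, even when excluded.
    for cid, name in NEW_2022_CONTROLS.items():
        if cid not in seen:
            findings.append(f"{cid} ({name}): new 2022 control missing from SoA")
    return findings

if __name__ == "__main__":
    for finding in validate_soa(SAMPLE_SOA):
        print(finding)
```

Run against a full 93-row SoA export, a clean result is the goal; the constructed fragment above deliberately produces findings for the unjustified inclusion of 5.23, the short domain counts, and the seven new controls it omits.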
If you’re unsure where to start, you can talk with an expert from our team.
Common Pitfalls in the ISO 27001:2022 Transition
Even experienced organisations face transition issues. Common challenges include:
- Outdated risk assessments
- Delayed documentation updates
- Incomplete justification in the SoA
- Control misalignment due to old templates
- Lack of staff training on new requirements
ISO 27001:2022 demands more than box-ticking. It requires integrated, documented risk management.
Get Help with your ISO 27001:2022 Certification
Sustainable Certification provides comprehensive ISO 27001:2022 support services, including:
- Gap assessments
- Documentation development
- Internal audit preparation
- Staff training
- Alignment with ISO/IEC 27002
For detailed service guidance and pricing, visit our get a quote page.
FAQ
What changed in ISO 27001:2022 compared to ISO 27001:2013?
ISO 27001:2022 introduces 11 new controls, merges 24, and updates 58. The revised Annex A aligns with ISO/IEC 27002:2022. Control categories have been restructured from 14 into 4 domains: People, Organisational, Technological, and Physical. These updates reflect modern security risks and technology practices.
What is the final date to complete the ISO 27001:2022 transition?
All organisations must transition to ISO 27001:2022 by 31 October 2025. Certification audits conducted after that date will only be accepted under the 2022 version of the standard.
Do we need to recertify to meet ISO 27001:2022?
A full recertification is not required. Certification bodies conduct a transition audit to verify compliance with ISO 27001:2022. Organisations must update their Statement of Applicability, documentation, and internal practices before this audit.
How much does it cost to transition to ISO 27001:2022?
Costs vary depending on the size of the business, ISMS maturity, and current compliance level. Typical costs include a gap analysis, document updates, staff training, internal audits, and transition audit support. Sustainable Certification can help you scope the required resources and timelines accurately.
Is ISO 27001:2022 suitable for small businesses?
Yes. ISO 27001:2022 is scalable and effective for small to medium-sized enterprises. Its risk-based structure allows companies to implement controls that align with their context, regulatory exposure, and information security risks, without overextending resources.