Transitioning to ISO 27001:2022: A Guide by TÜV UK

In October 2022, the ISO 27001 standard for Information Security Management Systems got a major update. If your organisation is certified under the 2013 version, you have until October 31, 2025, to transition to the new ISO 27001:2022 standard. This update is more substantial than the previous one and we’re here to help you navigate the changes smoothly.

The digital world is evolving and so are the threats to information security. The new ISO 27001:2022 standard reflects these changes, ensuring that your organisation stays competitive and secure. The update aligns with modern business practices and addresses today’s information security challenges.

1. Management System Clauses: While these have remained largely consistent, there are some important additions:

• Clause 4.2: Now requires you to document how your ISMS meets the needs of interested parties.
• Clause 4.4: You must demonstrate an understanding of your management system processes and their interactions.
• Clause 6.3: Introduces the need for planned changes to your ISMS, using change management processes.
• Clause 8.1: Adds requirements for defining and implementing criteria for processes to ensure consistency.

2. Annex A Controls: This section has seen the most significant changes:

• The number of controls has been reduced from 114 to 93, with some merged and 11 new ones added.
• New controls include Threat Intelligence, Information Security for Cloud Services, Physical Security Monitoring, Information Deletion, Data Masking, Data Leakage Prevention, and Web Filtering.

Here’s a simple, actionable plan to help you transition to ISO 27001:2022:

1. Understand the Changes: Familiarise yourself with the new requirements and controls. Pay special attention to the new clauses and Annex A controls.
2. Conduct a Gap Analysis: Compare your current ISMS with the new standard to identify gaps. This will help you understand what needs to be updated.
3. Develop an Action Plan: Create a timeline to address the gaps. Ensure all necessary updates are completed well before the October 2025 deadline.
4. Engage with Your Certification Body: Schedule assessment visits and confirm resources. Aim to complete your transition a few months ahead of the deadline to avoid any last-minute issues.
5. Stay Proactive: Regularly review and update your risk assessments to incorporate new threat intelligence. This dynamic approach will help you stay compliant and secure.

Transitioning to ISO 27001:2022 might seem daunting, but with the right approach, it can be a smooth process. By understanding the changes, planning effectively, and using available resources, your organisation can successfully transition to the new standard. Remember, the goal is to enhance your information security management system and keep your organisation safe in an ever-evolving digital landscape.

For more information or assistance with your transition, feel free to contact us. We’re here to support you every step of the way.