ISO 27001:2022 Transition Guidance for Clients
NQA is halfway through the transition period for ISO 27001:2022. From 1st May 2024, all initial (new) certifications will be to the ISO 27001:2022 edition, and all recertification audits are also required to be to the 2022 edition.
If you have a recertification audit booked after 1st May 2024, it will be conducted to the 2022 edition and the gap analysis document will need to be completed beforehand.
An overview of the changes
Changes within the body of the ISO 27001 standard have been made to better align it with the harmonised structure for management system standards (i.e. Annex SL).
Of note, changes have been made to the following requirements:
- 4.2 Understanding the needs and expectations of interested parties
- 4.4 Information security management system
- 5.3 Organisational roles, responsibilities and authorities
- 6.2.d Information security objectives and planning to achieve them
- 6.3 Planning of changes
- 9.3.2.c Management review inputs
- The Annex A controls have been regrouped from 14 control objectives into 4 broad themes: Organisational, People, Physical and Technological controls
- The overall number of controls within Annex A is now 93, compared to 114 in the previous edition
- However, several previous controls have been consolidated into broader new controls, and 11 new controls have been added, including:
  - Threat Intelligence
  - Information Security for use of Cloud Services
  - Physical Security Monitoring
  - Configuration Management
  - Information Deletion
  - Data Masking
  - Data Leakage Prevention
  - Web Filtering
  - Secure Coding
Additionally, ISO 27002:2022 identifies 5 control attributes that can be used to categorise controls in different ways:
- Control Type
- Information Security Properties
- Cybersecurity Concepts
- Operational Capabilities
- Security Domains
ISO 27002:2022 also defines a purpose for each individual control to better explain the intent of that control.
Your next steps
In order to ensure that clients are successful with their transition, NQA advises the following steps:
Preparing for your ISO 27001 Transition
- Organisations must transition their management system to the requirements of ISO 27001:2022 before their transition audit is conducted. This includes any documentation changes, evidence of any new or changed process requirements, and a completed gap analysis document, all in place in time for the audit.
- Of note, organisations must conduct an internal audit and a management review covering the new/changed requirements before the NQA transition audit is conducted.
- Organisations may have a transition gap assessment conducted by NQA prior to their official transition audit. This can be carried out in conjunction with an earlier ISO 27001:2013 surveillance audit, or as a stand-alone activity at any other time before the transition audit.
Useful tools and information
We have produced a Gap Guide and a Gap Analysis Tool to help with your transition; please download these documents to learn more and to start your transition.
The other important date for your diary is:
- 31st October 2025 - Transition period ends
Certificates for ISO/IEC 27001:2013 will no longer be valid after this date.
Additional Support
The NQA team is here to support you throughout the transition process. If you have any questions or need any help, we can support you with:
- Pre-Assessment / Gap Analysis - NQA can provide a Pre-Assessment or Gap Analysis of your revised ISMS to determine how well it complies with the requirements of ISO 27001:2022.
- Webinars and blogs - NQA has hosted a number of webinars and published blogs to support your transition. These will continue over the coming months.
- Training - NQA offers a number of transition courses to ensure attendees have all the information they need for a smooth transition in their organisation.
If you have any questions or need to speak to someone regarding your transition, please contact us.