current language
Japan available in the following languages:
or select your TÜV Rheinland region / country website:
TÜV Rheinland employee certifies IT security

ISO/IEC 27001:2022 Information Security Standard Update

Why has ISO/IEC 27001:2013 been updated to ISO/IEC 27001:2022?

ISO/IEC 27001 provides companies with a cybersecurity framework to manage risks and protect against threats. Compliance with this framework helps secure information assets such as financial information, personal data, and intellectual property. That includes information related to an organization’s business and employees, as well as their customers and suppliers.

Cybersecurity should now be at the top of every company agenda. Cyber incidents such as data breaches and ransomware are regularly making headlines. This is exacerbated by global political tensions. In addition, the majority of enterprises now rely on cloud-based infrastructures, and in many countries around one-third of the workforce now works remotely, at least part of the time. As a result of these changes, organizations are required to reassess their risks and countermeasures in a structured way, in the context of their ISMS. Since ISO/IEC 27001:2013 was published in 2013, the changes in ISO/IEC 27001:2022 were necessary to help address the above-mentioned developments.

The ISO/IEC 27001:2022 revision

ISO/IEC 27001:2022 identifies additional controls organizations can select to address many of the risks associated with the modern workplace today. These updates are included in Annex A, where the changes in controls reflect the earlier modifications in ISO/IEC 27002:2022. The results are 11 new controls, and one ISO/IEC 27001:2013 control deletion, with many of the others updated or merged. The transition-related changes can be summarised as shown below:

Annex A ISO/IEC 27001:2013 ISO/IEC 27001:2022
Controls11493
Control categories134
  • Organizational controls
  • People controls
  • Physical controls
  • Technological controls

The title of the ISO/IEC 27001:2022 standard has been updated to reflect the increased focus on cybersecurity and privacy protection. The new version also reflects changes to the workplace and the threat landscape, including those which have arisen due to increased remote working and the use of cloud storage. In addition, five attribute values have been introduced, which can be assigned to each Annex A control, allowing these to be sorted according to the designated attributes. This is intended to enable alignment and interoperability of ISO/IEC 27001:2022 with other cybersecurity best practices, such as the NIST publications.

Furthermore, ISO/IEC 27001:2022 also includes a minor re-alignment with the ISO High Level Structure referenced by other management system standards, such as ISO 9001:2015 and ISO 22301:2019. However, these changes clarify existing requirements, rather than adding significant new ones.

Transition times and timelines

Timeline for ISO/IEC 27001:2022

ISO/IEC 27001:2022 was released in October 2022. The transition timeline is three years. To maintain certification, all ISO/IEC 27001:2013 certificates need to be transitioned to ISO/IEC 27001:2022 before November 1, 2025. The transition audit can be carried out during scheduled audits during the three-year transition period or can be performed as an additional special audit.

The transition should ideally start sooner than later, to ensure completion within the 3-year transition period. This will enable adequate preparation to incorporate the needed changes into the ISMS.

The above statements must take into account two transition milestones, which are detailed below:

May 1, 2024 – All new initial certifications and recertification audits must adhere to ISO/IEC 27001:2022 after this date.

End of October 2025 – Transition period ends, after which ISO/IEC 27001:2013 certificates will no longer be valid.

  • ISO/IEC 27001:2022 transitions completed during surveillance or special audits will require an additional audit time of one day and maintain the existing validity date on certificates.
  • ISO/IEC 27001:2022 transitions completed during recertification audits will require an additional audit time of half a day, and result in certificates being renewed for another three-year period.
  • Additional audit time to assess an ISO/IEC 27001:2022 transition is stated to the International Accreditation (IAF) Forum MD 26:2022 Transition Requirements for ISO/IEC 27001:2022 document. Therefore these requirements apply to all certification bodies accredited by the IAF.

Recommended steps for the ISO/IEC 27001:2022 transition

Steps for the ISO/IEC 27001:2022 transition

How we can support

We can support ISO/IEC 27001:2022 with an initial or a transition audit:

  • ISO/IEC 27001:2022 training, providing an overview of key changes and the transition process.
  • Gap assessments, to provide an indication of how well an ISMS meets the ISO/IEC 27001:2022 requirements.
  • ISO/IEC 27001:2022 audits to transition your certification to the new version of the standard.

Unlocking ISO/IEC 27001:2022. Join our on-demand webinar for insights

Want to know more about ISO/IEC 27001:2022 transition or certification? Please join our on-demand webinar, to learn more about the steps required to achieve ISO/IEC 27001:2022 certification.

ON-DEMAND WEBINAR

ON-DEMAND WEBINAR

ISO/IEC 27001:2022 Revision – Requirements for Information Security, Cybersecurity and Privacy Protection
Watch it now: Register to get the link to the video and presentation!

Related topics

ISO 27001 Information Security

Discover deeper insights into information security, integrated IT security management systems and ISO/IEC 27001 certification on our dedicated page. Dive in now!

Explore more about ISO 27001

Contact

Get in contact with us!

Get in contact with us!