Transition to ISO 27001:2022

May 21st, 2024 Posted in ISO 27001

In October 2022, ISO 27001:2013 was replaced with ISO 27001:2022 following a major restructure of the standard and a raft of updates. You may be wondering how to transition to the new ISO 27001:2022 standard. You’re in the right place: this article explains how to do it, who should transition to ISO 27001:2022, and when you should do it.

Who should transition to the new ISO 27001:2022 standard?

If you are yet to certify to ISO 27001, or are only starting your ISO 27001 journey, then you will, by default, be certifying to the new 2022 standard. However, if your organisation is already certified to ISO 27001:2013, then you will have to transition to the new version by the deadline.

When should you upgrade to 27001:2022?

To maintain your certification, you must upgrade to the revised standard by 31 October 2025. After this date, ISO 27001:2013 certifications will no longer be valid. Whilst you still have time to make the upgrade, we advise you to act sooner rather than later, for the following reasons:

As the digital landscape is constantly changing, the updates to ISO 27001 will help your organisation protect areas and technologies that may not have been widespread, and therefore were not considered at the time the previous edition was published. ISO 27001:2022 now includes specific requirements around the management of cloud services, and their providers, and reinforces the requirements of data protection legislation through a new set of information management controls including data masking and data leakage prevention. The list of key changes is widely available.

Beyond this, certifying to ISO 27001 is fast becoming a necessity for organisations when it comes to securing new business. As a result, accredited, reputable ISO consultancies, like Evalian, are increasingly in demand to provide support to organisations that wish to maintain their ISO 27001 certification by upgrading to the new standard. As the time draws nearer to the deadline, the demand will further increase, meaning longer lead times.

Further to that, the demand on UKAS-accredited Certification Bodies will also increase, meaning it may become difficult to get certified within the timeframe you would like.

Note that you do not need to wait until your recertification audit to upgrade to ISO 27001:2022. It can coincide with one of your surveillance audits or even be a standalone activity.

How long will the transition take?

If you have a robust and mature security control framework already in place, then the upgrade should take days rather than weeks. It is a relatively smooth process if you have the right support, depending on your resources and who you have available internally to help drive the project. Note, however, that the changes required to your ISMS may go beyond policy and procedure amendments and may require technological changes. In this case, the upgrade may take much longer.

How much will the upgrade cost?

Should you decide to engage with a specialised consultancy for support, we would suggest a minimum of 4 days for us to help you amend existing policies and create the new ones required to support the new requirements. This could obviously change depending on the size of your organisation, the level of support you require, your certification scope, and the maturity of your management system.

Certification bodies will typically charge from half to two days in addition to your scheduled surveillance or recertification audit to ensure that the new requirements are being met. This will be a one-off charge: it does not mean that all future audits will be systematically extended by up to 2 days.

Finally, be prepared for internal costs: you will need internal resources to help manage the upgrade, and you may have to invest in additional technology to help meet some of the new requirements.

To learn more about full ISO consultancy costs, read our comprehensive guide to ISO 27001 costs.

Preparing to transition to ISO 27001:2022

In order to start the transition to the new standard, we recommend that you take the time to review all of the amended and new ISO 27001:2022 clauses and controls and determine how these changes will impact your organisation and ISMS.

In most cases, the implementation of the new or amended clauses and controls will require a review of your existing policies and procedures and, potentially, the development of new ones. It is also possible that new software or hardware solutions may need to be implemented in support of the new requirements.

We recommend that you get in touch with your Certification Body sooner rather than later to secure an auditor on a date and at a time that is convenient to you.

Need help to start your upgrade?

Transitioning over to the new standard needn’t be a daunting process. We can support you in your upgrade to the new standard in as little as 4 days (provided you have the right support and resources in place within your organisation; see the information above). Our experienced ISO consultants have successfully transitioned several clients over to the new ISO 27001 standard, and have several more clients in the process of doing so.

MYCOM OSI recently upgraded to ISO 27001:2022 with the support of Evalian’s ISO team:

“The Evalian team’s expertise in all aspects of information security management was evident and incredibly reassuring. They were adept at tailoring their strategies to our specific organisational needs, demonstrating not only their deep understanding of the ISO standards but also an impressive ability to apply them effectively across different business contexts.

It was their guidance and thorough preparation that led us to successfully upgrade to the ISO 27001:2022 certification. The level of detail and diligence they brought to our project was instrumental in enhancing our overall security posture and compliance.”

Ready to start the process of certifying to the new ISO 27001:2022 standard? Get a fast quote from our expert team.

Written by Daniel Djiann

Daniel consults on ISO 27001, ISO 22301, ISO 9001 and business continuity. He has specialised in organisational resilience for much of his career, working as a consultant and in-house for multi-national organisations. He is also Head of our ISO & Business Continuity Practice. He is an ISO 27001 and ISO 22301 Lead Auditor and a Member of the Business Continuity Institute, MBCI.