ISO 27001:2022 Update Guide: Control Changes & Transition Timeline Complete Analysis

In October 2022, ISO/IEC 27001 received its first major revision in nine years (ISO/IEC 27001:2022).
If your organization holds a certificate against the 2013 version, the transition to the 2022 version must be completed by October 31, 2025.
Time is running out.
This article explains what changed in the 2022 version and how to prepare for the transition.
For a complete introduction to ISO 27001, see ISO 27001 Complete Guide.
Update Background and Timeline
Why the Update
ISO 27001:2013 has been in use for 9 years.
During these 9 years, the security threat landscape has changed dramatically:
| 2013 Situation | 2022 Situation |
|---|---|
| Cloud was just starting | Cloud is mainstream |
| Mobile devices not widespread | Remote work is normal |
| Ransomware was rare | Ransomware attacks are rampant |
| Data breaches were occasional | Data breaches are frequent |
| Supply chain attacks were rare | Supply chain attacks are major threats |
The old controls could no longer effectively address new types of threats.
Update Timeline
| Date | Event |
|---|---|
| February 2022 | ISO 27002:2022 released first |
| October 2022 | ISO 27001:2022 officially released |
| 2023 | Accredited certification bodies begin offering 2022 version audits (exact start date varies by body) |
| April 30, 2024 | Last day for initial certification or recertification audits against the 2013 version (IAF MD 26) |
| October 31, 2025 | All remaining 2013 version certificates expire or are withdrawn |
Transition Deadline (October 2025)
This is the most important date: October 31, 2025.
Before this date:
- All 2013 version certificates must be converted to 2022 version
- Or certificates will automatically become invalid
Impact on organizations:
- Customers may no longer recognize your certificate
- Cannot participate in tenders requiring ISO 27001
- Need to go through full certification process again (more expensive)
Recommended timeline:
| Your Current Status | Recommendation |
|---|---|
| Haven't started preparing | Start immediately |
| Certificate expires before October 31, 2025 | The recertification audit will be to the 2022 version anyway (no 2013 recertification has been possible since May 2024); combine the transition with it |
| Certificate expires after October 31, 2025 | You must transition earlier, via a surveillance audit or a separate special audit; otherwise the certificate is withdrawn on October 31, 2025 |
Main Changes to Clause Text
The clause text (Clause 4-10) changes are minor, mainly adjustments and clarifications.
Clause 4-10 Key Adjustments
| Clause | Changes |
|---|---|
| Clause 4.2 | Added requirement that "interested party needs can be addressed through ISMS" |
| Clause 4.4 | Explicitly mentions need to consider "processes and their interactions" |
| Clause 5.3 | Enhanced explanation of "ISMS-related role responsibilities" |
| Clause 6.2 | Objectives planning requires more monitoring capability |
| Clause 6.3 | New: Planning of ISMS changes |
| Clause 7.4 | "How to communicate" requirements more explicit |
| Clause 8.1 | Emphasizes "process criteria" and "change control" |
| Clause 9.3 | Split into 9.3.1-9.3.3; management review input adds "changes in needs and expectations of interested parties" |
| Clause 10 | Subclauses reordered: 10.1 is now Continual improvement and 10.2 Nonconformity and corrective action (content unchanged) |
Key point: The clause text changes mainly simplify and clarify wording; the core framework hasn't changed.
New "Planning for Changes" Requirement
Clause 6.3 is a completely new requirement.
Key content:
When ISMS needs changes, organizations must make changes in a "planned manner."
Items to consider:
- Purpose of the change and potential consequences
- ISMS integrity
- Resource availability
- Allocation of responsibilities and authorities
Plain language: You can't just change things at will; you need planning and assessment before acting.
Enhanced Risk Treatment Explanation
Clause 6.1.3 (information security risk treatment) is worded more clearly, but the mechanism is unchanged.
2022 version wording:
- Risk treatment options are selected on the basis of the risk assessment results
- The organization determines the necessary controls first; Annex A is then used as a cross-check. The 2022 text calls Annex A a list of "possible" controls rather than a "comprehensive" list, and the 2013 control objectives were dropped
- Controls can come from any source, not just Annex A (this was already allowed in 2013). The comparison with Annex A in 6.1.3 c) still applies, so the Statement of Applicability must still state, for every Annex A control, whether it is included and why, or why it is excluded
Meaning: Organizations have explicit freedom to choose controls, as long as they address the assessed risks and the Annex A comparison is documented.
Annex A Control Changes
This is the biggest change in the 2022 version.
Four Theme Reclassification
The 2013 version organized 114 controls into 14 chapters. The 2022 version reclassifies them into 4 major themes.
| Theme | Number of Controls | Coverage |
|---|---|---|
| Organizational Controls | 37 | Policies, roles, assets, access, suppliers |
| People Controls | 8 | Screening, training, awareness, termination |
| Physical Controls | 14 | Physical security, equipment, media |
| Technological Controls | 34 | Authentication, encryption, network, development, monitoring |
| Total | 93 | |
Why this classification?
- More intuitive: Classified by "who is responsible"
- Better management: Four clear lines—organizational, people, physical, technological
- Easier to map to actual work
11 New Controls Detailed
The 2022 version added 11 new controls, reflecting the latest security threats:
| Number | Control | Description |
|---|---|---|
| 5.7 | Threat Intelligence | Proactively collect and analyze security threat information |
| 5.23 | Cloud Services Security | Acquisition, use, management, and exit of cloud services |
| 5.30 | ICT Readiness for Business Continuity | ICT systems supporting business continuity readiness |
| 7.4 | Physical Security Monitoring | Continuous monitoring of sensitive areas |
| 8.9 | Configuration Management | Security configuration management of hardware, software, services |
| 8.10 | Information Deletion | Secure deletion of information, ensuring it cannot be recovered |
| 8.11 | Data Masking | Masking of sensitive data |
| 8.12 | Data Leakage Prevention (DLP) | Measures to prevent sensitive data leakage |
| 8.16 | Monitoring Activities | Monitoring of system activities to detect anomalies |
| 8.23 | Web Filtering | Access filtering for external websites |
| 8.28 | Secure Coding | Security practices in software development |
Key item analysis:
Threat Intelligence (5.7) Not just passive defense—actively understand the latest threats. Example: Subscribe to CERT alerts, participate in security intelligence sharing communities.
Cloud Services Security (5.23) Dedicated controls for cloud usage. Manage from selecting providers, usage management, to exiting cloud services.
Data Leakage Prevention (8.12) DLP tool deployment, monitoring sensitive data flow.
Deleted and Merged Controls
The 2022 version did not drop any 2013 control outright; the reduction from 114 to 93 comes from merging controls with overlapping scope and renumbering the rest.
Merge examples:
| 2013 Version | 2022 Version |
|---|---|
| A.9.1.1 Access control policy | Merged into 5.15 Access control |
| A.9.1.2 Access to networks and network services | |
| A.10.1.1 Policy on the use of cryptographic controls | Merged into 8.24 Use of cryptography |
| A.10.1.2 Key management | |
Not everything that looks related was merged: A.8.2.1 Information classification and A.8.2.2 Information labelling remain separate controls (5.12 and 5.13), just renumbered.
Why merge?
- Reduce duplication
- Simplify management
- Better match practical use
2013 vs 2022 Comparison Table
Due to space limitations, here's a partial important comparison:
| Theme | 2013 Version | 2022 Version |
|---|---|---|
| Access control | A.9 (14 items) | Distributed to organizational + technological controls |
| Cryptography | A.10 (2 items) | 8.24 Use of cryptography |
| Physical security | A.11 (15 items) | Physical controls (14 items) |
| Operations security | A.12 (14 items) | Distributed to technological controls |
| Communications security | A.13 (7 items) | 8.20, 8.21, 8.22 (network controls) and 5.14 Information transfer |
| Supplier relationships | A.15 (5 items) | 5.19-5.22 |
For detailed clause interpretation, see ISO 27001 Clause Detailed Guide.
Not sure which controls need adjustment? Book a gap analysis and let experts help you assess.
Organization Transition Guide
Transition Steps (5 Steps)
Step 1: Understand the Differences
First understand the differences between the 2013 and 2022 versions.
- Read this article (you're already doing it)
- Attend transition seminars
- Obtain ISO 27001:2022 standard document
Step 2: Conduct Gap Analysis
Inventory your current ISMS gaps against 2022 version requirements.
Items to review:
- Clause text correspondence
- Annex A control correspondence
- Statement of Applicability (SoA) updates
- Documentation system adjustment needs
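The control-correspondence part of the gap analysis is mechanical enough to script. The following is an added example, not code from the article: it takes a 2013-numbered Statement of Applicability, rewrites it against 2022 control numbers, flags merged controls whose predecessors had conflicting applicability decisions, lists the 11 new controls that have no 2013 predecessor and therefore need a fresh applicability assessment, and reports 2013 controls it cannot map. The correspondence table in the code is deliberately partial (only the mappings mentioned in this article); a real gap analysis should load the complete correspondence from Annex B of ISO/IEC 27002:2022. The SoA input format and the field names are assumptions for the example.

```python
"""Draft a 2022-numbered Statement of Applicability from a 2013 one.

Added example for the gap-analysis step; not code from the original article.
The correspondence table below is partial (only the mappings this article
mentions). The complete 2013 <-> 2022 correspondence is Annex B of
ISO/IEC 27002:2022 and should replace this table in real use.
"""
from collections import defaultdict

# Partial 2013 -> 2022 correspondence (control numbers only).
MAPPING_2013_TO_2022 = {
    "A.8.2.1": "5.12",   # Classification of information (renumbered)
    "A.8.2.2": "5.13",   # Labelling of information (renumbered)
    "A.9.1.1": "5.15",   # Access control (A.9.1.1 + A.9.1.2 merged)
    "A.9.1.2": "5.15",
    "A.10.1.1": "8.24",  # Use of cryptography (A.10.1.1 + A.10.1.2 merged)
    "A.10.1.2": "8.24",
    "A.13.1.1": "8.20",  # Networks security
    "A.13.1.2": "8.21",  # Security of network services
    "A.13.1.3": "8.22",  # Segregation of networks
    "A.15.1.1": "5.19",  # Information security in supplier relationships
    "A.15.1.2": "5.20",  # Addressing information security within supplier agreements
    "A.15.1.3": "5.21",  # Managing information security in the ICT supply chain
    "A.15.2.1": "5.22",  # Monitoring, review and change management of supplier services (merged)
    "A.15.2.2": "5.22",
}

# The 11 controls new in 2022: no 2013 predecessor, so a 2013 SoA says nothing about them.
NEW_CONTROLS_2022 = ["5.7", "5.23", "5.30", "7.4", "8.9", "8.10", "8.11",
                     "8.12", "8.16", "8.23", "8.28"]


def draft_soa_2022(soa_2013):
    """Return (draft, unmapped).

    soa_2013: {"A.9.1.1": {"applicable": bool, "justification": str}, ...}
              (assumed input format for this example)
    draft:    {"5.15": {"status", "sources", "applicable", "needs_review", "action"}, ...}
    unmapped: 2013 control ids not covered by the partial table above.
    """
    by_target = defaultdict(list)
    unmapped = []
    for old_id in sorted(soa_2013):
        new_id = MAPPING_2013_TO_2022.get(old_id)
        if new_id is None:
            unmapped.append(old_id)
        else:
            by_target[new_id].append(old_id)

    draft = {}
    for new_id, sources in by_target.items():
        flags = {bool(soa_2013[s]["applicable"]) for s in sources}
        merged = len(sources) > 1
        conflict = merged and len(flags) > 1
        draft[new_id] = {
            "status": "merged" if merged else "renumbered",
            "sources": sources,
            # A merged control is applicable if any predecessor was; a mixed
            # set of answers means the old justifications must be reconciled.
            "applicable": any(flags),
            "needs_review": conflict,
            "action": ("reconcile conflicting 2013 justifications" if conflict
                       else "carry over justification; re-read the 27002:2022 guidance"),
        }

    for new_id in NEW_CONTROLS_2022:
        draft[new_id] = {
            "status": "new",
            "sources": [],
            "applicable": None,  # unknown until assessed
            "needs_review": True,
            "action": "assess applicability; if excluded, record the reason in the SoA",
        }
    return draft, unmapped


def open_items(draft):
    """2022 controls that still need a decision before the transition audit."""
    return sorted(c for c, e in draft.items() if e["needs_review"])


if __name__ == "__main__":
    # Constructed sample fragment of a 2013 SoA (not real data).
    sample_2013 = {
        "A.8.2.1": {"applicable": True, "justification": "classification scheme in policy IS-04"},
        "A.9.1.1": {"applicable": True, "justification": "access control policy"},
        "A.9.1.2": {"applicable": False, "justification": "no network services exposed"},
        "A.10.1.1": {"applicable": True, "justification": "cryptography policy"},
        "A.10.1.2": {"applicable": True, "justification": "central key management"},
        "A.9.2.1": {"applicable": True, "justification": "joiner/mover/leaver process"},
    }
    draft, unmapped = draft_soa_2022(sample_2013)
    for cid in sorted(draft):
        e = draft[cid]
        srcs = ",".join(e["sources"]) or "-"
        print(f"{cid:6} {e['status']:10} applicable={e['applicable']!s:5} <- {srcs}: {e['action']}")
    print("unmapped (use the full Annex B table):", unmapped)
    print("open before transition audit:", open_items(draft))
```

The useful output is not the renumbering itself but the two lists at the end: merged controls whose 2013 predecessors were answered differently (in the sample, 5.15 inherits one "applicable" and one "not applicable"), and the new controls that the old SoA simply cannot answer. Both are exactly what an auditor will look for in the updated SoA.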
Step 3: Develop Transition Plan
Based on gap analysis results, create an action plan.
| Item | Content |
|---|---|
| Scope confirmation | Is transition scope the same as original certification |
| Timeline planning | Completion time for each phase |
| Responsibility assignment | Who is responsible for what |
| Resource allocation | How much manpower and budget needed |
Step 4: Implement Improvements
Execute according to plan:
- Update documents (policies, procedures, SOPs)
- Implement new controls
- Update Statement of Applicability
- Conduct training
Step 5: Transition Audit
Apply to certification body for transition audit.
- Can be done together with surveillance audit
- Or apply for separate transition audit
- After passing audit, receive 2022 version certificate
Recommended Transition Timeline
Recommended timeline (mid-sized organization):
| Phase | Duration | Work Content |
|---|---|---|
| Gap analysis | 4-6 weeks | Inventory status, identify gaps |
| Plan development | 2-4 weeks | Plan timeline, allocate resources |
| Document updates | 6-8 weeks | Revise policies, procedures, SoA |
| Control implementation | 8-12 weeks | Implement new controls |
| Internal audit | 2-4 weeks | Verify improvement effectiveness |
| Transition audit | 2-4 weeks | Certification body audit |
| Total | 6-9 months | |
Transition Budget Planning
Transition costs are lower than initial certification, but budget is still needed.
| Cost Item | Cost Range | Notes |
|---|---|---|
| Consulting guidance | $3,000-10,000 | If external assistance needed |
| Employee time | Internal cost | Document updates, training, etc. |
| Audit fees | 70-100% of original audit fee | Depends on audit method |
| Tools/systems | $0-6,000 | If new tools needed (e.g., DLP) |
Cost-saving tips:
- Transition during surveillance or recertification audit (save one audit fee)
- Self-prepare to reduce consultant dependency
- Prioritize essential items, improve others gradually
For detailed cost estimates, see ISO 27001 Implementation Cost Guide.
Common Transition Questions
Q1: Is a transition audit mandatory?
Yes. A transition audit by a certification body is required to receive the 2022 version certificate.
Q2: Can I skip the surveillance audit and transition directly?
Surveillance audits cannot be skipped; they are what keep the existing certificate valid. What you can choose is where the transition audit happens: combined with a scheduled surveillance or recertification audit (usually the most cost-effective option), or as a separate special audit if the schedule does not fit. Confirm the option and the additional audit time with your certification body.
Q3: Must all 11 new controls be implemented?
Not necessarily. Each control needs applicability assessment; if not applicable, explain the reason in the SoA.
Q4: Do I need cloud security controls if I have no cloud services?
If your company doesn't use any cloud services at all, you can mark it as "not applicable," but this is rare in modern organizations.
ISO 27002:2022 Supporting Update
Relationship Between 27002 and 27001
Many people confuse these two standards.
| Item | ISO 27001 | ISO 27002 |
|---|---|---|
| Nature | Requirements standard | Guidance standard |
| Certifiable | Yes | No |
| Content | ISMS framework + control list | Control implementation guidance |
| Pages | About 30 | About 150 |
Simply put:
- ISO 27001 tells you "what to do"
- ISO 27002 tells you "how to do it"
For more comparisons, see ISO 27001 vs 27002 Comparison.
27002 Update Highlights
ISO 27002:2022 was released in February 2022 (8 months before 27001).
Main changes:
- Control attribute tags
  Each control carries attribute tags (hashtag-style values) for filtering and classification:
  - Control type: Preventive, Detective, Corrective
  - Information security properties: Confidentiality, Integrity, Availability
  - Cybersecurity concepts: Identify, Protect, Detect, Respond, Recover
  - Operational capabilities: Governance, Asset management, Information protection, etc.
  - Security domains: Governance and ecosystem, Protection, Defence, Resilience
- Updated implementation guidance
  Each control now follows a fixed structure:
  - Control statement
  - Purpose
  - Guidance
  - Other information
- Complete explanation of the new controls
  The 11 new controls have full implementation guidance in 27002.
How to Use Together
Practical recommendations:
- Planning phase
  - Use ISO 27001 as the framework
  - Reference ISO 27002 to understand each control's intent
- Implementation phase
  - Use the ISO 27002 guidance to design the specific measures
  - No need to copy it verbatim; adapt it to your organization's situation
- Audit phase
  - The audit criteria are ISO 27001 (including Annex A)
  - Auditors use 27002 as a reference to judge whether your implementation is reasonable
FAQ: Common Update Questions
Q1: When does ISO 27001:2022 become mandatory?
After October 31, 2025, all remaining 2013 version certificates expire or are withdrawn. Until then an existing 2013 certificate stays valid, but since May 1, 2024 certification bodies no longer perform initial certification or recertification audits to the 2013 version, so any new or renewal audit is already against the 2022 version.
Q2: How long does a transition audit take?
Depends on organization size:
- Small/medium organizations: 1-2 days
- Large organizations: 2-4 days
Usually shorter than initial certification.
Q3: Controls went from 114 to 93—did it get easier?
No. Controls were "merged" not "deleted," and 11 new ones were added. Actual work may increase.
Q4: Can I go directly for 2022 version without 2013 certificate?
Yes. If you're newly implementing, go directly for 2022 version; no need to get 2013 first.
Q5: Is 2022 version friendly to small organizations?
Some improvements:
- More intuitive control classification
- Clearer clause wording
- But new controls may increase burden
Next Steps
The October 2025 transition deadline is approaching.
If you haven't started preparing, now is the best time.
Book a transition consultation to help you conduct gap analysis and plan your transition timeline.
Further Reading
- For complete standard introduction, see ISO 27001 Complete Guide
- For detailed clause interpretation, see ISO 27001 Clause Detailed Guide
- For 27002 comparison, see ISO 27001 vs 27002 Comparison
- For transition cost assessment, see ISO 27001 Implementation Cost Guide