ISO 27001 is a globally recognised standard for information security management systems (ISMS). It is designed to help organisations manage and protect their sensitive information. The previous version, ISO 27001:2013, has been superseded by ISO 27001:2022, which was published in October 2022.

If you hold an existing ISO 27001:2013 certificate, you need to transition to the new ISO 27001:2022 standard by September 2025.

What are the main changes in ISO 27001:2022?

  • Continued emphasis on risk management. You are still required to identify, analyse and evaluate information security risks (clause 6.1) and to treat them through a documented risk treatment plan that is consistent with your business objectives and the context in which you operate. What changes is the set of controls you compare your risk treatment against.
  • A revised set of information security controls. Annex A has been restructured from 114 controls in 14 sections into 93 controls grouped into four themes (organisational, people, physical and technological), 11 of which are new. You will need to map your existing Statement of Applicability onto the new control set and select the controls appropriate to your specific risks.
  • Closer alignment with other ISO management system standards. The 2022 edition follows the same harmonised high-level structure as ISO 9001 (quality), ISO 14001 (environmental) and ISO 45001 (occupational health and safety), making it easier to integrate your ISMS with those management systems.
  • Minor changes to the management system clauses. These include a new requirement to plan changes to the ISMS (clause 6.3) and to state which requirements of interested parties are addressed through the ISMS (clause 4.2). They are small, but your certification body will expect to see them addressed at transition.
  • More focus on outsourcing and cloud computing. Many organisations now outsource IT services or move them to the cloud, and the new Annex A includes a dedicated control for information security in the use of cloud services alongside the existing supplier relationship controls. You will need to show how the risks of these arrangements are assessed and managed and that sensitive information remains protected.

The transition process for ISO 27001:2022 depends on whether your organisation is already certified to ISO 27001:2013 or is implementing the standard for the first time. The following general guidelines apply to an existing certificate holder:

What is the transition process?

  • Familiarise yourself with the changes. Review the new requirements of ISO 27001:2022, including the restructured Annex A, and assess how they differ from the 2013 version.
  • Conduct a gap analysis to identify any areas where your current ISMS does not meet the new requirements. This gives you a plan for closing the gaps and implementing the new requirements.
  • Update your ISMS to incorporate the new requirements. This typically involves revising your risk assessment and risk treatment plan, re-issuing the Statement of Applicability against the new control set, updating policies, procedures and other documentation, and implementing any new controls.
  • Provide training to all relevant personnel so that they understand the changes to the standard and how they affect their roles and responsibilities.
  • Once the new requirements are implemented, arrange for your certification body to audit the updated ISMS and issue a certificate to ISO 27001:2022. This can usually be done at your next scheduled surveillance or recertification audit, or as a separate transition audit.

In conclusion, ISO 27001:2022 brings meaningful changes to how an ISMS is structured and certified. It keeps the risk-based approach, replaces the Annex A control set with 93 controls in four themes, aligns more closely with other ISO management system standards, adds small but auditable changes to the management system clauses, and gives more attention to outsourcing and cloud computing. Organisations should plan their transition early so that they can continue to manage their information security risks and protect their sensitive information without a gap in certification.

If you are unsure about any of this, would like more information, or would like help implementing or transitioning to the 2022 version, please get in touch and our team of ISO 27001 auditors and consultants can help.