A Guide to Transitioning to ISO 27001:2022

ISO/IEC 27001 and ISO/IEC 27002 were both updated in 2022. Their previous editions were published in 2013.

In the intervening nine years, the world of cybersecurity changed dramatically. Mobile device usage exploded, especially in terms of BYOD [bring your own device], as did remote working.

Both fuel arguably one of the biggest changes – and challenges – in cybersecurity: Cloud uptake.

Naturally, the modern ISMS (information security management system) must account for such changes – which is why we desperately needed the updates to both standards.

In this blog

  • Key changes to ISO 27001
  • The new controls in Annex A
  • What links ISO 27001’s Annex A and ISO 27002
  • The attributes in ISO 27002:2022
  • How to start transitioning
  • Key transition dates

What has changed in ISO 27001:2022?

ISO 27001 is broadly divided into two parts:

  1. The main ISMS requirements: Clauses 4–10
  2. A reference control set: Annex A

Clauses 4–10 saw only minor changes, largely to align ISO 27001 with other recent ISO management system standards.

However, Annex A was completely overhauled. This reflects the significant changes made to ISO 27002:2022, which was published before ISO 27001:2022 (February vs October 2022).

What is the link between Annex A and ISO 27002?

ISO 27002 sets out an internationally recognized control set, along with guidance on how to implement those controls.

Annex A of ISO 27001 captures the names of the controls in ISO 27002, and provides them as a reference control set around which you build an SoA (Statement of Applicability).

Organizations implementing ISO 27001 don’t have to use the Annex A controls. However, if you use a different control set, you must map those controls against Annex A in your SoA. That gives auditors a clear point of reference.

The key thing is to implement the controls for one of the following reasons:

  • It’s necessary as part of a risk response
  • To meet the requirement(s) of an interested party

If you exclude any controls from Annex A, you must document justifications for doing so.

What’s new in Annex A?

Annex A in ISO 27001:2022 is structured differently compared to the 2013 version.

Previously, the Standard grouped the Annex A controls around 14 control objectives, each reflecting an area of security, for example:

  • Access control
  • Asset management
  • Information security policies

The 2022 version of Annex A groups the controls into four themes to reflect more widely understood information security domains:

  1. People
  2. Physical
  3. Technological
  4. Organizational

Now, Annex A also contains fewer controls: 93, not 114.

This is largely because many 2013 controls have been merged. That said, the 2022 Standard also introduced 11 new controls.

What are the new Annex A controls?

Annex A contains the following new controls:

  • Web filtering
  • Data masking
  • Secure coding
  • Threat intelligence
  • Information deletion
  • Monitoring activities
  • Data leakage prevention
  • Configuration management
  • Physical security monitoring
  • ICT readiness for business continuity
  • Information security for use of Cloud services

Note that, while Annex B of ISO 27002:2022 marks these as ‘new,’ many link to controls from the 2013 control set. We point out these links, and much more, in this free green paper:

Free PDF download: ISO 27001 and ISO 27002 – Transitioning to the 2022 standards

  • An overview of the key changes to both ISO 27001:2022 and ISO 27002:2022
  • Explanations of the new controls and noteworthy merged controls
  • Explanations of the ISO 27002 attributes
  • A transitioning checklist
  • And more

What are the ‘attributes’ in ISO 27002:2022?

Another big change in ISO 27002:2022 is the introduction of five ‘attributes’:

  1. Control type
  2. Security domains
  3. Cybersecurity concepts
  4. Operational capabilities
  5. Information security properties

These help identify how to apply the Annex A controls effectively. Among other things, they look at:

  • How a control modifies a risk – preventive, detective, and/or corrective
  • The information security characteristic it’s trying to preserve: confidentiality, integrity, and/or availability
  • Which stage of cyber defense in depth the control falls into: identify, protect, detect, respond, and/or recover

How do I start my transition?

An excellent place to start is with a gap analysis. This is, in effect, an audit of your current ISMS against the requirements of ISO 27001:2022 to identify all non-compliant areas.

Transition plan

From there, you can create a transition plan. Among other things, this sets who is responsible for each aspect of each change you must make to your ISMS.

We’re emphasizing ‘each aspect of each change,’ as it’s important not to overlook details like:

  • Updating all your documentation
  • Providing transition training to all relevant staff

Transition training

Here’s what Alan Calder, ISO 27001 pioneer and Group CEO, had to say on the matter:

A key ISO 27001 requirement is that those doing work within the ISMS must be appropriately qualified to do so [in the Standard’s language, “competent”].

Relying on existing qualifications, based on the 2013 Standard, will automatically trigger nonconformities during an audit. So, make sure all your practitioners and auditors take and pass a transition exam that qualifies them to work with the 2022 Standard.

You’ll also need to update your staff awareness training in line with ISO 27001:2022.

Risk assessment

Next, review your risk assessment. If you’re using ISO 27005 for guidance, bear in mind this standard was also updated in 2022.

As you review your assessment, consider the applicability of the Annex A controls. Again, you can select controls from any appropriate source – just make sure they’ll achieve your risk management objectives – but you must then map those controls against the ones in Annex A.

After establishing your new controls, make sure you update your SoA and risk treatment plan.

What is the transition period for ISO 27001:2022?

The deadline to transition is October 31, 2025 – so, a three-year transition period.

We’re almost halfway through that period. At this stage, certification bodies have already ceased offering recertification to the 2013 Standard. This means that organizations due to recertify between now and October 31, 2025 must make the transition now.

As Alan Calder pointed out:

Some 60,000 organizations worldwide are yet to transition. Avoiding eleventh-hour disasters requires a strategic approach: Certification bodies won’t be able to accommodate a last-minute flood of recertifications.

That means that many organizations will, at the end of October 2025, find themselves out on a limb if they don’t plan.

Looking to effortlessly select Annex A controls?

CyberComply allows you to automate, review, and repeat risk assessments.

Reduce the time spent on risk assessments by up to 80%, and automate the creation of key documents for an ISMS, including the SoA.

Take advantage of CyberComply’s built-in library of controls to treat risks.

We originally published a version of this blog in November 2022.