
In October 2022, a new version of ISO 27001 was published, following the February 2022 update of ISO 27002. These updates significantly change the structure and focus of Annex A: the number of controls is reduced from 114 to 93, the controls are reorganised under four new themes (organisational, people, physical and technological), and 11 entirely new controls are introduced. Organisations certified to ISO 27001:2013 are required to transition to ISO 27001:2022 within a three-year period from publication, with the transition deadline set at 31 October 2025. To support this transition, we have outlined five clear steps to help organisations navigate the change effectively and ensure continued compliance.

Step 1: Understand the Changes to ISO 27001

In February 2022, ISO 27002 - the best-practice guidance for selecting and implementing controls - was updated to reflect the evolving cybersecurity landscape. A revised version of ISO 27001, whose Annex A now mirrors the new ISO 27002 control set, was published in October 2022.
Organisations certified to ISO 27001:2013 have a three-year window from that publication date to complete the transition.

To fully grasp what has changed, organisations should begin by reviewing the updated control structure and Annex A requirements, including the new controls and the mapping from the 2013 controls to their 2022 equivalents. LRQA's ISO 27001:2022 toolkit can help you explore the changes in detail and prepare for the transition.

Step 2: Revisit Your Risk Assessment and Identify Gaps

The next step involves conducting a comprehensive gap analysis of your existing information security management system (ISMS). This includes reviewing how your risk assessment and Statement of Applicability align with the new control themes and structure, and whether they still reflect your organisation's current risk appetite.

If you prefer expert support, LRQA offers dedicated gap analysis services. Alternatively, you can use the toolkit to self-assess your readiness and identify priority areas for remediation.

Step 3: Implement the Required Changes 

Once gaps are identified, implement the required updates to your controls, policies, Statement of Applicability and wider ISMS documentation. These changes should be validated through an internal audit and a management review to confirm they meet the intent and requirements of ISO 27001:2022.

Ensure all updates are in place before scheduling your certification audit to avoid any non-conformities or delays during the transition.

Step 4: Schedule Your Transition Audit

Organisations should coordinate with their LRQA account team to book a transition audit. This can be done as a standalone visit or aligned with your existing surveillance or recertification audit calendar. Early scheduling helps ensure availability and provides ample time to resolve any findings before the deadline.

Step 5: Complete the Audit and Address Any Findings

During the transition audit, LRQA will assess your ISMS against the ISO 27001:2022 requirements. The audit focuses particularly on how you have adopted the revised Annex A controls, whether your risk assessment and Statement of Applicability reflect them, and whether they are implemented effectively.

Following the audit, any non-conformities and other findings will be outlined in a detailed report. Once the non-conformities have been resolved and the corrective actions accepted, your certificate to ISO 27001:2022 will be issued.

Download this guide to learn about the five steps your organisation can take to successfully transition to the new standard, as well as information on how LRQA can support you, including our training and audit services.

Achieving certification is an important milestone, but maintaining an effective ISMS requires ongoing effort. Organisations are encouraged to promote their certification to stakeholders and to focus on continual improvement through regular internal audits and management reviews, and by keeping their risk assessment current with new threat intelligence.

LRQA Services to Support Your Transition 

LRQA offers a full range of services to support your move to ISO 27001:2022: 

  • Training – Courses for all experience levels, delivered via multiple learning styles 
  • Gap Analysis – Identify high-risk or non-compliant areas before your transition audit 
  • Transition Audit – Conducted in line with the 2022 standard, with a focus on Annex A controls 
  • Integrated Audits – For organisations operating more than one management system, integrated audits offer a streamlined, cost-effective approach to certification and ongoing surveillance