On 31 October 2025 the 2022 edition of ISO 27001 will supersede the previous versions and you’ll need to prove your compliance to the updated Standard.
Right now, October 2025 seems like a long way off, but you should make use of that time to make the necessary updates to get your organisation compliant, without a last-minute rush.
The changes in a nutshell
Importantly, the foundations of the Standard (established in the 2013 version) remain intact. There are still 11 clauses, but the controls have dropped from 114 to 93, and the number of sections in Annex A has also dropped from 14 to 4. It sounds like things are a bit simpler, so compliance should be a breeze, right?
You definitely won’t need to re-invent the wheel (and we do our best to avoid unnecessary work where we can, because it’s better for everyone), but you will need to review your documentation and ensure it aligns with the updated controls. Especially the 11 new controls, which are:
- Web filtering
- Threat intelligence
- Secure coding
- Monitoring activities
- Data masking
- Configuration management
- Data leakage prevention
- Physical security monitoring
- Information security for the use of cloud services
- ICT readiness for business continuity
- Information deletion.
The certification process
When it comes to the certification process, nothing has changed, including the requirements related to documentation, monitoring, measurement, analysis and evaluation. However, certification bodies must stop offering re-certification to the 2013 edition by 30 April 2024, so even though that is before the official deadline in 2025, you may need to comply with the 2022 edition much earlier than you thought.
Overcoming common challenges with certification and recertification
Accommodating these changes and integrating them into your organisation’s existing practices can pose challenges, but there are some things you can do to mitigate any potential issues:
Conduct a gap analysis and impact assessment early.
This will enable you to identify gaps between your current ISMS and the new requirements, and allow you time to fully understand the new changes and update your processes well before October 2025.
Provide training and awareness sessions to the team.
Getting an understanding of the changes to the standard will prepare your staff for the upcoming changes to your processes, and any new policies that will be implemented.
Develop a project plan and a timeline.
The transition doesn’t need to be difficult: a project plan will help you stay organised and ensure you achieve certification to the new standard by the deadline.
Focus on enhancing your ISMS rather than building from scratch.
There is no point re-inventing the wheel; we recommend updating your current processes, documentation and policies to reflect the new version where possible.
Our experts can make your certification easy
Our consultants are ISO 27001 experts and their job is to make your certification process stress-free. The re-certification process can be time-consuming, but working with our team will give you peace of mind that your ISO 27001 certification is on track, giving you the bandwidth to focus on your other priorities. Let’s talk about how we can help you.