
Transitioning to ISO 27001:2022: What this means for your business

Information Security Consultant, Yomi Ogundairo, shares why the transition from ISO 27001:2013 matters, what the key changes are, and how your business can plan and prepare to stay compliant. 

Megan Thomas

Back in 2023, we highlighted that the mandatory transition from ISO 27001:2013 to ISO 27001:2022 was going to come around quickly. But, in a world of competing priorities, we know it’s difficult to make information security top of the pile. If you still have some work to do, PGI’s ISO 27001 experts are here to guide you through this change with practical, expert-led support tailored to your needs.

Why the transition deadline matters

As a quick recap, if your organisation is currently certified to ISO 27001:2013, you have until 31 October 2025 to make the switch to ISO 27001:2022. That might sound like plenty of time, but the transition process can take several months depending on the size and complexity of your ISMS.

What's new in ISO 27001:2022?

While the foundational structure of ISO 27001 stays the same, the 2022 revision brings a few important updates. These reflect changes in the way businesses operate today, and the growing need to protect data across increasingly digital, decentralised environments.

Here are the key elements that have changed:

Annex A Control restructure
  • The number of controls has been reduced from 114 to 93.
  • These are now grouped into 4 themes: Organisational, People, Physical, and Technological.
  • Several new controls have been introduced, including:
    • Threat intelligence
    • Data masking
    • ICT readiness for business continuity
    • Physical security monitoring
    • Secure coding
Modernised language and focus
  • Terminology and phrasing have been updated for clarity.
  • Increased focus on cloud security, remote working, and supply chain risks.
  • Better alignment with other ISO standards like ISO 9001 and ISO 22301.
Enhanced performance and risk management
  • Stronger emphasis on risk treatment planning
  • More detailed guidance around performance evaluation and continual improvement

As an Information Security consultant, I believe these changes are a step in the right direction. They reflect a better alignment with today’s threat landscape and the way modern organisations actually operate, especially when it comes to supply chain security, which has become one of the most critical risk areas in recent years. The streamlined controls are a win for implementation efficiency, which saves time and, importantly, money.

How PGI can support your transition to ISO 27001:2022

Transitioning to ISO 27001:2022 is not just about ticking boxes; it’s about understanding how the changes impact your organisation and ensuring your ISMS remains effective and future-proof (and, importantly, useful for your organisation, because ISO 27001 should work for you, not the other way around).

Here’s how we can help:

  • Gap analysis: We will review your existing ISMS against the 2022 standard and highlight areas that need attention.
  • Transition planning: We will work with you to create a practical roadmap that aligns with your business goals and timelines.
  • Policy and control updates: We help you revise or introduce new controls, update documentation, and ensure processes reflect the updated requirements.
  • Training and awareness: We provide targeted training to ensure your teams are prepared and engaged, regardless of seniority.
  • Audit readiness: Ahead of your certification audit, we will conduct a readiness review to ensure everything is in place, giving you confidence when it matters most.

Why work with PGI?

At PGI, we don't just tick off a checklist. We combine deep technical knowledge with a clear understanding of business priorities. Our team includes experienced ISO 27001 Lead Auditors and Implementers, and we have supported organisations across critical sectors including Finance, Defence, Government, and Tech.

Start planning your transition to ISO 27001:2022 today

With the 31 October 2025 deadline fast approaching, now is the time to act. Whether you are looking for a light-touch advisory service or hands-on implementation support, we’re ready to help.

Get in touch with us today to get started.