Everything you need to know about the transition to ISO 27001:2022 

On Tuesday, 25th October 2022, ISO released the updated ISO 27001:2022 Information Security Standard. With this update, organisations currently certified under ISO 27001:2013 will need to take action to transition to the new standard by 31st October 2025; otherwise, their certification will become invalid after that date.

As part of the transition to the new standard, a transition audit must be undertaken by your certification body. The deadline for this transition audit to be completed is 31st July 2025. Therefore, it is imperative not to delay reviewing what you need to do to successfully transition to the 2022 standard and remain ISO 27001 certified.  

In this blog, we’ll cover what the recent changes mean for your organisation, why you should prioritise this transition, and how to ensure your certification remains valid. 

What is ISO 27001? 

ISO 27001 is a globally recognised standard that outlines the requirements for an information security management system (ISMS). It provides a systematic approach to managing sensitive company information, ensuring that your organisation is equipped to handle data securely and mitigate risks related to cybersecurity threats.  

What you need to do if you hold ISO 27001:2013 certification 

If your organisation is currently certified under ISO 27001:2013, there are specific steps you need to take to maintain your certification: 

  • Understand the changes: Some controls have been removed, others have been merged, and new ones have been added; Annex A has also been completely restructured. You may need to train your staff on the changes so that they can be addressed.
  • Conduct a gap analysis: You should compare your current ISMS with the new requirements to identify the gaps and actions you need to take to meet the new standard.  
  • Update your ISMS: Make the necessary identified changes to your ISMS.  
  • Complete an internal audit: Run an internal audit to verify that the changes you have made now align with the 2022 requirements.  
  • Complete the transition audit: Your certification body must conduct a transition audit before 31st July 2025 to verify that your ISMS meets the new requirements of ISO 27001:2022. The transition audit can take place during a surveillance audit, a recertification audit, or as a stand-alone assessment. Keep in mind that this will generally require additional audit time to complete. 

Why should you prioritise this transition? 

Transitioning to ISO 27001:2022 is more than just a compliance exercise; it’s an opportunity to enhance your organisation’s information security posture. As cyber threats become increasingly complex, the updated standard provides a framework that is better suited to address modern risks. This transition will not only help protect your data but also strengthen your credibility with clients and partners by demonstrating your commitment to the highest standards of information security. 

Adopting the latest version of ISO 27001 will also make it easier to align with other evolving data protection regulations, giving your organisation a head start in meeting future compliance requirements. Staying up-to-date with ISO standards is a strategic advantage that sets you apart from competitors who may not prioritise their cybersecurity measures. 

How can ramsac help? 

Transitioning to ISO 27001:2022 is a critical step for organisations looking to stay ahead in today’s data-driven world. By understanding and preparing for these changes now, you can ensure your organisation continues to meet the highest standards of information security. 

ramsac can assist you at all stages of transition, from reviewing your existing ISMS and performing a gap analysis, to helping you with the internal audit ahead of your certification body’s transition audit. If you need assistance navigating this transition, just get in touch with us at ramsac—we’re here to guide you through every step of the process. 
