Transitioning to the new ISO27001:2022

The new version of ISO27001 replaces the current ISO27001:2013. Find everything you need to know about the update below.

What has changed? 

The update includes a small number of technical fixes to the standard and the replacement of Annex A with the list of controls from the new ISO27001. The changes are only moderate and have been made primarily to simplify implementation.

ISO 27001:2022 key updates  

  • The main part of ISO 27001 (clauses 4 to 10) has not changed
  • Only the security controls listed in ISO 27001 Annex A have been updated
  • The number of controls has decreased from 114 to 93
  • Controls are now placed in four sections instead of the previous 14
  • There are 11 new controls (none of the previous controls were deleted, but many were merged)
  • Changes in ISO 27001:2022 Annex A will be fully aligned with changes in ISO 27002:2022

What do I need to do? 

As the changes are only moderate, we recommend avoiding adding new documents or deleting your existing documents.

The best way to comply with these changes is to:

  • Update your risk treatment process with new controls
  • Update your Statement of Applicability
  • Adapt relevant sections in your existing policies and procedures
  • Conduct a management review to ensure all areas are covered
  • Review your internal audits to confirm all new controls have been considered

Get support for your ISO27001 transition

Whatever the size of your organisation or industry, our team of governance, risk, and compliance specialists works with you to ensure a smooth transition to the new ISO27001:2022. We help you create a robust ISMS in line with the new ISO27001:2022 and identify any gaps in your existing ISMS.

Arrange your free consultation with us today.

Tracey Hannan-Jones

Tracey is Phoenix's Lead GRC Consultant, with over 25 years' experience across Technical Information Security, Data Governance, and Compliance and Auditing.
