Please ensure Javascript is enabled for purposes of website accessibility

ISO 27001:2022 Transition Information Guide and FAQs

Section 1 – Transition requirements

Section 2 – FAQs

Section 1

Why has it been decided to issue a new version of ISO 27001?

Management system standards are reviewed as a minimum on a 5 yearly basis to ensure they remain relevant and up to date with business needs and challenges. For information security management systems, technology is a rapidly changing area and so are the threats, and as such, the minimum controls needed for security, cybersecurity and privacy also need to evolve to remain current.

What are the main differences in content between the old and new version?

 Summary of main changes in clauses:

  • 2c Additional requirement. This requires the definition of which interested party requirements will be addressed through the information security management system.
  • 4 Information security management system – This new clause requires that processes and ‘their interactions’ are identified, aligning with ISO 27001.
  • 1.3 Annex A contains a list of possible rather than comprehensive list of controls – organisations will need to consider if there are additional controls required.
  • 2 Information Security objectives – Objectives must be documented, available and monitored. 
  • 3 Planning of changes – changes to the ISMS must be planned and such planning is to be documented.
  • 1 Operational planning and control – It is now explicitly stated that outsourced ‘products and services’ must be covered as well as processes. 
  • 1 Monitoring, measurement, analysis and evaluation – Methods to evaluate and monitor your controls should produce comparable and reproducible results. 
  • 3 Management review – management review must now consider the needs and expectations of interested parties. 

 Summary of main changes in Annex A Controls:

  • The number of controls has decreased from 114 to 93.
  • Decreased sections from 14 to 4.

The new sections within Annex A are:

5 – Organisational controls

6 – People controls

7 – Physical controls

8 – Technological controls

  • 24 controls have been merged.
  • 58 controls have been updated.
  • 11 new controls have been added.

The new controls within Annex A are:

       5.7 – Threat intelligence

       5.23 – Information security for use of cloud services

       5.30 – ICT readiness for business continuity

       7.4 – Physical security monitoring

       8.9 – Configuration management

       8.10 – Information deletion

8.11 – Data masking

8.12 – Data leakage prevention

8.16 – Monitoring activities

8.23 – Web Filtering

8.28 – Secure coding

 Important Note: - there are other changes within the wording of ISO 27001:2022 within the clauses and the controls which may impact the compliance of an organisation’s ISMS. Organisations seeking to transition are required to undertake their own gap analysis and address changes as applicable. Please see section below on ‘What will a transition audit include’.


Important Transition dates and deadlines

There are a few dates that organisations need to note in relation to certification to ISO 27001:2022.

  • New ISO 27001 Certificates: From 30th April 2024 (18 months after the publication of ISO 27001:2022) all initial certifications are to be completed against the ISO 27001:2022 version. The initial audit will follow initial audit processes.
  • Existing ISO 27001:2017 certificates: By 31st October 2025 (3 years after publication of ISO 27001:2022) all organisations must have completed the transition to the updated version ISO 27001 and hold an updated certificate. All ISO 27001:2017 certificates will have an expiry date no later than 31st October 2025.


How to transition to ISO 27001:2022

Organisations that currently hold a valid ISO27001:2017 certificate with Centre for Assessment will be required to have a transition audit to update their certificate. It has been determined by the International Accreditation Forum (IAF) that additional audit time will be required to effectively assess a client’s management system against the new/changed requirements of the new standard. The transition duration will be based on size and complexity, and will also depend on the transition option chosen, please see below. The actual time required will be confirmed in writing prior to your transition audit.

Please note, major non-conformances found at a transition audit may result in the need for further audit time in a follow up audit. This will be confirmed at the time.

To support our clients and ensure a smooth transition, Centre for Assessment have made the 2 following options available to all existing ISO27001:2017 certificate holders.

The transition audit options are as follows:

Option 1:

A standalone transition audit – this is an additional assessment activity which is separate from the ongoing maintenance of the existing approval. The standalone transition visit can be conducted at any time and does not need to be linked to a scheduled visit.

Option 2:

Transition at an existing scheduled audit e.g. surveillance or recertification – transition can be undertaken at the same time as a scheduled audit. It must still be regarded as an additional audit activity and planned as such and must not impact ongoing maintenance or recertification audit activity.


Step-by-step guide to the transition process:

  • Step one (Client) – Complete the 27001:2022 transition application form and submit this to Centre for Assessment as soon as possible, and at least 4 months prior to your transition audit taking place.
  • Step two (Head Office) – Centre for Assessment’s head office staff will review the application and inform you of the cost’s involved, which will be sent to you along with an ISO 27001 Client Transition Checklist Template.
  • Step three (Auditor) – Centre for Assessment’s auditor will contact you and agree the date for the transition audit.
  • Step four (Client) – Complete the 27001 Client Transition Checklist Template including details of actions taken and evidence demonstrating compliance and have the completed document ready for the transition audit. Please note that failure to complete the Checklist will result in a chargeable cancellation of the transition audit.
  • Step five (Auditor) – Centre for Assessment’s auditor will complete the transition audit and identify any findings requiring a Continual Improvement Record to be completed. Note: If the transition audit identifies major non-conformances a further audit may be required.
  • Step six (Client) – If applicable, you should complete and return the Continual Improvement Record to the Auditor, along with evidence of correction and corrective action.
  • Step seven (Auditor) –Upon receipt, Centre for Assessment’s auditor will review the Continual Improvement Record and evidence for acceptance. If additional actions are required, you will be asked to resubmit. Once accepted, this document and associated evidence will be passed to Centre for Assessment head office for a certification decision.
  • Step eight (Head Office) – Centre for Assessment’s head office will undertake a panel technical review and make a certification decision.
  • Step nine (Head office) – upon a successful outcome of the transition audit, Centre for Assessment will issue you with a ISO 27001 certificate. See notes below on issue of certificates.


What will a transition audit include:

  • A review of the completed ‘Client Transition Checklist.
  • An audit of the changes made to the ISMS in order to comply with new or changed requirements, and their implementation and effectiveness;
  • An audit of the implementation and effectiveness of the new or changed controls, as applicable;
  • If applicable, the updating of the risk treatment plan;
  • A review of the updating of the statement of applicability.


Maintenance of ISO 27001:2017 certificates

Centre for Assessment is required to maintain your existing certification until a transition process has been successfully completed and a UKAS accredited certificate issued to the 2022 version of the standard. Please see below for details on our accreditation transition with UKAS.


Issue of certificates

Centre for Assessment will be undertaking transition audits of clients whilst going through our own transition process with UKAS. We will not be able to issue accredited ISO 27001:2022 certificates until we have completed the transition with UKAS. In the interim, we will issue an unaccredited ISO 27001:2022 certificate and replace it with an accredited certificates once accreditation is achieved. At the same time, your ISO 27001:2017 UKAS accredited certificate will remain valid until replaced by the accredited 2022 version.

Certificates issued to ISO 27001:2022 to relace ISO 27001:2017 will have the same certificate expiry as would have been applicable based on their last certification decision and current certification cycle (and not the end of the transition period).

The only exceptions to the above will be clients who hold unaccredited certification with us in technical or geographical areas for which we are not currently accredited by UKAS for the scheme.

Frequently Asked Questions (FAQs)


proud to be part of The Growth Company