    Transition to the ISO/IEC 27001:2022 standard: what you need to know

    The ISO/IEC 27001:2022 updates strengthen information security. Explore the changes and guidance for a smooth transition by 31st October 2025.

    The Information Security Management System standard has been revised. 31st October 2025 is the deadline for all organizations to transition their ISMS to align with the updated standard, ISO 27001:2022.

    Here, we explore the primary reasons behind the ISO/IEC 27001 revision, what the key changes are, and what the transition to the new standard involves. We also guide you through the key steps of the transition.

    Why is the standard for Information Security Management System being updated?

    According to McKinsey & Company’s Cybersecurity in a Digital Era report, as more and more businesses rely on digital services for back-office and customer-facing activities, digital threats to information security are also evolving. The ISO 27001 revision includes updates that better reflect modern business practices and help organizations remain competitive.

    These are the ISO 27001:2022 key changes

    The new ISO 27001:2022 standard introduces several important updates to streamline compliance and better address today’s information security challenges:

    • Simplified structure – the Annex A controls have been reorganized from 14 domains into just four themes: Organizational, People, Physical and Technological.
    • Updated 27001 controls – the number of controls listed in Annex A has decreased from 114 to 93. Some have been merged, some removed, new ones introduced, and others updated.
    • Concept of attributes included – aligning with common digital terminology, five attributes have been introduced: Control type, Information security properties, Cybersecurity concepts, Operational capabilities, and Security domains.

    Time is ticking on the transition period, but don’t panic: our step-by-step guide will help you on your transition journey.

    1. Buy a copy of ISO/IEC 27001:2022 and the associated control list in ISO/IEC 27002:2022

    Compare your current ISMS with the updated requirements to identify gaps or areas for improvement.

    2. Develop an action plan and update your ISMS

    Create a timeline for addressing the gaps identified and complete all necessary updates ahead of your forthcoming assessment visits and well before the 31st October 2025 deadline. BSI Training Academy has a range of ISO 27001 Transition courses to help you prepare. Find out more here.

    3. Engage with your certification body

    Contact your certification body to ensure planned assessment and transition visits are booked and the resource is confirmed. Aim to complete your transition visit a couple of months ahead of the deadline to allow time for unplanned delays.

    4. Engage another certification body

    Struggling to confirm dates with your certification body? Certificates not transitioned by 31st October 2025 will expire, and you will need to start the certification process again. At BSI, we have the capacity to support your transition and your ongoing ISMS journey. We also have a mapped-out transfer and transition process for you to follow.

    Understanding the risks of missing the ISO/IEC 27001:2022 transition deadline

    • Cybersecurity threats are evolving continuously: as cited in the revised standard, more and more businesses have moved towards cloud computing and embraced digital transformation, which has the potential to uncover new vulnerabilities for attackers to exploit.
    • The updated controls in ISO/IEC 27001:2022 specifically address these risks, including enhanced security for cloud environments, data privacy, and emerging technologies.

    Non-compliance can be costly: companies that have not transitioned will find their certificates expire on 31st October 2025. This could cause compliance and contractual issues, which may result in loss of business, fines, or legal consequences.

    Begin your transition today

    Our experienced team has already helped thousands of organizations globally to transition seamlessly to the new ISO/IEC 27001:2022 standard. This is a result of our comprehensive support, which includes gap analysis, training and certification audits.

    Need to transfer your ISO 27001:2013 certification?

    We can help you transfer your certification from other certification bodies.

    Contact us today to begin your transition to the new standard [Get in touch].