
Transitioning from ISO 27001:2013 to ISO 27001:2022: A Comprehensive Guide

Published
Nov 25, 2024

ISO 27001 is an internationally recognized standard for information security management. As the cyber threat landscape evolves, so do the standards that help organizations protect their information assets. In October 2022, the International Organization for Standardization (ISO) released an updated version of ISO 27001, marking a shift from the 2013 version. This article provides a comprehensive guide to transitioning from ISO 27001:2013 to ISO 27001:2022. 

Understanding the Key Changes in ISO 27001:2022 

To implement ISO 27001:2022 properly, organizations must understand what has changed. The most notable changes are as follows:

Updated Annex A Controls: 

  • The most notable change is the update to Annex A, which now aligns with ISO 27002:2022. The number of controls has been reduced from 114 to 93, reorganized into four themes: organizational, people, physical, and technological. 
  • 35 controls remain the same, 23 controls have been renamed, 57 controls have been merged to form 24 controls, and there are 11 new controls that have been introduced to address emerging threats, such as cloud security, threat intelligence, and data masking. 

Clause Structure and Wording: 

  • Minor adjustments have been made to the wording and structure of the clauses to enhance clarity and usability. 
  • Emphasis has been placed on aligning the standard with modern information security practices and technologies. 

Focus on Organizational Context: 

  • There is greater emphasis on understanding the context of the organization and the needs and expectations of interested parties. 
  • There is enhanced focus on the alignment of the information security management system (ISMS) with the organization's strategic objectives. 

Risk Management: 

  • Clarifications and refinements have been made in the approach to risk assessment and treatment. 
  • The updated standard emphasizes a more flexible, outcome-based approach to managing information security risks. 

Understanding the updates from ISO 27001:2013 to ISO 27001:2022 allows for more effective implementation and makes your organization's transition that much more seamless.

Steps to Transition from ISO 27001:2013 to ISO 27001:2022


New processes and compliance requirements can often be intimidating, as there are many internal and external factors to consider. Navigating the transition from ISO 27001:2013 to ISO 27001:2022 is no exception, and many might find it daunting. To help, the process has been broken into seven steps:

1. Understand the New Standard: 

  • Start by thoroughly reviewing ISO 27001:2022 and ISO 27002:2022 to understand the new requirements and changes. 
  • Identify the differences between the 2013 and 2022 versions to understand what needs to be updated in your current ISMS. 

2. Conduct a Gap Analysis: 

  • Perform a gap analysis to compare your existing ISMS against the new requirements of ISO 27001:2022. 
  • Identify areas where your current practices do not meet the new standard and document the necessary changes. 

3. Update Annex A Controls: 

  • Review and update your Annex A controls to align with the new set of 93 controls. 
  • Verify that all new controls relevant to your organization are implemented and that existing controls are updated or replaced as needed.

4. Revise Documentation: 

  • Update your ISMS documentation, including policies, procedures, and records, to reflect the changes in the standard. 
  • Align all documentation with the updated clause structure and wording. 

5. Train and Communicate: 

  • Conduct training sessions for your information security team and relevant stakeholders so they understand the changes and their implications.
  • Communicate the updates and their impact on the organization's information security practices to all employees. 

6. Review and Update Risk Management Processes: 

  • Revise your risk assessment and treatment processes to align with the new standard's requirements. 
  • Keep your approach to managing information security risks flexible and outcome-based. 

7. Perform Internal Audits: 

  • Conduct internal audits to verify that the updated ISMS meets the requirements of ISO 27001:2022. 
  • Address any non-conformities identified during the audits and implement corrective actions. 

Benefits of Transitioning to ISO 27001:2022 

Organizations that transition to ISO 27001:2022 experience several benefits. Implementing the updated framework allows organizations to better position themselves in the cybersecurity sphere through enhanced technology, business, security, and management controls. Common benefits include:

Enhanced Security Posture: The updated standard addresses emerging threats and technologies, helping organizations improve their overall security posture. 

Regulatory Compliance: Aligning with the latest standard keeps your organization in compliance with current regulatory and legal requirements. 

Increased Stakeholder Confidence: Achieving certification to the latest standard demonstrates your commitment to information security, building trust with clients, partners, and stakeholders. 

Improved Efficiency: The updated standard promotes a more efficient and effective ISMS, reducing redundancy and enhancing the alignment with organizational objectives. 

How EisnerAmper Can Help 

Transitioning from ISO 27001:2013 to ISO 27001:2022 is a critical step in maintaining a robust ISMS that addresses current and emerging threats. By understanding the key changes, conducting a thorough gap analysis, updating controls and documentation, and engaging with certification bodies, organizations can build and maintain a smooth and successful transition. Embracing the updated standard not only enhances security but also demonstrates a commitment to continuous improvement and stakeholder confidence. 

All organizations must transition from ISO 27001:2013 to ISO 27001:2022 before October 31, 2025. Now is the time to plan your approach. EisnerAmper professionals can help you navigate these changes and address certification requirements. Contact us below to discuss your next steps. 


Dan Mathewson

Dan Mathewson is a Senior Manager in the firm's Accounting & Audit group and has nearly 10 years of experience.
