
ISO/IEC 27001:2022 ISMS Transition Program

Mon 12/06/2023 - 06:24

ISO/IEC 27001:2022 Information Security Management System Transition Program 

Transition requirements

ISO/IEC 27001 has been updated. The new ISO/IEC 27001:2022 was published on 25 October 2022 and is set to replace ISO/IEC 27001:2013 by 31 October 2025. Certified organizations are given three years to transition from ISO/IEC 27001:2013 to ISO/IEC 27001:2022. Therefore, ISO/IEC 27001:2013 shall cease by 31 October 2025.

When to transition?

The transition to ISO/IEC 27001:2022 can take place during surveillance, recertification or non-routine audits. If the organization fails to transition to ISO/IEC 27001:2022 by 31 October 2025, its certification is no longer valid and it will be treated as a new client application, for which an initial (stage 1 and 2) audit is required.

In view of the changes from ISO/IEC 27001:2013 to 2022, additional time is required to verify the changes.

Main Changes to ISO/IEC 27001:2022 

  • Changes to Annex A of ISO/IEC 27001:2013 to align with the updates of ISO/IEC 27002:2022, which was published earlier in 2022

  • The changes to Annex A consist of changes to the number of controls and listing in the groups  

  • The number of controls has decreased from 114 to 93 as most of the controls have been merged or renamed  

  • The 93 controls have been restructured into four control groups or sections: organizational controls, people controls, physical controls, and technological controls

  • Addition of 11 new controls: threat intelligence, information security for the use of cloud services, ICT readiness for business continuity, physical security monitoring, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, web filtering and secure coding

  • New content added to clauses 4.2, 6.2, 6.3, 8.1 and 9.3

  • Minor changes to some of the terminology and restructuring of the sentences and clauses  

Do you want to know more about our ISMS Transition Program? Contact us
