On October 25, ISO 27001:2022 was released, replacing the version from 2013. To help you determine the impact on your ISMS implementation, we have compiled this FAQ.

What’s new?

Management system

The management system of ISO 27001:2022 contains a few minor changes, aligning it to Annex SL.

These changes include:

  • Refinement of 4.1 Context
  • Refinement of 4.2 Interested parties
  • Refinement of 4.4 ISMS
  • Refinement of 6.1.3 Risk treatment
  • Refinement of 6.2 Objectives
  • Addition of 6.3 Change management
  • Refinement of 7.4 Communication
  • Rewrite of 8.1 Operational planning
  • Refinement of 9.1 Monitoring
  • Splitting 9.2 into 9.2.1 General / 9.2.2 Audit program
  • Splitting 9.3 into 9.3.1 General / 9.3.2 Input / 9.3.3 Output (and the addition of an extra topic)
  • 10.1 Improvement and 10.2 Nonconformities have switched numbers (!)

Annex A controls

Annex A of ISO 27001:2013 contained 114 controls, divided over 14 chapters. This has been restructured: the 2022 version contains 93 controls, divided over 4 chapters:

  • 5. Organizational (37 controls)
  • 6. People (8 controls)
  • 7. Physical (14 controls)
  • 8. Technological (34 controls)

While some controls appear to have been merged, other controls look new and might require some tweaking of your existing implementation – if you wish to include them in your Statement of Applicability, of course:

ISO 27001:2022                                          ISO 27001:2013 equivalent
A.5.7 Threat intelligence                               A.6.1.4 Contact with special interest groups
A.5.16 Identity management                              A.9.2.1 User registration and de-registration
A.5.23 Information security for use of cloud services   A.15.x Supplier relationships
A.5.29 Information security during disruption           A.17.1.x Information security continuity
A.5.30 ICT readiness for business continuity            A.17.1.3 Verify, review and evaluate information security continuity
A.7.4 Physical security monitoring                      A.9.2.5 Review of user access rights
A.8.9 Configuration management                          A.14.2.5 Secure system engineering principles
A.8.10 Information deletion                             A.18.1.3 Protection of records
A.8.11 Data masking                                     A.14.3.1 Protection of test data
A.8.12 Data leakage prevention                          A.12.6.1 Management of technical vulnerabilities
A.8.16 Monitoring activities                            A.12.4.x Logging and monitoring
A.8.23 Web filtering                                    A.13.1.2 Security of network services
A.8.28 Secure coding                                    A.14.2.1 Secure development policy

What about localized versions?

The Dutch version was released in December 2022 (available here).

Other localized versions are under development; we will update this page as they are released.

Updates of related standards (ISO 27017, 27018, 27701, 27799, NEN 7510) largely depend on their initial release date, following the standard 5-year review cycle. Just like ISO 27002 (whose development started in 2018), this might take another 3 to 4 years, counted from the next review date.

Below is an overview of all standards in the ISO 27000 family, their status and the expected release dates.

Standard         Status                                                                                                  Expected
ISO 27017:2015   This standard was last reviewed and confirmed in 2021. Therefore this version remains current (source)
ISO 27018:2019   Pending review in 2024 (source)
ISO 27701:2019   Currently in development (source)                                                                       2023 or 2024
ISO 27799:2016   2022-02-16: New version under development (source)                                                      2025
NEN 7510:2017    Currently in development                                                                                2023 or 2024
BIO              Currently in development                                                                                2023

If you are (planning to be) certified for ISO 27001 in combination with any one of these standards, you have two options:

  • Use them in combination with the 2013 control set, so the control numbers match (this should be acceptable)
  • Use them in combination with the 2022 control set, accept the fact that the control numbers do not match, and divide your Statement of Applicability in multiple sections, one for each control set

When will Instant 27001 be updated?

The English and Dutch versions of Instant 27001 are already updated, so you can start your implementation based on the 2022 version today!

How can I update my existing Instant 27001 implementation?

An update package is available for existing customers. This package consists of:

  • The new Annex A structure containing all 93 controls
  • Updates for the changed high level requirements
  • All new and updated policies and procedures (for reference)
  • A new Statement of Applicability
  • A new Monitoring plan
  • A new Internal audit program
  • A new Internal audit report template
  • A Gap analysis + action plan template (as required for the transition audit)
  • Instructions on how to merge the contents and update your existing ISMS

This update package is currently available in English and Dutch, and confirmed for the German and Swedish versions (pending their releases).

Can I upgrade to Instant 27001 for Microsoft?

Yes, you can!

When does my ISMS need to be updated?

The International Accreditation Forum (IAF) has released a document indicating that, starting from the publication of ISO 27001:2022, certified organizations have 36 months to complete the transition, in this case no later than October 31, 2025.

The transition consists of:

  • Creation of a Gap analysis + action plan
  • Updating the ISMS (controls, risk assessment, documentation)
  • An internal audit (that focuses on the transition)
  • A management review (focusing on the transition)

We recommend combining the transition audit with your next surveillance or re-certification audit; this way you can re-use the existing internal audit and management review slots.

Once the transition audit is done by your registrar, you will be issued an updated certificate.

Can I still become certified to ISO 27001:2013?

Organizations that have not yet been certified can complete their implementation based on ISO 27001:2013 and become certified until April 30, 2024. You will then have 18 months to make the transition to ISO 27001:2022.

Can I already become certified to ISO 27001:2022?

Because the High Level Structure (HLS) has changed, registrars (a.k.a. certification bodies or auditing companies) are required to update their accreditation first. They have until October 31, 2023 to do so (source). Since there is a commercial advantage, most of them will do this as soon as possible.

Organizations that have implemented ISO 27001:2022, but whose registrar has not yet transitioned to the 2022 version, can get certified to :2013 with just a modified Statement of Applicability (showing the :2013 controls). You can then transition to :2022 the next year. Contact us if you need help with this.
