The Countdown to ISO 27001:2022 – What Certified Companies Must Do?
When ISO dropped the 2022 edition on 25 October 2022, it was like announcing a surprise detour halfway through a well-known trail. Certified organisations have a strict three-year window—ending 31 October 2025—to swap their old maps (ISO 27001:2013) for this updated chart.
“A stitch in time saves nine.” Timely migration not only dodges audit nonconformities but cements your reputation as a security leader. This article walks through every landmark on that journey—planning, gap-spotting, docs overhaul, training, audits, and beyond—so your ISMS stays on track, and your certificate stays valid.
What Is ISO 27001:2022?
Imagine your ISMS as a house. The 2022 update remodels certain rooms, adds smart locks, and rewires the foundation for modern security threats.
Evolution from ISO 27001:2013
- Annex SL makeover: A common skeleton across management standards.
Clause refinements (4–10): Clearer guidance on context, leadership, planning, support, operation, performance evaluation, and improvement.
Key Updates and Control Attribute Changes
| Aspect | Before (2013) | After (2022) |
|---|---|---|
| Annex A Controls | 114 | 93 (merged, split, and 11 brand-new controls) |
| New Control Attributes | N/A | Threat intelligence, cloud security, and more |
| Focus on Change & Objectives | Implicit | Explicit clauses on planning changes and objective monitoring |
Anecdote: One Melbourne firm treated the new controls like a surprise exam—lots of late-night study sessions, but they aced the transition audit by focusing on the five fresh attributes.
Why Transition Matters in the Countdown to ISO 27001:2022
- Enhanced Trust: Clients sleep better knowing your ISMS keeps pace with emerging threats.
- Competitive Edge: The latest certification looks sharp on tender decks.
- Risk Reduction: New controls tackle today’s villains—think supply-chain skulduggery and remote work blind spots.
- Metaphor: Missing the October 2025 deadline is like letting your passport expire mid-trip—you’re grounded until you sort the paperwork
Understanding the Transition Timeline
| Date | Milestone |
|---|---|
| 25 Oct 2022 | ISO/IEC 27001:2022 published |
| 31 Oct 2022 | Transition period kicks off |
| 1 May 2024 | All initial and recertification audits against the 2022 edition |
| 31 Jul 2025 | Last chance for transition audits |
| 31 Oct 2025 | ISO 27001:2013 certificates withdrawn; only 2022 certificates recognised |
Mark these dates in red on your calendar—no excuses..
Pre-Transition Planning
“Fail to prepare, prepare to fail.” A well-oiled machine starts with cogs in the right place:
- Assemble the A-Team: Project lead, technical guru, documentation whiz, and comms champ.
- Blueprint Your Roadmap: A Gantt chart or timeline that outlines who does what and when.
- Win Stakeholders Over: Host a briefing for execs—sell them on the ROI of staying ahead.
Conducting a Comprehensive Gap Analysis
A gap analysis is your treasure map—X marks where the new controls live.
- Map Old to New: Create a side-by-side matrix showing merges (57→24), splits, and fresh controls.
- Spot Documentation Holes: Audit your policies, SoA, and proof of implementation.
- Prioritise Like a Pro: Score tasks by risk and effort—tackle the quick wins and high-impact fixes first.
Training and Competence Requirements
Security is only as strong as the team behind it:
- Practitioner Workshops: Cover new clauses on change planning and threat intelligence.
- Auditor Swap-over Courses: 4–8 hours to level up existing ISO 27001:2013 auditors to the 2022 edition.
- Record Keeping: Log attendance, quiz scores, and role-based competencies in your training matrix.
- Quote: “You can’t manage what you don’t measure.” – Peter Drucker
Updating Your ISMS Documentation
Dust off those manuals—it’s time for a refresh:
- Policies & Procedures: Weave in new requirements (e.g., communication protocols under Clause 7.4).
- Statement of Applicability (SoA): List all 93 Annex A controls with rationales for exclusions.
- Risk Assessments: Update threat profiles (hello, cloud risks) and tweak the treatment plan.
Internal Audit and Management Review
Before the referee (external auditor) shows up, run your own drills:
- Internal Audits: Cover each tweaked clause and control change.
- Management Reviews: Capture decisions on resources, unresolved issues, and strategic pivots.
- Corrective Actions: Close nonconformities promptly—nobody likes repeat offenders.
Scheduling and Executing the Transition Audit
Choose your adventure:
- Integrated Approach: Bundle your transition with a surveillance or recertification visit—time and cost savers.
- Standalone Audit: Opt for a dedicated session if the integrated route feels too rushed.
- Resolution Window: Block out time post-audit to tackle any findings before certificate issuance.
Certificate Issuance and Validity
| Route | Expiry |
|---|---|
| Surveillance-Based | Aligns with existing cycle |
| Recertification-Based | Fresh three-year term from audit date |
Either way, keep an eye on expiry dates—expired certs are about as useful as a chocolate teapot.
Common Pitfalls and Best Practices
- Scope Creep: Stick to your ISMS boundary—don’t chase shiny, unrelated processes.
- Use ISO 27002:2022: The companion guide is your implementation bible.
- Document Everything: Meeting minutes, training records, risk logs—if it isn’t documented, it didn’t happen.
- Partner Up: Internal champions or consultants can fast-track gap closures and training roll-outs.
ISO 27001: 2022 Certification With CyberSapiens: Compliance & Security Services
CyberSapiens works closely with your organization throughout the ISO 27001 certification process, delivering comprehensive support and expert guidance to help you achieve compliance smoothly and efficiently. Our key offerings include:
- ISO 27001 Readiness Assessment: Evaluate your current security posture to identify strong areas and pinpoint aspects that need improvement.
- Comprehensive Gap Review: Analyze your existing controls against ISO 27001 standards to determine specific compliance gaps.
- Risk Assessment & Treatment Planning: Identify critical risks and develop strategic mitigation plans to manage and reduce potential threats.
- Policy & Procedure Creation: Access customizable, ISO-compliant documentation designed to align with your organizational requirements.
- ISMS Implementation Guidance: Receive practical, hands-on support in building and deploying your Information Security Management System.
- Security Awareness & Employee Training: Train your workforce on ISO 27001 essentials and cybersecurity best practices.
- Internal Audit & Corrective Action Support: Conduct internal audits to measure preparedness and implement necessary improvements.
- Support for External Certification Audit: Gain expert assistance to ensure a smooth, well-organized, and successful certification audit.
- Continuous ISMS Maintenance & Compliance Monitoring: Keep your ISMS effective and compliant through ongoing evaluation, updates, and monitoring.
Clients Served by CyberSapiens
Conclusion
The clock is ticking on the Countdown to ISO 27001:2022. By treating this transition as a well-planned relay—handing off tasks cleanly from planning to audit to upkeep—organisations will cross the finish line with flying colours, fortifying their defences and earning stakeholders’ trust.
FAQs: The Countdown to ISO 27001:2022 – What Certified Companies Must Do?
1. What is the final deadline to transition to ISO 27001:2022?
Ans: All ISO 27001:2013 certificates expire on 31 October 2025—after that, only the 2022 certificate counts.
2. Can the transition audit be bundled with surveillance visits?
Ans: Yes. Integrating avoids duplicate effort and offers cost savings.
3. What if the deadline is missed?
Ans: SO 27001:2013 certs will be withdrawn, and a full initial certification to 2022 will be required.
4. How is a gap analysis conducted?
Ans: Create a side-by-side Annex A matrix, flag merges, splits, and new controls, then map documentation gaps.
5. What training do staff and auditors need?
Ans: Staff require awareness sessions on new clauses; auditors need a 4–8 hour transition course.
