Late last year, a replacement of ISO 27001 was announced, designed to help businesses improve their cybersecurity, information security, and privacy protection. All organisations who wish to remain ISO 27001 certified will need to transition to the ISO 27001:2022 update before the end of the transition period in October 2025.
What exactly is the ISO 27001:22 update, though, and what are the requirements businesses need to follow to ensure they remain certified? In this latest blog, we thought we would take a closer look…
The ISO 27001:2022 certification is the leading international standard for information security. It was published in partnership between the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC), forming part of a set of standards outlining how businesses should handle information security.
The framework is designed for use by any organisation, regardless of size or industry. Its aim is to provide clear guidance on establishing, implementing, maintaining, and improving information management systems.
As cybercrime rises, ISO 27001 emerges as a crucial certification for every organisation. Predominantly adopted by businesses in the Information Technology (IT) sector, any company achieving this certification can show customers their commitment to data safeguarding and security.
The standard is a key component of an Information Security Management System (ISMS), a set of policies and procedures designed to manage sensitive data systematically. An ISMS addresses everything from employee behaviour to data processes and technology usage.
There are many benefits to achieving the ISO 27001:2022 certification, including:
Having ISO 27001 certification provides a clear overview of your current information security. Maintaining the certification involves regular audits and reviews to ensure continual improvement against ever-changing cyber threats.
As your business grows and new technology gets adopted, it can quickly become a confusing landscape. ISO 27001:2022 helps to clearly outline the responsibilities that organisations need to follow. This can help to increase productivity by ensuring everyone understands who is responsible for information management, while it can also help to improve decision-making by helping businesses understand the risks and how to best manage them.
With the threat of cyber attacks on the rise, ISO 27001:2022 certification helps to protect your business from these risks, demonstrating to your customers that you have taken steps to protect their data. This is a very important step in improving your reputation, helping you to take your brand to the next level.
Finally, ISO 27001 certification ensures that your business is complying with all legal, contractual and regulatory requirements around GDPR and NIS.
The announced update of the ISO 27001 certification is in response to the rapidly changing environment. The 2022 version features several important improvements and updates alongside new guidance and requirements around the governance of data, keeping the supply chain secure, and how to use cloud services.
One of the biggest changes in the 2022 update is the addition of a new risk assessment process. The process is based on the same risk management standards found in ISO 31000, creating a more flexible and adaptable process for risk assessment. This allows organisations to better tailor the strategies to their specific circumstances and needs.
The update also saw a number of new controls added, including
Alongside announcing the details of the update, when ISO 27001:2022 was released a transition period was also launched. This means that in order to remain certified, businesses will need to implement these changes within this time period. Some key dates to remember:
31st October 2022
This was the date that the transition period began.
1st May 2024
From the 1st of May, all new certifications should conform to the ISO 27001:2022 standards, making this an important date. It is also from this date that all recertification audits will need to utilise the criteria set out in the 2022 update.
Until then, though, organisations can still submit certification applications under the original 2013 criteria.
21st July 2025
All ISO 27001 transition audits should be complete by this date.
31st October 2025
The end of October 2025 is when the ISO 27001 transition period comes to an end, and all certificates for ISO/IEC 27001:2013 will no longer be valid.
To maintain compliance, all organisations must implement necessary changes within the ISO 27001 transition period. Initially, updating your management system to align with the new guidelines is crucial. This update must occur before the audit, demonstrating documentation changes and any process requirements adjustments.
Before the formal audit, businesses should conduct an internal audit and management review to ensure they implement all new changes. If uncertain about meeting the required changes, businesses should consider arranging an ISO 27001 transition audit for certification maintenance. This audit will verify that all required revisions are implemented, either alongside an existing audit or as a standalone option, with the duration depending on your chosen approach.
In this fast-paced digital world, ensuring that your business is keeping client data safe and secure from the growing threat of cybercriminals is essential. Here at Critical Path, our mission is to help our clients to plan, monitor and control their projects effectively, ensuring they can reach their goals and overcome any obstacles they may face.
We can help you with your ISO 27001 transition, supporting you every step of the way to ensure that you are fully compliant. Get in touch today to learn more about our services and how we can help you.
