The 2022 version of ISO 27001 has been published for over three years, and the transition deadline is almost here. Even so, a significant number of organizations in Latin America still operate on the 2013 version or, worse, started the transition and left it half finished. If your organization is in either group, this quick guide covers the critical points you need to address now.
What changed between 2013 and 2022
The high-level structure (clauses 4 to 10) did not undergo radical changes. The main adjustments are concentrated in three areas:
- Clause 6.3 — Planning of changes: An explicit requirement was added to plan changes to the ISMS in a controlled manner.
- Clause 8.1 — Operational planning and control: Criteria for managing outsourced processes were strengthened.
- Annex A — Controls: Moved from 114 controls in 14 domains (2013) to 93 controls in 4 thematic categories (2022): organizational, people, physical, and technological. 11 new controls were added, 24 were merged, and duplications were eliminated.
The 11 new controls you cannot ignore
These controls did not exist in the 2013 version and your organization must implement them:
- A.5.7 Threat intelligence
- A.5.23 Cloud security
- A.5.30 ICT readiness for business continuity
- A.7.4 Physical security monitoring
- A.8.9 Configuration management
- A.8.10 Information deletion
- A.8.11 Data masking
- A.8.12 Data leakage prevention
- A.8.16 Monitoring activities
- A.8.23 Web filtering
- A.8.28 Secure coding
Common transition mistakes
According to data from our research on the ISO 27001:2022 transition, the most common errors are: mapping the 2013 controls 1:1 onto the 2022 controls without a gap analysis, ignoring the Statement of Applicability, not training internal auditors on the new requirements, and underestimating the new technological controls, which require concrete technical evidence rather than a policy document alone.
Operational transition checklist
If your organization needs to complete the transition, the priority order is:
- Gap analysis against ISO 27001:2022
- Rewrite the Statement of Applicability
- Implement the 11 new controls
- Update the risk assessment with clause 6.3 criteria
- Train internal auditors
- Run a full internal audit against the 2022 version
- Coordinate the transition audit with the certification body
If you need a quick assessment of where your organization stands regarding the 2022 version, a gap analysis against ISO 27001:2022 provides concrete answers within 72 operational hours.