From ISO 27001:2013 to ISO 27001:2022

You might have heard that there's a new version of ISO 27001. It's ISO 27001:2022, with both the 2013 and 2017 versions soon to be extinct. Let's break it down and tackle some common questions you might have about this transition.

When do ISO 27001:2013/2017 expire?

Mark your calendar for October 31, 2025.

All organizations must transition to the new ISO 27001:2022 standard by this date, regardless of their original registration date. All remaining ISO 27001:2013/2017 certificates will be withdrawn and considered expired as of October 25, 2023, regardless of the original certification date.

What is the difference between ISO 27002:2013 and 2022 mapping?

The old version, ISO 27001:2013, had 114 controls spread out over 14 domains. But the new ISO 27001:2022 has 93 controls, grouped into 4 domains: Organizational, People, Physical, and Technological.

While some controls appear to have been merged, others are new and might require some tweaking of your existing implementation.

What are the new changes in ISO 27001:2022?

The main part of ISO 27001, i.e., clauses 4 to 10, has changed only slightly, mainly to align with other ISO management standards such as ISO 9001 and ISO 14001, and with Annex SL, the common structure and terminology for all ISO management system standards. This alignment will create a more holistic approach to obtaining more than one certificate at once.

Here are some changes in controls:

How to transition from ISO 27001:2013 to 2022?

At Secfix we will support you with transitioning from ISO 27001:2013/2017 to ISO 27001:2022. Our platform will provide you with the guidance and tools you need to make the switch smoothly, from updated policies and procedures to new security checks for audits and a continuous gap analysis. No need to manually map controls on your own!

You can schedule a free consultation with us so we can answer any questions you have on how we can help you update to the new ISO 27001:2022 version fast and easy.