January 16, 2023

ISO/IEC 27001:2022 Transition

ISO/IEC 27001:2022 Transition

A new revision of ISO/IEC 27001 has been released. The new revision is titled:

ISO/IEC 27001:2022 Information security, cybersecurity, and privacy protection – Information security management systems – Requirements

The new revision was published on 31st October 2022 and the older ISO/IEC 27001:2013 will be withdrawn on 31st October 2025.

All WCS ISO/IEC 27001:2013 certified clients have a three-year period to migrate its management system certification to ISO/IEC 27001:2022. After the 31st October 2025 all old revision certificates will expire.


A planned transition approach is essential. Here are some pointers:

  • Obtaining a copy of the standard,
  • Identify suitable training (if required)
  • Ensure communication within your organisation
  • Identify responsibilities for the transition
  • Undertake a gap analysis
  • Update the documented system
  • Provide additional training to employees
  • Complete internal audits with an emphasis on the additional requirements
  • Apply for the transition with World Certification Services


Clients will be able to transition to the new standard during surveillance audits, recertification audits or by having a special audit in advance of their next scheduled surveillance/recertification audit.

It is a requirement that WCS add audit duration to cover the new requirements. This extra audit duration will be communicated and agreed before the audit takes place.


ISO/IEC 27001:2022 is not a fully revised edition. Its main changes include:

  • Annex A references to the controls in supporting standard ISO/IEC 27002:2022, which includes the information of control title and control.
  • The notes of Clause 6.1.3 c) are revised editorially, including deleting the control objectives and using “information security control” to replace “control”;
  • The wording of Clause 6.1.3 d) is re-organized to remove the potential ambiguity.

Compared with the old revision, the number of controls in ISO/IEC 27002:2022 decreases from 114 controls in 14 clauses to 93 controls in 4 clauses. For the controls in ISO/IEC 27002:2022, 11 controls are new, 24 controls are merged from the existing controls, and 58 controls are updated. Moreover, the control structure is revised, which introduces “attribute” and “purpose” for each control and no longer uses “objective” for a group of controls.

If you would like more information please contact WCS.

Back to Blog

The auditor built a good rapport with the auditees and was thorough but fair in his questioning and report.

Oceaneering International Inc.

Open up new business opportunities

Request a quote today