ISO 27001:2022 Deadline: What You Need to Know Before October 2025

As organisations continue to navigate the evolving landscape of cybersecurity and data privacy, protecting sensitive information is no longer optional. ISO/IEC 27001 is the internationally recognised standard for Information Security Management Systems (ISMS): it defines the requirements for establishing, implementing, maintaining and continually improving an ISMS, giving organisations a systematic framework to safeguard data, treat risk and demonstrate trustworthiness to stakeholders. The most recent revision, ISO/IEC 27001:2022, reflects the growing complexity of the threat landscape and updates both the security controls in Annex A and the structure of the standard to address current and emerging risks. The 2022 edition is now in effect, and the transition period for existing certificates ends on 31 October 2025. Organisations certified under ISO 27001:2013 must transition to ISO 27001:2022 by that date to keep their certification.


This blog explores the key changes in ISO 27001:2022 and the steps required for a smooth transition from ISO 27001:2013.


Key Updates in ISO 27001:2022

  1. Revised Annex A Controls:
  • The total number of controls in Annex A has been reduced from 114 (in ISO 27001:2013) to 93 in the 2022 version: 11 controls are new, 24 were formed by merging 57 of the 2013 controls, and the remaining 58 were carried over with updated wording.
  • The controls are now grouped into four themes, replacing the 14 control domains of the 2013 edition:
  1. Organisational Controls
  2. People Controls
  3. Physical Controls
  4. Technological Controls

This reorganisation mirrors ISO/IEC 27002:2022, the companion guidance that describes each control in detail and tags it with attributes (control type, information security properties, cybersecurity concept, operational capability and security domain), so that controls can be filtered and mapped to other frameworks. The main-body clauses of ISO 27001:2022 also follow the harmonised structure shared by other ISO management system standards such as ISO 22301 (Business Continuity Management), which simplifies integration for organisations running several management systems, including ISO/IEC 27701, the Privacy Information Management System (PIMS) extension, which at the time of writing is itself being revised to stay aligned with the 2022 edition.

  2. New and Updated Controls:

The updated Annex A introduces eleven new controls, which address emerging challenges such as:

  • 5.7 Threat intelligence: This new control emphasises the need to gather and use both external and internal threat intelligence to detect, prevent, and respond to emerging security risks.
  • 5.23 Information security for use of cloud services: This control addresses security measures required specifically for cloud environments, which have become increasingly critical as businesses shift to cloud-based infrastructures.
  • 5.30 ICT readiness for business continuity: This control emphasises that organisations must ensure their IT systems are prepared to continue operating and can recover quickly during disruptions, maintaining critical business functions.
  • 7.4 Physical security monitoring: This control addresses the need for implementation of monitoring systems, such as surveillance and physical access controls, to secure premises and prevent unauthorised access to server rooms and other sensitive areas.
  • 8.9 Configuration management: This control requires establishing processes to manage and control system configurations, ensuring that secure settings are maintained, and vulnerabilities are minimised.
  • 8.10 Information deletion: This control requires organisations to securely delete or destroy sensitive information that is no longer needed, preventing unauthorised access or recovery of data.
  • 8.11 Data masking: This control requires data masking techniques (such as pseudonymisation or anonymisation) to be applied in line with the organisation's access control policy and business requirements, taking applicable legislation such as GDPR into account, so that personal and other sensitive data is not exposed in full where it is not needed.
  • 8.12 Data leakage prevention: This control ensures that organisations implement measures to prevent the unauthorised transfer or exposure of sensitive data.
  • 8.16 Monitoring activities: This control mandates continuous monitoring of systems and processes to detect security incidents early and mitigate potential risks.
  • 8.23 Web filtering: This control requires organisations to manage access to external websites, for example by blocking known malicious or unauthorised sites, thereby reducing exposure to malicious content.
  • 8.28 Secure coding: This new control requires secure coding principles to be applied in software development, integrating security into the Secure Software Development Lifecycle (SSDLC).

  3. Updated Risk Management Approach:

Both editions require the organisation to plan actions that address risks and opportunities (clause 6.1), so this is a shift in emphasis rather than a new requirement. The 2022 edition tightens the surrounding planning clauses: information security objectives must now be monitored and be available as documented information (clause 6.2), and a new clause 6.3 requires changes to the ISMS to be carried out in a planned manner. Risk treatment itself works as before: assess risks, select the controls needed to treat them, compare the selection against Annex A to make sure nothing necessary has been omitted, and record the outcome in the Statement of Applicability. The practical expectation is that risk management is an ongoing, dynamic process, reassessed whenever the organisation, its technology or its threat landscape changes, rather than an annual exercise.

  4. Focus on Leadership and Governance:

The leadership requirements in clause 5 are carried over largely unchanged from 2013 and still demand a top-down approach: top management must demonstrate commitment to the ISMS, ensure that the information security policy and objectives are compatible with the organisation's strategic direction, make the necessary resources available, and assign the roles and responsibilities needed to operate and continually improve the ISMS. The 2022 edition adds one governance input: the management review (clause 9.3) must now also consider changes in the needs and expectations of interested parties that are relevant to the ISMS. In practice the transition is a test of that commitment, since management has to approve the reassessed risks and the new Statement of Applicability.

  5. More Comprehensive Documentation Requirements:

The requirements for documented information (clause 7.5) are carried over: policies, procedures and records must be created, reviewed, approved, controlled and retained so that the ISMS is consistent and auditable. What changes is the amount of documentation the transition touches. Clause 8.1 now requires the organisation to establish criteria for its ISMS processes and to control those processes against them, and to control externally provided processes, products and services that are relevant to the ISMS (the 2013 wording covered only outsourced processes). The Statement of Applicability, the risk treatment plan and every policy that references Annex A control numbers must also be re-mapped to the 93 controls of the 2022 edition.

Steps to Transition

Transitioning to ISO 27001:2022 involves careful planning and execution. Here are the recommended steps:

  1. Understand the Changes: Start by reviewing ISO 27001:2022 and ISO 27002:2022 to understand the differences and their implications for your ISMS. ISO 27002:2022 includes a mapping between the 2013 and 2022 control sets, which is the starting point for re-mapping your existing controls. Engage with your internal audit teams, consultants or certification body to get a complete understanding of what is required.
  2. Conduct a Gap Analysis: Identify where your current ISMS falls short of the updated requirements. Focus on the eleven new controls, the merged controls (check that nothing was lost when two 2013 controls became one), and the revised main-body clauses such as 4.2, 6.2, 6.3, 8.1 and 9.3.
  3. Update Documentation: Revise the risk assessment, risk treatment plan, Statement of Applicability, policies and procedures to align with the new standard. Every document that cites a 2013 control number needs to be re-mapped to its 2022 counterpart, and each of the 93 controls needs a recorded justification for inclusion or exclusion in the Statement of Applicability.
  4. Staff Training and Awareness: Ensure that all staff are aware of the updated standard, particularly those involved in information security. The success of your ISMS depends not only on technical controls but also on a well-informed and vigilant workforce.
  5. Internal Audit: Conduct an internal audit against the 2022 edition to confirm compliance with the updated requirements, and address any non-conformities before the external audit.
  6. Schedule a Transition Audit: Work with your certification body to plan and complete the transition audit well before the 31 October 2025 deadline. Certificates issued against ISO 27001:2013 expire on that date, so a transition audit that slips past it means a lapse in certification.

Benefits of Transitioning to ISO 27001:2022

  • Enhanced Security: The updated controls address modern threats, improving your organisation’s resilience.
  • Streamlined Processes: Consolidated controls simplify implementation and monitoring.
  • Competitive Advantage: Demonstrating compliance with the latest standard can boost stakeholder confidence and open doors to new business opportunities.

Why Start Now?

Early preparation ensures a smoother transition and reduces the risk of non-compliance. Certification bodies will face increased demand for transition audits as the deadline approaches, so scheduling early avoids delays. Aligning with the updated standard sooner also enhances your organisation's information security posture.

Conclusion

While the October 31, 2025, deadline may appear distant, transitioning to ISO 27001:2022 is a detailed process that demands careful planning and effort. Starting early gives organisations the opportunity to smoothly update their ISMS, avoid last-minute challenges, ensure compliance, and fortify their overall security posture. A proactive approach—beginning with a gap assessment—can help you adapt to the evolving cybersecurity landscape, enhance your information security practices, and maintain a competitive edge. Don’t wait—take the first step today to stay ahead of the curve.
