ISO 27001:2022 | New Controls & Transition Deadline
- Scott Naisbett
- Mar 19
- 1 min read
When must I transition to ISO 27001:2022?
As of 30 April 2024, certification bodies can no longer offer (re)certification to the 2013 edition of the Standard.
Even if your organisation’s ISMS was (re)certified to ISO 27001:2013 by 30 April 2024, that certificate will expire on 31 October 2025 – even if it has been in place for less than three years (the normal duration of an ISO management system certificate).
We therefore advise you start adopting the 2022 Standard as soon as you can.
What are the new security controls in ISO 27001:2022?
A.5.7 Threat intelligence
A.5.23 Information security for use of cloud services
A.5.30 ICT readiness for business continuity
A.7.4 Physical security monitoring
A.8.9 Configuration management
A.8.10 Information deletion
A.8.11 Data masking
A.8.12 Data leakage prevention
A.8.16 Monitoring activities
A.8.23 Web filtering
A.8.28 Secure coding
If your organisation is currently certified to ISO 27001:2013, you will notice that some of these new controls are very similar to 'old controls' from the 2013 revision; however, because ISO 27002:2022 categorises them as 'new', I have listed all 11 in this blog.
Finally, keep in mind that these controls are not mandatory – ISO 27001 allows you to exclude a control if (1) you identified no related risks, and (2) there are no legal/regulatory/contractual requirements to implement that particular control.
If you need some assistance with your transition from ISO 27001:2013 → ISO 27001:2022 before the October 2025 deadline, you can contact us here.