Get your businesses ready for ISO 27001: 2022


You probably already hold Cyber Essentials and ISO27001, but did you know that you will soon need to transition to ISO27001:2022?

If your business is ISO 27001:2013 certified, working toward ISO 27001 certification (or considering it), you need to know about updates to the framework and their impact.

Changes to the longstanding ISO 27001 control framework were finally published in February 2022, with the deadline for transition set as 31st October, 2025. Now, that may sound like a fair time away. But when you consider that projects can take between 6 to 18 months, depending on the size of your business, that date will soon come around.

At Safe Data Governance, we understand that it’s not easy keeping up with the many demands of data compliance. Does your business lack the systems, engagement, organisation and ownership to see it through?

We can help. Our new PRISM solution is designed to help businesses to manage this transition smoothly and cost-effectively.

The platform incorporates all the changes; helping companies with existing ISO 27001 to manage your migration to the new version, as well as helping businesses without ISO 27001 to implement the standard.

In addition, PRISM is scalable and enables to you manage Data Protection (ISO27701), Information Security (ISO27001) and Cyber Essentials compliance all in one place. The system can be tailored to large organisations or SME’s, including sole traders and micro-organisations.

Director Steve Gibson commented, “This long-awaited update will have many businesses worried about how to either update their existing systems or manage changes to systems still to be implemented. The truth is, that a structured approach to these changes will eliminate a lot of the pain often caused by inexperience and overcomplication of these new requirements. This is exactly what we are set up to help organisations achieve.”

ISO 27001 Implementation Project Team


What do the changes mean for ISO 27001 certification?

Since the release of the new version of ISO27001 (ISO27001:2022) in late 2022, certification bodies have now launched new schemes against which this new version of the standard will be audited.

The deadline by which organisations with the old version of this standard need to have transitioned is October 2025. However, certification bodies will be pushing to get the transition audits completed by the end of September 2025 to ensure that certifications do not lapse.

This should give organisations just under 18 months to complete their transition, but don’t leave it until the last minute as booking an auditor will become extremely challenging as organisations compete to get an auditor to do a last-minute audit!

We would recommend booking your audit at least 3 months ahead of the transition date, to provide you with plenty of leeway to cope with any unforeseen situations.

How challenging are the changes?

ISO27001:2022 has had its controls totally re-indexed, with some old controls being combined or split and 11 new controls added. There are also a few wording changes that are a bit of a ‘Gotcha’ for those who don’t look closely enough.

These index changes will affect your entire Statement of Applicability, your entire risk register (relative to the selected risk treatment controls from Annex A), and any policies that reference your Annex Controls.

The 11 new controls will need careful consideration, and there is a stronger emphasis on the standard of rules and procedures, rather than policies. This means that you will be expected to define more of ‘how’ something is done rather than just saying that you do it in a policy.

A big change, of only 2 words in an existing control, is the requirement to have staff acknowledge your information security policies. Think about this for a while…
To decide who needs to acknowledge a policy you need to define the audience for that policy and get that audience to acknowledge it – for every information security policy!

If you have many, many policies – that is a lot of work and rationalising your policies to fewer larger policies may be your best option to manage this change.

How can the transition from ISO 27001:2013 to ISO 27001:2022 be made easier for businesses?

The new platform PRISM incorporates all the new changes and updates.

This brand-new data protection and information security platform enables businesses to manage Cyber Essentials, Information Security ISO 27001 and Data Protection ISO 27701 compliance all in one place.

PRISM is designed to make data protection and cyber security compliance easier to manage, wherever a company is in their compliance journey. It will help companies with existing ISO 27001 to manage the migration to the new version, as well as helping businesses without ISO 27001 to implement the standard.


Need help managing the safe use of personal data? 

ISO27001:2013 Transition Gap Analysis

We offer a specialised Transition Gap Analysis service which inlcudes a complete review of all Annex A controls against the new version of ISO27001. Our Gap Analysis Report will identify what actions need to be carried out to achieve the transition to ISO27001:2022. Find out more

Book a PRISM Demo

With PRISM, you can manage Data Protection (ISO27701), Information Security (ISO27001) and Cyber Essentials compliance all in one place with our new scalable software. Book a free demo to see how it could help your business.