ISO 27001:2022 Transition Guide: What Changed and How to Migrate Your ISMS
What changed in ISO/IEC 27001:2022, the new Annex A structure (93 controls in 4 themes), the 11 new controls you must address, the transition deadline, and a migration checklist.
TL;DR
- ISO/IEC 27001:2022 transition deadline: October 31, 2025. After that, 2013-era certificates are invalid.
- Annex A restructured: 114 → 93 controls across 4 themes (Organizational, People, Physical, Technological). 11 new controls.
- Clauses 4–10 changed minimally; the work is concentrated in Annex A, SoA, and gap remediation.
If you have ISO 27001:2013 certification on your wall, you have a deadline. October 31, 2025 is the last day your 2013-era certificate is valid. After that, you either hold a 2022 certificate or you are no longer ISO 27001 certified. Procurement teams are already flagging 2013 certificates as near-expiration in vendor risk reviews.
This guide covers what changed, the 11 new Annex A controls, and a practical migration plan that most B2B SaaS companies can complete within a normal surveillance audit cycle.
What Changed at a Glance
The 2022 update is less dramatic than the 2005-to-2013 revision. The core ISMS framework (clauses 4 through 10) received minor clarifications. The significant work is in Annex A:
| Area | 2013 version | 2022 version |
|---|---|---|
| Annex A structure | 14 categories (A.5–A.18) | 4 themes (Organizational, People, Physical, Technological) |
| Number of controls | 114 | 93 |
| New controls | — | 11 |
| Merged/consolidated | — | 24 merged into fewer broader controls |
| Clause-level changes | — | Minor editorial updates |
| Transition deadline | — | October 31, 2025 |
For the broader context on ISO 27001 for B2B SaaS, see our ISO 27001 ISMS reality guide.
The 4 New Annex A Themes
In the 2022 edition, Annex A is organized by theme rather than by the 14 control categories used in 2013. Each control has a theme, a set of attributes (purpose, type, security domain), and a unique identifier.
A.5 Organizational controls (37 controls). Policies, roles and responsibilities, threat intelligence, supplier relationships, cloud services, information classification, incident management, continuity, and legal and compliance.
A.6 People controls (8 controls). Screening, terms of employment, awareness and training, disciplinary processes, termination, confidentiality, remote working.
A.7 Physical controls (14 controls). Perimeter security, physical entry, secure areas, equipment protection, clear desk and screen, secure disposal.
A.8 Technological controls (34 controls). User endpoints, access rights, authentication, privileged access, system hardening, capacity management, network security, malware protection, backup, logging, vulnerability management, secure development, change management, data masking, data leakage prevention, test data, web filtering, cryptography.
The 11 New Controls
These are the additions in the 2022 version. Every organization transitioning must evaluate each for inclusion in the Statement of Applicability.
A.5.7 Threat intelligence
Collect, analyze, and act on information about information security threats. In practice: subscribe to threat feeds (US-CERT, CISA, vendor security advisories), integrate with your SIEM if you have one, and document how threat intelligence informs your risk assessment and vulnerability prioritization.
A.5.23 Information security for use of cloud services
Specific assessment of cloud service risks and controls. If you use AWS, GCP, Azure, or any major SaaS, you need a documented cloud security assessment. Most of this content already exists in mature ISMSs but was scattered across A.13, A.14, and A.15 in 2013.
A.5.30 ICT readiness for business continuity
Your business continuity plan must specifically address ICT (IT) readiness. This includes RTO and RPO targets, disaster recovery testing, backup validation, and failover procedures. Often already covered by existing BCP but not labeled as ICT-specific.
A.7.4 Physical security monitoring
Continuous monitoring of physical access to sensitive areas. For fully remote SaaS companies, this typically applies to whatever physical facilities you do have (office, co-location). For teams with no physical facility, document the scope exclusion clearly in your SoA.
A.8.9 Configuration management
Baseline configurations for hardware, software, and networks with change management. Most cloud-native organizations have this implicitly through infrastructure-as-code; the 2022 requirement is to document it explicitly.
A.8.10 Information deletion
Secure deletion of information no longer required. Ties directly to GDPR Article 17 (right to erasure) and data retention policy enforcement.
A.8.11 Data masking
Techniques to mask personal data in non-production environments. If you have a staging or development environment that could contain production data, document your masking approach.
A.8.12 Data leakage prevention
Prevent unauthorized disclosure of sensitive information. Covers DLP tools, email filtering, USB controls, and any outbound data protection measures.
A.8.16 Monitoring activities
Continuous monitoring of systems, networks, and applications for security events. Aligns with SIEM operations and log analysis workflows.
A.8.23 Web filtering
Restrict access to websites that introduce risk (malware distribution, phishing, inappropriate content). In cloud-native SaaS, typically implemented via DNS filtering (Cisco Umbrella, Cloudflare Zero Trust, or equivalent) or through identity provider controls.
A.8.28 Secure coding
Principles and practices for secure software development. If you have a software development lifecycle, you likely have most of this in place via code review, SAST, and security training. The 2022 requirement is to document it as a discrete control.
Consolidated and Merged Controls
Twenty-four controls from 2013 have been merged into fewer, broader 2022 controls. Examples:
- A.11.1.1 and A.11.1.2 (2013) merged into A.7.1 Physical security perimeters (2022)
- A.13.1.1, A.13.1.2, A.13.1.3 (2013) consolidated into the A.8.20, A.8.21, A.8.22 (2022) network security family
- A.14.1.2 and A.14.1.3 (2013) merged into A.8.26 (2022) application security requirements
The merges reduce the number of distinct controls without reducing coverage. The 2022 version asks for broadly the same content under fewer labels.
The 5-Step Transition Plan
Step 1: Gap Analysis (weeks 1–2)
Map every 2013 control in your current Statement of Applicability to its 2022 equivalent. Identify:
- Controls that map one-to-one (most of them)
- Controls that merged into broader 2022 controls (about 24)
- Controls that were retired (about 11 retired or absorbed)
- 2022 controls that are entirely new (the 11 listed above)
Output: a mapping spreadsheet with 2013 control ID, 2022 control ID, and mapping status.
Step 2: Implement New Controls (weeks 3–8)
For each of the 11 new controls, determine whether it applies to your organization. If applicable, implement the control and document evidence. If not applicable, document the exclusion rationale in your SoA.
Most of the 11 new controls are already partially implemented in mature organizations — the work is documentation and evidence collection, not new technical implementation.
Step 3: Update the Statement of Applicability (weeks 8–10)
Rewrite your SoA using 2022 control IDs, names, and themes. Each control needs:
- 2022 control ID and name
- Included or excluded
- Justification for inclusion (reference specific risks or business requirements)
- Justification for exclusion (if applicable)
- Implementation reference (policy, procedure, or system)
For the full SoA methodology, see our Statement of Applicability guide.
Step 4: Update Policies and Procedures (weeks 10–12)
Update policy documents that reference 2013 control numbers. Replace citations throughout your policy pack, procedure manuals, and training materials.
This step is mostly editorial but needs careful version control. Many organizations publish a "2022 Conversion" version of each policy and retire the 2013 version on the transition date.
Step 5: Transition Audit (weeks 12–16)
Your certification body will audit the transition during a scheduled surveillance or recertification audit. Provide:
- Gap analysis spreadsheet
- Updated Statement of Applicability (2022 version)
- Evidence of implementation for new controls
- Updated policy pack
- Updated risk assessment reflecting any new risks identified
The auditor will verify the transition and issue an updated certificate referencing ISO/IEC 27001:2022.
Common Transition Pitfalls
Treating it as a rewrite. The 2022 update does not require rewriting your ISMS from scratch. The core ISMS framework (clauses 4–10) is mostly unchanged. Focus the effort on Annex A.
Missing the new controls. Organizations sometimes complete the transition without explicitly addressing all 11 new controls. Auditors will flag missing coverage even if the controls are informally implemented.
Keeping legacy control numbering. Policies that reference "A.12.1.2 Change management" (2013) instead of "A.8.32 Change management" (2022) will be flagged as documentation inconsistency.
Leaving the transition until Q3 2025. The transition deadline is October 31, 2025, but certification bodies are booking transition audits throughout 2024 and 2025. Waiting until Q3 2025 risks finding that your certification body has no audit slots left before the deadline.
Re-scoping without notification. The transition is a good moment to review ISMS scope, but scope changes must be notified to your certification body in advance. Do not combine scope expansion with transition without agreement.
Impact on Surveillance and Recertification Cycles
Your surveillance and recertification schedule continues uninterrupted through the transition. Certification bodies issue an updated certificate referencing ISO/IEC 27001:2022 with the same expiration date as your current cycle.
If you are mid-cycle (e.g., currently in Year 2 of a 3-year certification), the updated certificate preserves your original expiration date. Your next full recertification audit then follows the 2022 version exclusively.
Cost Implications
For most B2B SaaS companies, the transition adds:
- 40 to 80 hours of internal labor (senior compliance engineer or CISO time)
- $3,000 to $15,000 in consulting support if external help is used
- $1,000 to $3,000 in certification body administrative fees (varies by CB)
- No additional audit-days in most cases (transition is absorbed into scheduled surveillance)
Organizations operating ISO 27001 alongside SOC 2 benefit from parallel evidence collection. Most GRC platforms support both frameworks natively and handle the 2022 mapping automatically.
For the broader cost picture across frameworks, see our compliance cost breakdown.
Getting Started
If your certification expires before October 31, 2025, book your transition audit now. If you are currently pre-certification, plan directly against the 2022 version — do not start against 2013.
For teams that want a partner through the transition — including gap analysis, new control implementation, policy updates, and auditor coordination — reach out to CertifyOps to scope the work.
For the fundamentals of ISO 27001 certification, start with our ISO 27001 complete guide.