ISO 27001:2022 – lessons learnt from the front-line of deployment of an evolving Standard


By a Cybersecurity Strategy Consultant | ISO 27001 Lead Auditor (BSI Certified since 2015)

Editorial note (April 2026): This article was originally published in July 2025, ahead of the ISO 27001:2022 transition deadline. All ISO/IEC 27001:2013 certificates expired on October 31, 2025. If your organization has not yet transitioned, you are now out of certification — and will need to complete a full initial audit to regain ISO 27001:2022 status. The key changes described below remain fully relevant. The practical advice in the CTA section has been updated accordingly.


Let’s be honest — ISO 27001:2013 had a good run. But after a decade of aging gracefully (or… not so gracefully in some orgs), it’s time to say goodbye [Andrea Bocelli singing in the background]. The 2022 version arrived, and not just with new spicy words and an Annex A reshuffle, but with strategic implications that could make or break your security system. Or, at the very least, your upcoming audit.

I’ve been through this dance before — I’m an ISO 27001 Lead Auditor certified since 2015. Having completed BSI’s auditor transition training, led a successful transition for a large telecom, and supported others through their 2022 re-certifications, I’ve had a front-row seat to the standard’s evolution. This post focuses on my practical experience and theoretical knowledge of ISO 27001:2022 — not a complete list of changes, but rather a reflection on those that matter most from my perspective. Whether you’re a startup building your ISMS with a vCISO or an enterprise navigating recertification, here’s what you actually need to know.

Clause 4.2 — From stakeholder „listening tour” to stakeholder „triage”

In 2013, Clause 4.2 was like a polite HR survey: „List the stakeholders. Invite. Note concerns. Smile. Next, please.” The 2022 version? Welcome to strategic stakeholder triage.

Security officers are now expected to:

  • Not just collect stakeholder needs, but decide which ones matter
  • Document why some are included and why others aren’t — yes, „just because” won’t fly 😉
  • Incorporate the chosen ones directly into the risk management engine

That includes regulators, customers, employees, third parties, and the mysterious group known as „the business.” Imagine a key stakeholder saying, „I want monthly pen testing” — now you can’t sympathetically nod and ignore it. You’ll need to evaluate the impact, cost, and risk justification, and either implement or log your reasoning like a (digital) diplomat. And it isn’t just governance theatre. With NIS2 now in force and compliance no longer a siloed function, failing to embed stakeholder priorities could mean both strategic misalignment and non-conformance.

Pro Tip: Startup CISOs — this is your moment to build relationships with key stakeholders. Enterprise ISMS Managers — expect your internal auditors to press for justification, not just presence.

Clause 4.4 — Goodbye static policies, hello process universe

Clause 4.4 introduces a line that might sound innocent: „including the processes needed and their interactions.”

Spoiler: It’s not.

Your ISMS is now expected to act like a real operational ecosystem, not a dusty SharePoint folder with version-controlled PDFs. You must:

  • Identify, document, and map all ISMS-relevant processes — you must be able to demonstrate a clear understanding of your ISMS processes. Think of it as turning your ISMS into a digital twin of your security function — with flowcharts, swimlanes, and yes, at least one RACI matrix 🙂
  • Use a common process management framework — especially organizations with multiple ISO certifications (like 9001, 22301, 27001, 42001) should seize this opportunity to create a shared framework. A common Corrective and Preventive Action (CAPA) process streamlines management and reduces overhead.
  • Show how they interact — for each process, document its inputs, outputs, and interactions (asset inventory feeds risk assessment; organizational changes impact Access Control; etc.)

[Figure: ISO 27001:2022 ISMS process map with process interactions, example. Source: own material]

Pro Tip: Build a process map. Or at least a diagram that doesn’t live exclusively in a security architect’s brain 🙂

Clause 6.3 — The new kid on the block

Say hello to Clause 6.3, the youngest addition to the ISO family, and possibly the most high-maintenance.

In simple terms:

„When the organization determines the need for changes to the ISMS, the changes shall be carried out in a planned manner.”

Translation:

  • You can no longer tweak a policy at midnight and pretend it never happened.
  • Every change — whether it’s ISMS scope expansion, a new control, or a tooling update — must be:
    • Planned — Plan execution, evaluation, and documentation
    • Risk-assessed — Identify risks
    • Resourced — Identify required resources
    • Documented — Justify the rationale for each change

Yes, this is where Change Management meets the ISMS. And it works very well if you like order and hate audit findings.

Pro Tip: Startups — integrate this with your existing sprint or change review cycles. Enterprises — plug it into ITIL or GRC workflow.

Clause 8.1 — Process control, criteria, and third-party risk

Here is a comparison of the old and new Clause 8.1 (in the original figure, orange text marks the main change):

[Figure: ISO 27001:2022 vs 2013 Clause 8.1 comparison of changes. Source: www.patreon.com/AndreyProzorv]

This clause, in the 2013 version, used to be… short. Now it’s more like an operations manual — and that’s actually a good thing. Here’s what’s new:

  1. „Establish criteria” added — Define what „good” looks like for each ISMS process (NIS2 example: 24-hour preliminary incident notification to authorities, 72-hour update, 30-day close)
  2. „Implement control of the process” added — Monitor, enforce, and adjust when criteria aren’t met
  3. „Control of externally provided processes” added — AI Agents, Cloud Providers, SaaS tools… they’re all part of your ISMS now and must be monitored. Ensure vendors are contractually obligated to support your SLAs and KPIs.

If you’re affected by NIS2, this one is non-negotiable. You’ll need formal detection and reporting mechanisms, response roles, and SLAs that support reporting timelines. Every step must be documented, monitored, and reviewed to ensure not just compliance, but audit readiness.

Your ISMS is no longer just about internal discipline. It’s turned into ecosystem risk governance. Think of it this way: if your AI Agent Provider sneezes, your audit might catch a cold.
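To make the „establish criteria” and „control of the process” points concrete, here is an added example that is not part of the article: a small Python check that encodes the NIS2-style reporting timeline mentioned above (24-hour notification, 72-hour update, 30-day close) as measurable criteria, evaluates each incident record against them, and flags records that should go into the CAPA process. The step names, the `IncidentRecord` structure and all incident records are constructed assumptions for illustration, not data from any real organization.

```python
# Added example (not from the article): a Clause 8.1 "criteria and control of
# the process" check for an incident-reporting process, using the NIS2-style
# timeline the article mentions (24 h notification, 72 h update, 30-day close).
# All incident records below are constructed sample data.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Clause 8.1 "establish criteria": measurable targets, each relative to the
# moment the incident was detected. The step names are hypothetical labels.
CRITERIA = {
    "notification": timedelta(hours=24),
    "update": timedelta(hours=72),
    "close": timedelta(days=30),
}


@dataclass
class IncidentRecord:
    incident_id: str
    detected_at: datetime
    # step name -> time the report for that step was actually submitted
    submitted: dict = field(default_factory=dict)


def evaluate(record, now):
    """Return {step: status}, where status is one of
    'on_time', 'late' (submitted after the deadline),
    'pending' (not yet due) or 'overdue' (not submitted, deadline passed)."""
    status = {}
    for step, allowed in CRITERIA.items():
        deadline = record.detected_at + allowed
        sent = record.submitted.get(step)
        if sent is not None:
            status[step] = "on_time" if sent <= deadline else "late"
        else:
            status[step] = "pending" if now <= deadline else "overdue"
    return status


def needs_corrective_action(record, now):
    """Clause 8.1 "control of the process": any missed criterion should feed
    the CAPA process rather than be quietly absorbed."""
    return any(s in ("late", "overdue") for s in evaluate(record, now).values())


def utc(*args):
    """Build a timezone-aware UTC datetime (keeps comparisons unambiguous)."""
    return datetime(*args, tzinfo=timezone.utc)


# Constructed sample incidents (not real events).
SAMPLE_RECORDS = [
    IncidentRecord(
        "INC-0001",
        detected_at=utc(2025, 11, 1, 8, 0),
        submitted={
            "notification": utc(2025, 11, 1, 20, 0),  # 12 h after detection
            "update": utc(2025, 11, 5, 9, 0),         # 72 h deadline was Nov 4, 08:00
        },
    ),
    IncidentRecord("INC-0002", detected_at=utc(2025, 11, 1, 8, 0)),  # nothing reported
]


def summarize(records, now):
    """Return {incident_id: (statuses, needs_capa)} for a process review."""
    return {
        r.incident_id: (evaluate(r, now), needs_corrective_action(r, now))
        for r in records
    }


if __name__ == "__main__":
    review_time = utc(2025, 11, 10, 12, 0)
    for incident_id, (statuses, capa) in summarize(SAMPLE_RECORDS, review_time).items():
        print(incident_id, statuses, "CAPA required" if capa else "ok")
```

The same pattern applies to any other Clause 8.1 criterion: state the target as data, evaluate it mechanically, and route every miss to a documented corrective action so the auditor sees the monitoring loop rather than a narrative.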

Annex A changes: sometimes subtle, always impactful

Annex A didn’t just get a haircut — the reorganization is significant:

  • 11 new controls,
  • 57 merged into fewer, smarter ones,
  • 23 renamed controls.

This reorganization simplifies the structure, but the real game-changer is wording. In many cases, a single word change shifts the scope or intent of a control entirely. The difference between „should be considered” and „shall be implemented” isn’t just semantic — it’s audit gold. I strongly recommend a careful side-by-side comparison of old and new control wording to avoid being caught off-guard.

ISO 27002:2022 is often treated as a mere companion document, but its updated guidance is invaluable. Each control guideline now describes its purpose, attributes (e.g., control type, security properties), and operational concepts, making it far easier to map and tailor controls to your specific risk environment.

Pro Tip: Many mature organizations already have 80–90% of the „new” controls implemented — because of regulatory requirements or sector best practices. The key is now to make it explicit and auditable. The wording is where the audit will most likely surprise you.

Key steps for organizations

  • Compare every Annex A control’s old vs. new wording
  • Run a gap analysis against the 2022 version (As-Is & To-Be design):
    • Facilitate SoA working sessions across business, IT, and security
    • Use ISO 27002:2022 control explanations to clarify implementation scope and intent
    • Create a roadmap for implementing any missing or changed controls
  • Update the SoA with actual applicability logic

The deadline has passed — what now?

All ISO/IEC 27001:2013 certificates expired on October 31, 2025. If your organization missed the transition, here is the reality:

  • Your 2013 certificate is no longer valid.
  • You cannot be „grandfathered in” — there is no grace period.
  • To regain certification, you need a full initial audit against ISO 27001:2022.

The good news: if you had a solid 2013 ISMS, you are not starting from zero. Most of the work transfers. The gap is real but manageable — with the right support and a realistic timeline.

Translation for the Board: Risk. Exposure. And potentially lost deals — especially if ISO 27001 compliance is written into your customer contracts.

Let’s start the conversation

The ISO 27001:2022 transition is more than a compliance exercise — it’s a good occasion to build a more resilient, responsive, and strategically aligned security program. Whether you transitioned on time or are now catching up, the path forward is the same: gap analysis, updated SoA, and a structured implementation plan.

If you’re a Startup, you likely need a vCISO to guide the ISO 27001:2022 implementation while maintaining agility. I provide:

  • Risk-based prioritization
  • Process design
  • Control tailoring aligned to your market or product
  • Audit readiness and SoA development

If you’re a Mid to Large Enterprise, you may need a project manager or SME to coordinate cross-functional teams and drive the recertification process. I support:

  • Full transition project delivery
  • Gap analysis and internal audit support
  • Vendor risk integration
  • Cross-standard alignment (ISO 9001, ISO 22301, ISO 42001)

I’m happy to discuss your specific situation. Let’s make your ISO 27001:2022 journey not just another requirement — but a strategic advantage.

📧 srebnicki@protonmail.com
🌐 psrebnicki.pl


Frequently Asked Questions

What is the deadline for ISO 27001:2022 transition?

The transition deadline was October 31, 2025. All ISO/IEC 27001:2013 certifications expired on that date. Organizations that did not complete their transition audit by then are no longer certified and must undergo a full initial audit to achieve ISO 27001:2022 certification.

What are the main changes in ISO 27001:2022 vs 2013?

The key changes are: Clause 4.2 now requires active stakeholder triage (not just listing); Clause 4.4 requires process mapping with documented interactions; the new Clause 6.3 mandates planned change management for the ISMS; Clause 8.1 adds criteria-based process control and vendor oversight; and Annex A was restructured with 11 new controls, 57 merged, and 23 renamed.

What happens if my organization missed the ISO 27001 transition deadline?

Your 2013 certificate is now invalid. There is no grace period. To regain certification, you need a full Stage 1 and Stage 2 initial audit against ISO 27001:2022. If ISO 27001 compliance is required in your customer contracts, this may affect your revenue and business relationships immediately.