ISO 27001 Standard – Most Recent Updates and Revisions

Welcome to the ISO 27001 updates and revisions page, where you can learn more about the most recent changes to this ISO standard.

ISO 27001 is the international standard for information security management, specifying requirements for organisations of any size to establish, implement, maintain, and continually improve an Information Security Management System (ISMS).

Strengthen your organisation’s information security by staying informed on the latest ISO 27001 news, updates, revisions and best practices.

• Discover how the ISO 27001 standard can help your organisation’s information security.
• Understand the ISO 27001 requirements with our comprehensive guide.
• Browse our online cyber security training and awareness courses.

Transition & Certification Deadline

By 31st October 2025, all certifications must be transitioned to ISO/IEC 27001:2022; certificates to the 2013 version will be invalid after this date.

Amendment 1 Published – Climate Action Changes

As part of ISO’s broader initiative to incorporate climate action into all management system standards, an amendment to ISO/IEC 27001 was issued in early 2024. This change introduces a requirement for organisations to consider the impact of climate change in the context of their ISMS.

Key updates were as follows:

• A new requirement added in Clause 4.1 – Understanding the organisation and its context – Organisations must now assess how climate change affects their ability to achieve the intended outcomes of the ISMS.
• A corresponding note was added to Clause 4.2 – Understanding the needs and expectations of interested parties – This reinforces the relevance of climate-related expectations from stakeholders.

1st May, 2024

Key ISO 27001 Transition Deadline

Certification bodies must conduct all new ISO 27001 certifications and recertifications against the 2022 version.

ISO/IEC 27001:2022 Version Launched

ISO 27001 has been updated for the first time in almost a decade, reflecting the rapidly evolving changes that threaten information security and the need for information management systems to remain effective and relevant.

The latest version of the standard, ISO 27001:2022, was published by ISO on 25th October 2022. This update includes a revised structure for Annex A, aligning it with ISO/IEC 27002:2022 needs, and introduces new control categories, such as threat intelligence, information security for cloud services and ICT readiness for business continuity. Certain outdated controls have been removed or merged to streamline the implementation process.

What are the main changes in ISO 27001:2022?

The overall structure of ISO 27001’s Annex SL clauses has not changed. These clauses include:

• Clause 4 – Context of the organisation
• Clause 5 – Leadership
• Clause 6 – Planning
• Clause 7 – Support
• Clause 8 – Operation
• Clause 9 – Performance evaluation
• Clause 10 – Improvement

The clauses have, however, undergone some changes, including wording, the structure of sentences and some additional new content.

Annex A has had the most significant changes, with the number of controls being reduced from 114 in ISO/IEC 27001:2013 to 93 in ISO/IEC 27001:2022. These controls have been restructured and merged to align into 4 control sections, instead of the previous 14 sections.

What does it mean for me and my business?

Once a business is certified to ISO 27001, it demonstrates that they have implemented a management system to identify, manage and mitigate information security risks.

Cyber attacks are more common than ever, and this updated version of the standard offers confidence and assurance that the organisation has a systematic approach in place to manage information security risks, including those posed by cyber attacks.

It also demonstrates to customers and stakeholders that your organisation takes information security seriously and has structured measures in place to address potential risks.

If you received ISO 27001 certification before October 25th 2022, you will need to adjust your actions moving forward so your organisation is compliant with the new standard requirements.

What are the timescales for transitioning to ISO 27001:2022?

If your business is currently certified to ISO/IEC 27001:2013, you will need to transition to the new standard before the Transition Period Deadline.

A transition audit can be completed at the same time as a surveillance audit or a recertification audit, and may require additional audit time.

This transition period is 36 months, and you have until 31st October 2025 to complete the transition.