The deadline is looming over the horizon as October 2025 marks end of the validity of ISO 27001:2013 certificates.
Have you made a start on your transition journey? If not, you really should make a start in 2024 to ensure you’re all set well before that final deadline. The first step is to decide if you want to do it yourself or enlist the help of a professional consultant.
For those that want to tackle it yourselves, you’re in luck! As we have just the tool to help: The ISO 27001:2022 Transition Gameplan.
In this weeks’ episode, Steph Churchman, Communications Manager at Blackmores, explains why you need to transition to the 2022 version of the Standard and outlines the 7-step ISO 27001:2022 Transition Gameplan available on the isologyhub.
You’ll learn
- Why do you need to transition to ISO 27001:2022?
- What happens if you don’t transition?
- What is the ISO 27001:2022 Transition Gameplan?
- An overview of the 7-step Gameplan
Resources
In this episode, we talk about:
[00:25] A different host – Steph Churchman, Communications Manager at Blackmores, steps in to cover today’s episode. She’s heavily involved with the development and updating of the isologyhub, and will be explaining one of the latest Gameplan’s: The ISO 27001:2022 Transition Gameplan
[01:15] Why do you need to transition to ISO 27001:2022? The October 2025 deadline is fast approaching, so you really should be making a start in 2024 if you’ve not already.
[01:45] Who needs to transition to ISO 27001:2022? – Basically, anyone who is currently certified under ISO 27001:2013 will have to transition to the updated Standard.
One of the main reasons why we recommend getting a head start on this is , Certification Bodies will undoubtedly have a large demand for transition audits in 2025, when everyone’s rushing to get it done last minute. This results in a shortage of resources from the CB’s, and you may end up struggling to get booked in time.
[02:35] What happens if you don’t transition in time? – The harsh truth is you will lose your ISO 27001 certification.
This then means you’ll be required to go through another Stage 1 and 2 Assessment against the latest version of ISO 27001, which can be costly.
Another key reason is the latest version of ISO 27001 also considers a lot of new technologies that weren’t around back when the last version was published. You can imagine now that there are a lot more cybersecurity risks to consider with all the latest technology that has been released in that time. Put simply, it’s for the benefit of your Information Security to ensure you are adhering to the most recent best practice Standards.
[03:40] What is the ISO 27001:2022 Transition Gameplan? This Gameplan will walk you through the stages of transition, which align to our proven isology® approach. Isology being our methodology for implementing any ISO Standard, based on our 18+ years of experience.
In this Gameplan we provide training videos on the changes to ISO 27001, along with specific training videos covering each of the new Annex A controls that you will need to be familiar with, along with templates and workbooks to take you through the process from beginning to end.
[04:20] Step 1: Plan – Before you begin on your journey, it’s advised to understand the main changes to the standard. We’ve summarised the high-level changes in a previous podcast, and included a quick summary in the first step of the Gameplan.
In this first step, you’ll also find guidance on how to prepare for your Certification Body visit. You really do need to do this early on to help establish a realistic timeline to complete your transition work.
[04:55] Step 2: Discover – At this stage, you need to get to grips with the changes to the Standard. There have been a number of controls changed, and 11 completely new ones added. We did cover a select few of these new controls in a few previous podcasts: #111, #112, #113, #114
In this Discover step we provide a number of awareness videos to explore these new controls and changes in detail, including how they may apply to your business.
We’ve also included a downloadable PDF guide to these changes, in case you’d like to share this information internally.
[05:40] Step 3: Expose – In this step we’ve included an ISO 27001:2022 transition workbook, which will act as a guide for all your transition activities. The first being the conducting of a Gap Analysis against the latest version of the Standard.
After completing this, you will have a much better idea of where your main gaps and vulnerabilities are, so you can start putting the necessary controls in place to ensure compliance with ISO 27001:2022.
We’ve also included a summary of the main Management System documentation that will need to be updated ahead of your transition visit.
[06:20] Step 4: Create – This is the step where you will be implementing those changes as a result of your Gap Analysis. This will also be guided by that workbook, and we have provided some additional templates and resources to aid you.
These include:
- A Statement of Applicability Template
- Annex A Control Mapping
- ISO 27001 Management Review Template
[07:15] Step 5: Launch – It’s not just about updating your documentation, you will obviously need to communicate these changes to the wider business.
In this step we go over a few options for your launch plan – including guidance for both a soft launch and an all-in launch.
To help you decide which one would be the best fit for you, we’ve included a full summary of each method in addition to a pro’s and con’s list for each.
[08:30] Step 6: Engage – The last stages are all about gathering evidence of compliance against new and updated clauses and controls.
In this step we provide some insight into what’s required from your Internal Audits and Management Review ahead of your transition visit.
If you wanted to get some more tips on carrying out internal Audits within your business – we also offer a full Internal Auditor course on the hub that covers the core skills needed to complete those. If you become a member of the hub, you’ll get access to our whole library of resources – which includes a wealth of ISO related tools, templates and training videos.
[09:20] Step 7: Review – This last step will help you prepare for the transition visit with your certification body.
We touch on what you should expect from your Certification Body ahead of the transition visit, and include guidance on carrying out a final Document and evidence check to make sure you’re all good to go.
If you’d like to book a demo for the isologyhub, simply contact us and we’d be happy to give you a tour.
We’d love to hear your views and comments about the ISO Show, here’s how:
- Share the ISO Show on Twitter or Linkedin
- Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.
Subscribe to keep up-to-date with our latest episode’s:
Stitcher | Spotify | YouTube | iTunes | Soundcloud | Mailing List
Anyone with a current ISO 27001:2013 certificate will be required to update and add certain elements in their existing Information Security Management System to ensure compliance to ISO 27001:2022 ahead of the October 2025 deadline.
Over the past few weeks, our mini-series has covered the fundamental changes to the Standard, along with tips on how to plan and Implement the required updates.
Join Mel this week as she explains the final few stages of an ISO 27001 transition, including the Internal Auditing and final preparation ahead of a Certification Body visit.
You’ll learn
- What needs to be audited?
- What do I need to do to prepare for the Certification Body visit?
- How can you get a free copy of ISO 27001:2022?
Resources
In this episode, we talk about:
[00:44] Catch up on the last two episodes before listening to this one: What you need to know to transition to ISO 27001:2022 / What changes need to be Implemented to transition to ISO 27001:2022
[01:00] The last stages are all about gathering evidence of compliance against new and updated clauses and controls
[01:28] Make sure you plan your transition visit well in advance – If you leave it too late you may incur additional fees for more days or possibly even for a full certification if you miss the deadline.
[02:15] This process for transition is fairly consistent among Certification Bodies. It typically includes a Readiness Review and a transition visit where they will review evidence of compliance against the new controls.
[02:45] You can get a free copy if you sign up to our Transition Programme by April 1st 2023)
[02:55] The last stage ahead of the transition visit is Internal Auditing. For those still planning their 2023 Internal Audits, you may wish to Implement the changes earlier in the year with a view to audit the changes in the later half of 2023. Ensure that you allow time to build evidence of compliance ahead of a transition visit.
[03:45] If you need a bit of extra help, we include Internal Auditing within our transition programme – this will typically take 1 day.
[04:30] We can also support you during your transition visit – this could be on-line or on-site, which would depend on your Certification Bodies preference.
[05:20] Currently many Certification Bodies are suggesting a half day for the Readiness Review and another day for the transition. Some may choose to include this transition as a part of their annual Surveillance visit to help save on costs. If you have a Surveillance coming up, it’s worth getting in contact with them to see what they would recommend regarding your transition.
[05:43] We advise that you also ask your Certification Body, when they will be UKAS accredited for ISO 27001:2022 – they may not be ready complete a transition visit until the later half of 2023.
[06:35] For our global listeners, your Certification Body will have an Accreditation Body that needs to verify their ability to conduct transition visits. For the UK this is UKAS, but it may differ for other countries.
[07:15] Don’t leave this until last minute! Based on previous experience with transitions, we’ve found companies that leave it until a few months before the deadline often can’t transition in time, and end up having to pay up for a full Stage 1 and 2 Assessment in order to keep their certification.
Grab a copy of our ISO 27001:2022 Guideline to the changes here:
We’d love to hear your views and comments about the ISO Show, here’s how:
- Share the ISO Show on Twitter or Linkedin
- Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.
Subscribe to keep up-to-date with our latest episodes:
Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List
ISO 27001, The Information Security Standard, was updated in October 2022. While there is a 2-year grace period for transition, we would urge everyone to make a start on implementing the changes to ensure you are compliant with latest best practice standards.
Over the last two episodes, we’ve gone over the key changes and explored the specific clause updates in more detail. As mentioned in the first episode of this mini-series, there have been 11 new controls added to ISO 27001:2022.
Mel is once again joined by Steve Mason, Managing Consultant here at Blackmores, to discuss the 11 new controls added to ISO 27001:2022 and their purpose.
You’ll learn
- What are the 11 new controls in ISO 27001:2022?
- Why have these been added?
- What is their purpose?
Resources
In this episode, we talk about:
[01:00] A quick overview of the key changes – 56 Controls combined into 24 newly titled controls, 11 new controls added and 58 existing controls remained unchanged.
[02:30] We have been over a few of the new controls in ISO 27002:2022 in more detail in a few previous episodes: #111, #112, #113, #114
[02:50] These new controls are nothing to worry about – they are simply aligning the Standard with more modern security considerations. You may already be complying with them!
[03:32] Control A.5.7 Threat intelligence – ‘To provide awareness of the organization’s threat environment so that the appropriate mitigation actions can be taken.’ – This can come from many different sources, such as the NCSC or local police websites. There are also additional tools you can add to detect possible phishing attacks. This also includes consideration to external threats – Information Security is about much more than just protecting data! It also includes physical security.
[05:33] Control A.5.23 Information security for use of cloud services – “To specify and manage information security for the use of cloud services.” – More and more businesses reply on cloud-based computing. It’s important to verify the security of your service provider to ensure it’s adequate. You can check to see if they have any valid Information Security related credentials such as CSA Star, Cyber Essentials, SOC. You could also adopt principles of ISO 27017 (certification for cloud security), ISO 27018 (Protection of PII in the public cloud) and ISO 27701 (PII security Standard).
[08:30] Control A.5.30 ICT readiness for business continuity –‘ To ensure the availability of the organization’s information and other associated assets during disruption’ – There a few standards that could assist with this, including ISO 27031 (ICT readiness for Business Continuity). Those that have ISO 22301 may want to look at how ISO 27001 elements can be integrated and improved in any disaster recovery plans. ISO 27001 needs to be an integral part of any business continuity plans – not just a bolt on. Small business may not want to conduct a full business impact analysis, but should carry out a risk assessment around business continuity at the very least.
[11:30] Control A.5.30 ICT readiness for business continuity – further considerations: A key focus of this part of the Standard is Recovery Time Objectives and Recovery Point Objectives. Overall, the whole business continuity aspect of the updated ISO 27001:2022 may take a bit of work to implement, but you will ultimately be much better off in the event of a disaster or security incident. For further guidance, you may want to check out an older non-certifiable standard, BS 25777 (ICT continuity).
[13:20] Control A.7.4 Physical security monitoring –‘ To detect and deter unauthorized physical access.’ – This can include things like CCTV, access control, swipe cards ect. This also includes the ability and regular practice of monitoring these access methods, for the purpose of detecting any anomalies.
[18:56] Control A.8.9 Configuration management – ‘To ensure hardware, software, services and networks function correctly with required security settings, and configuration is not altered by unauthorized or incorrect changes’ – Configuration for things like a firewall, software, any hardware devices, passwords ect should be documented, explained and monitored on a regular basis to ensure nothing has been changed without notifying the relevant people. ISO 20000 includes a helpful section around configuration if you require further guidance.
[21:41] Control A.8.10 Information deletion – ‘To prevent unnecessary exposure of sensitive information and to comply with legal, statutory, regulatory and contractual requirements for information deletion.’ – This already existed in the Standard, it has simply been clarified further. You will now need to prove that data has been deleted as required, if you use a 3rd party for this, they will need to provide the relevant certificates.
[22:05] Control A.8.11 Data Masking – ‘To limit the exposure of sensitive data including PII, and to comply with legal, statutory, regulatory and contractual requirements.’ – You have 3 options for data masking: Obfuscation, pseudonymisation and annoymisation. This also helps to comply with GDPR requirements.
[24:10] Control A.8.12 Data leakage prevention – ‘To detect and prevent the unauthorized disclosure and extraction of information by individuals or systems.’ – This control has made a return from the 2005 version of ISO 27001. Businesses should have systems in place to monitor any particularly large data downloads – or even possibly large print batches. You should also ensure that you have a secure email system in place as well as VPN’s and regular security training to sure up your security to prevent any potential leaks.
[27:00] Control A.8.16 Monitoring Activities – ‘To detect anomalous behaviour and potential information security incidents.’ – Appropriate monitoring should be in place to detect any potentially dangerous or malicious behavior.
[28:00] Control A.8.23 Web Filtering – ‘To protect systems from being compromised by malware and to prevent access to unauthorized web resources.’ – Your systems should be set up in a way to prevent people from accessing unsecure or unsavory sites. This could include Social Media sites – but be mindful that there may have to be exceptions for marketing or communications personnel for those particular sites.
[28:00] Control A.8.28 Secure Coding – ‘To ensure software is written securely thereby reducing the number of potential information security vulnerabilities in the software.’ – If you have created your own secure coding, be sure to evaluate it against industry professional standards such as OWASP and NIST.
As a reminder, we’ll be running a mini-series through January and February on the updated ISO 27001:2022 in addition to how you can transition to the new version.
Keep an eye out for next weeks episode where we dive into the clause clarifications and control changes of ISO 27001:2022…
We’d love to hear your views and comments about the ISO Show, here’s how:
- Share the ISO Show on Twitter or Linkedin
- Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.
Subscribe to keep up-to-date with our latest episodes:
Stitcher | Spotify | YouTube | iTunes | Soundcloud
Beyond certification, we take great pride in delivering ISO consultancy and support solutions. These solutions help our clients improve their productivity and profitability in a risk-controlled way.
We are your dedicated ISO consultants for all compliance matters from internal audits to updating Health, Safety and Environmental Legal compliance.
No matter what ISO certification you are hoping to achieve, we have a specialist ISO consultant ready to work with you and your organisation. Contact our team today to get started.
Our 7 Steps to Success
The Blackmores ISO Roadmap is a proven path to go from idea to launching your ISO Management System.
Whether you choose to work with one of our ISO Consultants, our isologists®, or work your own way through the process on our isology Hub, we’re certain you’ll achieve certification in no time!
We have a proven step by step process that our ISO Consultants implement as soon as our working relationship begins. We use our specialist skills and industry knowledge to determine what is already on track and where improvements can be made. We live and breathe ISO standards, we know the standards inside out so you don’t have to.
Our ISO Consultants can help you implement systems for any ISO Standard. See the full list for specialised standards here.
What our clients have to say
We engaged Blackmores to develop our ISO 9001, 14001, and 45001 management system from scratch. Throughout the creation and development stages of our ISO journey, Anju Punetha demonstrated remarkable patience, knowledge, and understanding as our dedicated consultant.
During our internal audit preparations, Ian Battersby’s meticulous attention to detail and thorough approach ensured we were well-prepared for our external audit, which we passed with flying colours. His guidance during the external audit was invaluable.
Based on our engagement and experience, I highly recommend the entire Blackmores team. If you’re considering pursuing ISO accreditations, Blackmores should be your first choice.
Graeme Adam
The support and advise I get from our assigned auditors is immense. Forward planning for the following year is great and they are flexible and always willing to help.
Kalil Vandi
“Blackmores have assisted us almost since the start of our adoption of the ISO 9001 quality standard. Their input has improved our processes since the start, and enabled our goal of continuous improvement to be achieved. The people are also extremely easy to get on with, and they really understand our business, giving us a great deal of confidence in their advice.”
David Gibson
“Blackmores are the perfect bridge between working on your ISO as an individual or company, to being audited each year. We find that any queries we have are covered and we feel sure that we have everything as needs be before going into an external audit.”
Mandy Welsby
“We have been extremely impressed with the service and support provided by Blackmores. There knowledge and assistance through out our ISO journey has been amazing!”
Philip Hannabuss
“Blackmores have really kept us on our toes with the broad scope and level of detail they apply to our internal audit schedule. They always stay abreast of ISO standard changes and help us to adapt our processes and documents to embrace these changes accordingly. Having Blackmores shadow our external audits provides invaluable confidence and peace of mind – would highly recommend their services!”
Phil Geens
“Our ISO 27001 certification project has gone so well, that there was no doubt in who we were going to ask to help us with our aspirations of becoming ISO 14001 certified. It’s been an absolute pleasure working with Blackmores, and we are really looking forward to working with them for the foreseeable future.”
Trusted by leading organisations across all sectors, we support companies of all sizes in any location.
Listen to our Podcast
Welcome to the ISO Show podcast, dispelling myths and sharing tips for success to improve your business with ISO Standards. Join us to hear interviews with successful business leaders as they share their ISO journey with you.
Get top tips via audio master classes “ISO Steps to Success” on the most popular ISO Standards.
