ISO 27001 Information Security Management System sets a framework to manage and protect sensitive information, including financial information, personal data, and intellectual property, within your organisation. In October 2022, ISO released a new version of ISO 27001, thereby opening a cycle of recertification for many organisations. Here we set out everything you need to know about the transition and make sure you remain certified to ISO 27001 after the end of the transition period.

What are the timings?

ISO 27001:2022 "Information security, cybersecurity and privacy protection — Information security management systems — Requirements" will replace ISO 27001:2013 via a three-year transition period, which ends in October 2025. Until that date, both versions of ISO 27001 remain valid. If you wish to remain certified to ISO 27001, you must transition to the 2022 revision before October 2025.

What do you need to do?

With the new standard now in place, we recommend that all future audits are completed to the requirements of ISO 27001: 2022. This will ensure that your certificate is in place before the end of the transition period.

In order to do this, you should transition your management system to the new requirements of ISO 27001: 2022, including any changes to documentation and evidence of any new or amended processes.

Once completed and to prepare for your Bureau Veritas transition audit, you should also conduct an internal audit and management review. Our certification specialists can help with transition gap analysis.


What has changed?

ISO27001:2022 presents a simplified version of the required controls. The original 114 controls divided into 14 chapters are now reorganised into 93 controls divided over four chapters - organisational, people, physical and technological.

New focus points are now set on prevention, detection and reaction to cyberattacks, as well as data protection (in line with the NIST Cybersecurity Framework).

A number of other changes have been made throughout various requirements. Bureau Veritas can work with you to help identify and implement the changes.

How else can Bureau Veritas help?

We are here to guide you through the transition to ISO 27001: 2022 and ultimately achieve certification to the revised standard. Our services include:

  • Technical advice and guidance: Our ongoing programme of support, education and guidance begins with a free webinar from Bureau Veritas experts. You can watch it here
  • Gas analysis: Identifying any gaps between your existing management system and the requirements of the revised ISO 27001 standard ahead of your transition audit.
  • Transition audit: Your next audit should be completed to the requirements of the revised standard to ensure certification within the transition period.
  • Training: Bureau Veritas offers a wide range of flexible training courses covering all aspects of certification.

Don’t forget, if you are certified to ISO 27001 with another provider, you can switch to Bureau Veritas using our fuss-free transition process to take advantage of benefits from a true global leader.


Please select country prefix
Enquiring about
I have read and understood the terms and conditions of {Personal data protection policy}.
Your personal data is collected by Bureau Veritas UK, having its registered office at Suite 206, Fort Dunlop, Fort Parkway, Birmingham B24 9FD, and is subject to computer processing in order to respond to questions from the media about the Group or its subsidiaries on the basis of your consent, and to respond to customer complaints, on the basis of the service contract that you have entered into with a subsidiary of Bureau Veritas.

Your personal data is intended for the Corporate Communication department or the Quality, Health & Safety and Environment department of the Bureau Veritas Group, depending on the nature of your request, and for their service providers, providing consulting and technical services as well as for the Bureau Veritas IT department. Your personal data will be retained for a period of one year for media requests and three years for customer complaints from your request. Your personal data can be transferred outside the European Union, in countries where Bureau Veritas subsidiaries operate, on the basis of standard contractual clauses established by the European Commission, available on request, by submitting a query here.

Fields marked with an asterisk must be filled in. Otherwise, Bureau Veritas would not be able to answer your questions and/or complaints. In accordance with the Data Protection Act 2018 and the General Data Protection Regulation of 27 April 2016, you have the right to access, rectify and erase any personal data concerning you, as well as the right to limit the processing, the right to oppose to the processing or the right to portability of your personal data. You have the right to withdraw your consent at any time by submitting a query here and unchecking the box dedicated to the collection of your consent. You can exercise your rights online to lodge a complaint to the Information Commissioner’s Office.