FAQs about the ISO 27001 2022 revision in Conformio

What is the ISO 27001 2022 revision?

The ISO usually updates its standards every few years. ISO 27001 2022 is the latest version or revision of the standard that will be published sometime in 2022. It will replace the current one, named ISO 27001 2013, as it was last updated in 2013.

What exactly has changed in ISO 27001 2022?

The main part of ISO 27001, i.e., clauses 4 through 10, is not going to change. These clauses include the scope, interested parties, context, Information Security Policy, risk management, resources, training & awareness, communication, document control, monitoring and measurement, internal audit, management review, and corrective actions.

Only the security controls listed in ISO 27001 Annex A will be updated.

In general, the changes are only moderate and were made primarily to simplify the implementation: The number of controls has decreased from 114 to 93, and they are now placed into four sections instead of the previous 14. There are 11 new controls, and while none of the controls were deleted, many controls were merged. For more about these new controls and their requirements, read the article Detailed explanation of 11 new security controls in ISO 27001:2022.

When will the new revision of the standard be published?

Although the update draft was published earlier this year by the ISO, it will not be officially published until sometime later this year, and the exact date has not been set yet. Even after it is officially published, it will take a couple of months for the certification bodies to start using it. This means that any certification audit in 2022 will definitely still use the current 27001 2013 revision of the standard.

What will change in Conformio?

The Risk Register and Statement of Applicability modules will be updated to reflect the ISO 27001 2022 Annex A controls, including automatic suggestions of implementation methods for new and changed controls.

As a result of these updates to controls, some documents will also be adapted, as well as some related modules, like the Register of Requirements and the Internal Audit, to ensure full compatibility with the updated standard.

When will Conformio be updated to the 2022 revision?

As soon as the ISO officially publishes the new standard, it will become available in Conformio. It will be entirely up to you to decide when you will transition to the new version or decide to use it for a new implementation project.

If you are in the middle of the implementation (or already certified) when the 2022 update is officially published, you will still have a lot of time to upgrade. Certification bodies will only start working with the 2022 revision at some point in 2023.

Which version should we implement if we are only starting?

If your existing or potential client expects you to get certified, then you should start as soon as possible; if your project can wait until the end of 2022, then you can wait for the updated standard.

You can use this interactive decision tool to help you determine whether you should start with ISO 27001 2013 or the 2022 revision, depending on your specific needs.

What do we do if we already started the implementation using the ISO 27001 2013 revision?

You can simply finish implementing the current 2013 version and transition to the new 2022 version when you need to.

How will the transition work?

The transition will take you only about two hours and will be completely free of charge. You will be able to start the transition when you are ready, for example, before your first surveillance audit in 2023. Nothing in Conformio will be changed on its own without your consent and involvement.

Our industry experts have prepared an easy-to-use Transition Wizard based on the updated Annex A controls. This wizard will present the exact tasks and then guide you step-by-step through reviewing and approving all suggested changes.

Conformio will automatically create the necessary tasks, update the documents, and guide you through the relevant steps to ensure that you are fully prepared for your next audit.

What do we need to know if we’re already certified?

You will simply need to transition to the new 2022 revision before your next audit in 2023.

If you are not currently using Conformio, but are interested in using it as a hassle-free way to update to the new ISO 27001 2022 revision, we can help you transition your existing ISMS to Conformio. Set up a free consultation here.


