The transition period from ISO 27001:2013 to ISO 27001:2022 is entering its final phase. Organizations certified under the 2013 version must complete their transition by October 31, 2025 — a deadline that many Indian companies have already missed or are at risk of missing. For those still in transition, the window is tight but achievable with focused effort.
The most significant structural change in ISO 27001:2022 is the reorganization of Annex A controls from 14 categories to 4 themes: Organizational (37 controls), People (8 controls), Physical (14 controls), and Technological (34 controls). The total control count decreased from 114 to 93, but 11 new controls were added, including threat intelligence, cloud security, ICT readiness for business continuity, and data masking.
The new controls reflect the current threat landscape. Control A.5.7 (Threat Intelligence) requires organizations to collect and analyze threat intelligence relevant to their operations. This doesn't necessarily mean standing up a threat intel program — it means demonstrating that security decisions are informed by current threat data. Subscribing to CERT-In advisories and incorporating sector-specific threat briefings into risk assessments satisfies the basic requirement.
Control A.8.23 (Web Filtering) and A.8.28 (Secure Coding) formalize practices that many organizations already follow informally. The key is documentation — auditors will look for evidence that these practices are defined in policy, implemented in practice, and measured for effectiveness. If your developers already follow OWASP guidelines but it's not documented, that's a gap.
For the transition itself, we recommend a phased approach: weeks 1-2, conduct a gap analysis mapping your existing controls to the 2022 structure; weeks 3-6, update your Statement of Applicability and risk treatment plan; weeks 7-10, implement any new controls and update documentation; weeks 11-12, conduct an internal audit against the new standard. This timeline assumes an organization with a mature ISMS — less mature organizations should plan for 16-20 weeks.
Common pitfalls in transition: treating it as a documentation exercise rather than an operational improvement, underestimating the effort required for new controls like threat intelligence, and attempting to maintain dual compliance during the transition period. The most successful transitions we've supported treat the new standard as an opportunity to eliminate accumulated technical debt in the ISMS.