Executive Summary
The transition period for the ISO/IEC 27001:2022 standard is rapidly closing. Organizations currently certified under the 2013 standard must upgrade their Information Security Management Systems (ISMS) to remain compliant.
The new iteration introduces significant structural changes to Annex A, merging previous controls and introducing 11 entirely new controls focused on modern threats like cloud security, threat intelligence, and secure coding. This guide outlines the essential steps your organization must take to successfully transition to the 2022 standard before your next surveillance or recertification audit.
Understanding the Structural Changes
The ISO 27001:2022 update is not merely cosmetic. It reflects the massive shift toward cloud computing, remote work, and advanced persistent threats that has occurred over the last decade.
The Overhaul of Annex A
The most visible change is the restructuring of the Annex A controls:
- Total Controls Reduced: The number of controls has decreased from 114 to 93.
- Restructured Themes: The 14 previous domains have been consolidated into 4 distinct themes:
  - Organizational (37 controls)
  - People (8 controls)
  - Physical (14 controls)
  - Technological (34 controls)
The 11 New Controls
To align with modern operational realities, auditors will now be looking for evidence supporting these new additions:
- Threat Intelligence (5.7): You must proactively gather and analyze information about emerging threats.
- Information Security for Use of Cloud Services (5.23): You can no longer rely solely on AWS/Azure defaults. You need an explicit cloud security posture.
- ICT Readiness for Business Continuity (5.30): Ensuring IT systems can recover rapidly from disruptions.
- Physical Security Monitoring (7.4): Enhanced surveillance and alarm systems.
- Configuration Management (8.9): Strict baseline configurations for all hardware and software.
- Information Deletion (8.10): Formal processes for cryptographically wiping data.
- Data Masking (8.11): Obfuscating PII in testing environments.
- Data Leakage Prevention (8.12): Active monitoring tools to prevent exfiltration.
- Monitoring Activities (8.16): Network and system anomaly detection.
- Web Filtering (8.23): Restricting access to malicious external sites.
- Secure Coding (8.28): Integrating security into the SDLC (Software Development Life Cycle).
Practical Guidance: Managing the Transition
Upgrading to the 2022 standard requires methodical execution.
Step 1: Conduct a Delta Assessment
Begin by performing a gap analysis against the 11 new controls. For many organizations, the technical capabilities (like Web Filtering) might already exist, but the formal policy tying them to the ISMS does not. Document what is missing.
Step 2: Update the Statement of Applicability (SoA)
Your SoA is the heart of your ISO 27001 certification. You must rewrite your SoA to follow the new 93-control structure of the 2022 standard. Map your existing 2013 controls to the new format using a transition matrix.
Step 3: Revise Policies and Gather Evidence
Draft new policies to cover the gaps identified in Step 1. More importantly, begin generating the objective evidence required by auditors. If you claim to use Threat Intelligence, you must show the auditor the reports you consume and the resulting infrastructure changes you made.
Step 4: Execute an Internal Audit
Before scheduling your external transition audit, you must test the new ISMS yourself. Conduct a comprehensive internal audit specifically targeting the integration of the new controls.
Expert Insights: The Threat Intelligence Trap
A common failure point we see in transition audits involves Control 5.7 (Threat Intelligence). Organizations often assume that subscribing to an automated vulnerability feed satisfies this requirement.
It does not. External auditors are looking for applied intelligence. If a zero-day vulnerability is announced in your firewall hardware, the auditor wants to see the ticket where that intelligence was ingested, assessed for impact, and patched. The intelligence must trigger an internal action.
Transition Successfully with ITIS-Secure
Navigating the transition from 2013 to 2022 while maintaining daily business operations is a heavy lift. Our compliance architects utilize proven transition matrices and policy templates to guarantee a zero-friction upgrade.

About Iulian Bozdoghina
Lead Auditor and Consultant
"Iulian Bozdoghina is a veteran cybersecurity strategist with over 15 years of experience in securing automotive supply chains and critical infrastructure. He specializes in TISAX®, ISO 27001, and the emerging NIS2/DORA regulatory landscape."