ISO 27001 at 20

ISO 27001 marks 20 years as the global security standard. Discover what’s new in the 2022 update and what the 2025 transition deadline means for your organisation.

ISO 27001 at 20: Reflecting on Two Decades of Information Security Excellence

This year marks the 20th anniversary of ISO 27001, the world’s leading information security management standard. Over two decades, ISO 27001 has become a global benchmark for protecting data, reducing cyber risk, and embedding a security culture. As we approach the transition deadline for the 2022 update, now is the perfect time for organisations to take stock of their compliance journey.

What’s Changed: From BS 7799 to ISO 27001:2022

Before ISO 27001 became a global standard, its origins lay in the UK’s own BS 7799, first published in the 1990s. This framework evolved into ISO 27001 in 2005 and quickly gained international recognition for setting out what an effective Information Security Management System (ISMS) should look like.

The most recent version, ISO 27001:2022, modernises the standard for today’s digital landscape. While the management clauses remain largely familiar, the control set has been restructured to reflect new risks, technologies, and ways of working.

Main updates in ISO 27001:2022

  • The number of controls has been reduced from 114 to 93.
  • Controls are grouped into four new categories: organisational, people, physical, and technological.
  • New controls have been introduced to address modern risks such as cloud services, threat intelligence, and remote working.
  • Each control now includes attributes that describe its purpose, making the standard more flexible and user-friendly.

These changes bring ISO 27001 in line with other management system standards through the Annex SL structure, which simplifies integration with frameworks like ISO 9001 (Quality Management) and ISO 22301 (Business Continuity).

Why It Matters for UK Organisations

ISO 27001 remains the gold standard for demonstrating information security maturity, and the 2022 update represents a significant evolution. For UK businesses, this update isn’t optional; it’s a mandatory transition with a clear deadline.

  • Transition deadline: All ISO 27001:2013 certifications will expire on 1 November 2025. After this date, organisations must be certified to ISO 27001:2022.
  • Improved alignment: The new structure makes it easier to integrate with other ISO standards, streamlining management processes.
  • Modern security relevance: Updated controls address emerging threats such as cloud computing, supply chain security, and hybrid working environments.
  • Enhanced business credibility: Certification to the latest version signals strong governance and builds trust with clients, partners, and regulators.

What You Should Be Doing Now

With less than a year until the transition deadline, organisations certified under ISO 27001:2013 should be well underway with their upgrade plans. Here’s how to get started:

  • Confirm your certification status: Check which version of ISO 27001 your organisation is currently certified against and when your next audit is due.
  • Conduct a gap analysis: Compare your existing ISMS against the 2022 control set. Identify any new, merged, or removed controls that affect your environment.
  • Update policies and documentation: Ensure your ISMS documentation reflects new control terminology, roles, and risk management processes.
  • Train your team: Make sure everyone involved in your ISMS, from IT to HR, understands the new structure and control requirements.
  • Engage your certification body: Confirm they are accredited for ISO 27001:2022 and schedule your transition audit well before the November 2025 deadline.
  • Seek expert support: If resources are stretched, external consultants can provide transition planning, control mapping, or pre-audit support to make the process smoother.

Our View / Final Thoughts

Twenty years on, ISO 27001 continues to be the cornerstone of information security best practice. Its evolution shows how adaptable the framework is, maintaining timeless governance principles while responding to modern threats such as AI, remote work, and data sovereignty challenges.

At Data Protection People, we see ISO 27001:2022 not just as a compliance exercise, but as a strategic opportunity. Transitioning effectively strengthens resilience, improves stakeholder trust, and demonstrates that your organisation takes information security seriously.

If your certification is still under the 2013 version, now is the time to act. Our experts can support your transition with ISO audits, staff training, and ongoing compliance support.

FAQs

When do we need to transition to ISO 27001:2022?

All certifications under ISO 27001:2013 will expire on 1 November 2025. Transition audits should be completed before that date to avoid a lapse in certification.

What are the biggest changes in ISO 27001:2022?

The most significant updates are the streamlined control set (from 114 to 93), new control categories, and the addition of modern topics such as cloud security and threat intelligence.

Do all organisations need to adopt the new controls?

Every organisation must review all 93 controls, but not every control will apply. Applicability depends on your ISMS scope and risk assessment.

What happens if we don’t transition in time?

Your ISO 27001:2013 certification will become invalid after November 2025, and you may need to restart the full audit process, which is more costly and time-consuming than a transition audit.

Can DPP help with our ISO 27001 transition?

Yes. Our consultants can guide you through the transition process, from gap analysis and policy updates to training and audit preparation. Get in touch to learn more.
