Moving from ISO/IEC 27001:2013 to 2022

This article covers the 6 steps on how to transition from ISO/IEC 27001:2013 to 2022 in 6clicks


  1. Download ISO/IEC 27001:2022 Authority Document
  2. Mapping ISO/IEC 27001:2013 to 2022
  3. Pivot ISO/IEC 27001:2013 Assessments
  4. Update Control Sets to ISO/IEC 27001:2002
  5. Preparing a New Statement of Applicability
  6. Business as Usual

Please note: A pre-requisite for this guide is to have existing ISO/IEC 27001:2013 content and data within your 6clicks environment, along with the Growth or Enterprise plan.

This guide and its associated steps may vary between users and is dependent on your data in 6clicks.

Don't know where to start? Check out our expert guide for ISMS Implementation.

This article covers the steps on how to transition from ISO 27001:2013 to 2022 in 6clicks. For more detailed guidance on a particular module, please refer to the corresponding links throughout the article.

Step 1: Downloading the ISO/IEC 27001:2022 Authority Document

To begin, you'll need to download the latest version of the ISO/IEC 27001:2022 authority document from our content library. 6clicks has updated its content library with a new document that includes the mandatory requirements for ISO 27001:2022. The document will help in implementing the revised standard and maintaining your information security. 

Navigate to the Content Library, search for ISO/IEC 27001:2022 and select the Authority document.

Click on it then Add content. You will receive both an in-app and email notification once the content has been loaded into your Compliance module.

For more information on the Content Library, head here.

Step 2: Mapping ISO/IEC 27001:2013 to 2022

Now that both versions of ISO/IEC 27001 are available, Hailey AI mapping can be used to determine the overlap between both versions. This will allow you to see how 2022 differs from 2013 and where the gaps are for your organization to address.

To do this, navigate to the Compliance module and select ISO/IEC 27001:2013.

Select the Mappings tab and click the Map provisions button. Select the new version and leverage Hailey AI to complete the mapping, followed by viewing the results.

This completes the mapping process. You can now review the mappings, where you can decide to unlink mappings where appropriate.

For more detailed instructions on compliance mapping, please see this article.

Step 3: Pivot previous ISO/IEC 27001:2013 Assessments

Once you've completed the mapping, you can pivot previous assessment results against ISO/IEC 27001:2013 to the new version. This takes advantage of the mapping generated in the previous step to show your performance against the new version based on your previous assessments.

Please note: A pre-requisite for this step is to have existing ISO/IEC 27001:2013 assessment data in 6clicks.

New customers have the option to import historic assessments should they wish to take this step.

To do this, navigate to the Analytics module and run either of the reports below depending whether the historic assessment was an RBA or QBA.

When running either of the above dashboards, you will need the mandatory filters as below and then click apply to generate the results.

  • Source Authority: ISO/IEC 27001:2013
  • Target Authority: ISO/IEC 27001:2022

The additional filters will allow you to drill-down to specific assessments or assessment fields.

Below are screenshots of the Authority to Assessment Dashboard with sample data.

Step 4: Update Control Sets to ISO/IEC 27001:2022

The next step is to update your internal Controls and Policies in line with the 2022 version. To do this, you can start by using Hailey again to map you Control Sets to the new version. This will trigger an AI-powered Gap Analysis and allow you to start workflows to remediate any gaps where appropriate.

To do this, navigate to the Controls module and select the relevant Control Set, ensuring it's in Edit mode. Navigate to the Mappings tab then select Create new mapping.

Select the ISO/IEC 27001:2022 Authority and click Scan.

Hayley will now map your control set to the new version. You will receive both an in-app and email notification when this is complete.

From here, you'll begin the process of mapping your existing controls to the new version. Controls with a similarity rating of 85% and above will be automatically mapped, whereby the others will require a manual link.

For more information on Control Set mapping, please refer to this article.

Please note: you will need to do this for each of your Control Sets that are relevant to ISO/IEC 27001.

Once all relevant Control Sets are mapped, you can pivot the mapping to view it from the perspective of ISO/IEC 27001:2022 provisions.

This will allow you to identify provisions within the new version that are not addressed by your current internal Control Sets and Policies. Issues and Actions can then be raised to remediate these gaps and ensure the organisation achieves compliance.

For more information on Gap Analysis, please refer to this article.

Once the gaps have been addressed, Publish the relevant Control Sets in order to roll out the updates across the organisation.

Step 5: Preparing a new Statement of Applicability 

Now that you've closed the gap in your internal control sets and policies, the next stage is to prepare a new Statement of Applicability (SoA) against the current standard. This is the final step in the transition process, enabling you to assess your current state and act based on the findings.

6clicks provides an ISO/IEC 27001:2022 SoA template which can be added directly from our content library. Simply navigate to the content library, use the search bar, and add using the star.

Once you've added the content, create a new Requirement Based Assessment using the above template.

Assign both a name and respondent to your assessment, then click create. 

You now have the option to modify the questions or include your own. For more guidance on modifying assessments, click here.

Once you have assigned the appropriate access members and due date, proceed publishing the assessment.

Now that your assessment has been published, you will now conduct the assessment within 6clicks. Click +Add Response to get started.

The below links will direct you to complete and then report on the SoA assessment.

Step 6. Business as usual

Once you've completed all of the above items, you're now in a position to conduct ongoing risk and compliance management against the new version. 

You may also consider repeating the above mapping and updating control sets to the ISO/IEC 27001:2022 Annex A authority, along with running additional internal audits via assessments. The relevant content can be found within the content library.