The transition from ISO/IEC 27001:2013 to ISO/IEC 27001:2022 marked an important evolution in information security management. The updated standard revises the clause wording and reorganises Annex A, reducing the total number of controls from 114 to 93 by merging existing controls, grouping them into four themes (organisational, people, physical and technological) and adding eleven new controls. The new controls address modern security challenges such as cloud services, threat intelligence and secure development.
Organisations that were already certified under the 2013 version were required to transition their Information Security Management System (ISMS) to the updated standard within the three-year transition period, which ended on 31 October 2025. Certification bodies have since conducted numerous transition audits, evaluating whether organisations have effectively aligned their ISMS with the new requirements.
Based on audit observations across multiple industries, several recurring nonconformities have emerged during transition audits. Understanding these findings can help organisations prepare more effectively and ensure a smoother transition to ISO/IEC 27001:2022.
This article highlights common nonconformities observed by certification body auditors, along with examples of major and minor findings that organisations frequently encounter.
A transition audit assesses whether an organisation’s existing ISMS has been properly updated to comply with ISO/IEC 27001:2022 requirements.
Unlike initial certification audits, which examine the ISMS as a whole, transition audits focus on the changes introduced by the 2022 edition: the revised clause wording, the reorganised Annex A control set and the new controls, and the documents and processes that had to change as a result, in particular the risk assessment, the Statement of Applicability, policies and the internal audit programme.
While many organisations transition with minimal issues, auditors frequently identify gaps resulting from incomplete updates or misunderstandings of the revised requirements.
Risk assessment remains the foundation of the ISMS. One of the most common issues observed during transition audits is when organisations fail to review and update their risk assessment methodology and results after transitioning to the new version of the standard.
In many cases, organisations continue using risk assessments created under the previous standard without reviewing them in light of new threats, technologies, or updated control structures.
A typical observation is that the risk treatment plan still maps risks to 2013 control identifiers, so the risk assessment and the Statement of Applicability no longer refer to the same control set. Example finding:
Minor Nonconformity
The organisation updated its Statement of Applicability to reflect the ISO/IEC 27001:2022 control structure. However, the risk assessment and risk treatment documentation still reference Annex A controls from the 2013 version, indicating that the risk assessment was not re-aligned with the updated standard.
The Statement of Applicability (SoA) is a critical document within the ISMS, as it explains which controls are implemented and why.
During transition audits, certification bodies frequently find that organisations update the control numbering but fail to properly reassess the applicability of controls under the new structure.
Common issues include controls carried over as applicable without the justification being reassessed, and controls declared applicable and implemented when no implementing evidence exists. Example finding:
Major Nonconformity
The organisation’s Statement of Applicability references the updated ISO/IEC 27001:2022 control structure; however, multiple listed controls were found not to be implemented during the audit. This indicates that the SoA does not accurately reflect the current implementation status of security controls within the ISMS.
ISO/IEC 27001:2022 introduces eleven controls with no direct equivalent in the 2013 edition: 5.7 Threat intelligence, 5.23 Information security for use of cloud services, 5.30 ICT readiness for business continuity, 7.4 Physical security monitoring, 8.9 Configuration management, 8.10 Information deletion, 8.11 Data masking, 8.12 Data leakage prevention, 8.16 Monitoring activities, 8.23 Web filtering and 8.28 Secure coding.
Some organisations update documentation to reference these controls but fail to demonstrate practical implementation or operational evidence.
Auditors frequently observe that a new control is named in a policy, but no procedure, records or operating evidence show it actually being performed. Example finding:
Minor Nonconformity
The organisation documented a policy referencing the control for threat intelligence; however, no formal process or documented procedure was available demonstrating how threat intelligence information is collected, analysed, or used within the ISMS.
Internal audits play a critical role in verifying the effectiveness of the ISMS.
During transition audits, certification bodies often discover that organisations conducted internal audits using old checklists aligned with ISO/IEC 27001:2013, without evaluating the changes introduced in the 2022 version.
Common issues include internal audit checklists that still follow the 2013 clause and control numbering and therefore never examine the new or changed controls, so the internal audit provides no assurance about the transition. Example finding:
Minor Nonconformity
An internal audit was conducted before the transition audit; however, the checklist used was aligned with ISO/IEC 27001:2013 and did not evaluate the new or updated controls introduced in ISO/IEC 27001:2022.
Documentation is an essential component of the ISMS, but auditors often find discrepancies between documented procedures and actual practices.
Examples observed during transition audits include policies and procedures that still cite 2013 control identifiers, and documents whose described practice no longer matches what staff actually do.
These issues can indicate weaknesses in document control and ISMS governance.
Minor Nonconformity
The information security policy references control identifiers from ISO/IEC 27001:2013. The organisation has transitioned to ISO/IEC 27001:2022, but the policy has not yet been updated to reflect the revised control structure.
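The following Python script is an added example, not part of the original article or of any certification body's audit tooling. It addresses the two findings above (a risk assessment and a policy that still cite 2013 control identifiers): it scans ISMS documents for Annex A identifiers, classifies each as 2013-style (three levels, or two levels outside themes 5 to 8), 2022-style or unknown, reports stale references with their line numbers, and cross-checks which 2022 controls declared in the SoA are never cited as a risk treatment. The sample documents are constructed for illustration. It assumes that Annex A references carry the "A." prefix (bare numbers such as 6.1.2 are skipped because they may be clauses of the main standard rather than controls) and that a two-level identifier in themes 5 to 8 is a 2022 control; a few of those numbers (A.5.1, A.6.1 to A.6.2, A.7.1 to A.7.3, A.8.1 to A.8.3) were also 2013 objective headings, so a reviewer should confirm those by title.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Annex A of ISO/IEC 27001:2022: theme number -> count of controls in that theme.
# 37 + 8 + 14 + 34 = 93 controls, identified A.5.1 ... A.8.34.
CONTROLS_2022 = {5: 37, 6: 8, 7: 14, 8: 34}

# Annex A of ISO/IEC 27001:2013 used domains A.5 ... A.18, with three-level
# control identifiers (A.9.2.3) grouped under two-level objectives (A.9.2).
DOMAINS_2013 = range(5, 19)

# Only identifiers with the "A." prefix are treated as Annex A references.
# Bare numbers such as "6.1.2" are deliberately ignored: they may be clauses
# of the main standard rather than controls (an assumption of this example).
_ID_RE = re.compile(r"\bA\.(\d{1,2})\.(\d{1,2})(?:\.(\d{1,2}))?(?!\w|\.\d)")


@dataclass(frozen=True)
class ControlRef:
    document: str
    line: int
    identifier: str
    style: str  # "2022", "2013" or "unknown"


def classify(first: int, second: int, third: Optional[int]) -> str:
    """Decide which edition an Annex A identifier belongs to."""
    if third is not None:
        # Three-level identifiers only ever existed in the 2013 edition.
        return "2013" if first in DOMAINS_2013 else "unknown"
    if first in CONTROLS_2022:
        # Assumption: a two-level identifier in themes 5-8 is a 2022 control.
        # A.5.1, A.6.1-A.6.2, A.7.1-A.7.3 and A.8.1-A.8.3 were also 2013
        # objective headings, so confirm those few by their titles.
        return "2022" if 1 <= second <= CONTROLS_2022[first] else "unknown"
    if first in DOMAINS_2013:
        # e.g. A.9.2: a 2013 objective number with no 2022 counterpart.
        return "2013"
    return "unknown"


def find_control_refs(document: str, text: str) -> list:
    """Extract every Annex A identifier in a document, with its line number."""
    refs = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in _ID_RE.finditer(line):
            first, second = int(m.group(1)), int(m.group(2))
            third = int(m.group(3)) if m.group(3) else None
            refs.append(ControlRef(document, lineno, m.group(0), classify(first, second, third)))
    return refs


def stale_references(docs: dict) -> dict:
    """Per document, the references that still use 2013 identifiers."""
    stale = {}
    for name, text in docs.items():
        found = [r for r in find_control_refs(name, text) if r.style == "2013"]
        if found:
            stale[name] = found
    return stale


def soa_controls_without_risk_link(soa_text: str, risk_text: str) -> set:
    """2022 controls declared in the SoA that no risk treatment cites.

    Not every applicable control must trace to a specific risk, but a control
    with no risk link is one to justify explicitly before the audit."""
    soa = {r.identifier for r in find_control_refs("SoA", soa_text) if r.style == "2022"}
    risk = {r.identifier for r in find_control_refs("risk", risk_text) if r.style == "2022"}
    return soa - risk


# Constructed sample documents, mirroring the findings discussed in the article.
SAMPLE_DOCS = {
    "Statement of Applicability": (
        "A.5.7 Threat intelligence: applicable, see threat intelligence procedure\n"
        "A.8.5 Secure authentication: applicable, see authentication standard\n"
        "A.8.28 Secure coding: applicable, see secure development standard\n"
    ),
    "Risk assessment": (
        "R-12 privileged account misuse: treated by A.9.2.3\n"
        "R-13 unpatched servers: treated by A.12.6.1\n"
        "R-14 credential phishing: treated by A.8.5\n"
    ),
    "Information security policy": (
        "Access control is governed by A.9.1 and A.9.4.\n"
        "Clause 6.1.2 of ISO/IEC 27001:2022 defines the risk assessment process.\n"
    ),
}

if __name__ == "__main__":
    for doc, refs in stale_references(SAMPLE_DOCS).items():
        for r in refs:
            print(f"{doc}, line {r.line}: {r.identifier} is a 2013 identifier")
    unlinked = soa_controls_without_risk_link(
        SAMPLE_DOCS["Statement of Applicability"], SAMPLE_DOCS["Risk assessment"])
    print("SoA controls with no risk treatment link:", sorted(unlinked))
```

Run against exported text of the real SoA, risk register and policy set, the stale-reference report is the list of documents that would have produced the minor nonconformities above, and the unlinked-control list is a prompt to record a justification for each before the auditor asks for one.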
Another recurring issue during transition audits is ineffective handling of previous findings or incidents.
Organisations sometimes implement corrective actions that address symptoms rather than root causes.
Typical issues include corrective actions closed on the basis of a one-off fix, with no root cause analysis and no later check that the fix has held. Example finding:
Major Nonconformity
A nonconformity identified during the previous surveillance audit regarding access control review was marked as closed. However, evidence during the transition audit shows that the same issue persists, indicating that the corrective actions implemented were not effective in addressing the root cause.
ISO/IEC 27001 requires top management to review the ISMS at planned intervals (clause 9.3) to confirm its continuing suitability, adequacy and effectiveness.
During transition audits, auditors sometimes observe that management reviews did not consider the transition itself or the effect of the changed control set on the ISMS. Example finding:
Without effective management oversight, the ISMS may not receive the necessary strategic direction.
Minor Nonconformity
Management review records did not include a discussion of the organisation’s transition to ISO/IEC 27001:2022 or an evaluation of the impact of updated controls on the ISMS.
Certification bodies classify audit findings based on their impact on the effectiveness of the ISMS.
A major nonconformity indicates a significant failure to meet a requirement of the standard or a breakdown of the ISMS.
Examples include a Statement of Applicability that does not match what is actually implemented, and a corrective action recorded as closed while the underlying nonconformity persists.
Major nonconformities usually require corrective action and verification of its effectiveness before certification or transition approval can be granted.
A minor nonconformity represents a limited lapse in implementation that does not significantly affect the overall effectiveness of the ISMS.
Examples include risk assessment documentation or policies that still cite 2013 control identifiers, an internal audit checklist that omits the new controls, or a management review that did not address the transition.
Minor nonconformities typically require a corrective action plan, with the action completed within a defined timeframe.
Organisations can significantly reduce transition audit findings by taking several proactive steps.
A gap analysis helps identify areas where the existing ISMS does not fully align with ISO/IEC 27001:2022 requirements.
Ensure that the SoA accurately reflects the 2022 control set, the applicability decision and justification for each control, and each control's current implementation status.
Risk assessments should be reviewed to ensure they remain relevant and aligned with the updated control framework.
Internal audits should verify that all changes introduced by the updated standard have been properly implemented.
Organisations should focus on root cause analysis and verification of corrective action effectiveness.
Transitioning to ISO/IEC 27001:2022 requires more than simply updating documentation or renumbering controls. Organisations must ensure that their ISMS processes, risk management practices and security controls are effectively aligned with the updated requirements.
Certification body auditors frequently observe recurring nonconformities related to outdated risk assessments, incomplete Statements of Applicability, weak internal audit programs and insufficient evidence of control implementation.
By conducting thorough internal reviews and ensuring proper implementation of updated controls, organisations can successfully navigate transition audits and maintain a robust and effective Information Security Management System.
As a UKAS-accredited certification body, Risk Associates provides independent certification services for organisations implementing Information Security Management Systems. Risk Associates is accredited by UKAS (United Kingdom Accreditation Service) as an ISO/IEC 17021-1:2015 management system certification body to certify organisations against ISO/IEC 27001:2022 for Information Security Management Systems (ISMS). Through rigorous and impartial auditing, Risk Associates supports organisations in demonstrating compliance with internationally recognised information security standards.