
ISO/IEC 27001 TRANSITION INFORMATION 

What Happens If Your Business Changes During This Time?

Don't be concerned. Here at Advanced Certification we are used to organisations changing on a regular basis, including additional locations and activities, increases or decreases in headcount, changes of name, or the addition or change of organisation processes and scope.

We can provide you with all of the options to change and adapt your scope, standards and management system to suit your business requirements. All we request is that you let us know as soon as possible if anything changes.

Contact our friendly admin team, or email sales@advancedcertification.co.uk, and they will help to collect the information required for a change to your management system.

ISO/IEC 27001 Information Security

Transition to new version of the standard

ISO/IEC 27001:2013 → ISO/IEC 27001:2022

ISO/IEC 27001:2022, "Information security, cybersecurity, and privacy protection — Information security management systems — Requirements", was released in October 2022 and is replacing ISO/IEC 27001:2013 via a three-year transition period.

All organisations that wish to remain certified to ISO/IEC 27001 will need to transition to the 2022 revision of the standard within the set transition period which ends in October 2025.

Both versions of the ISO/IEC 27001 standard remain valid and audits to either version of the standard may be conducted subject to the rules noted below, but plans should be made for an organisation’s transition to fully occur prior to the transition period ending.

  • All initial (new) certifications should be to the ISO/IEC 27001:2022 edition after this date, and all recertification audits are recommended to use the ISO/IEC 27001:2022 edition after this date.


  • AC will continue to accept applications for certification and issue new certificates against the ISO/IEC 27001:2022 standard.


  • Initial certification and recertification by AC to ISO/IEC 27001:2022 only, to begin no later than 30 April 2024.


  • 31 October 2025: transition period ends.


  • Certificates for ISO/IEC 27001:2013 will no longer be valid after this date.


Organising for your ISO/IEC 27001 Transition:


  • Organisations must transition their management system to the requirements of ISO/IEC 27001:2022 before their transition audit is conducted. This should include any documentation changes, along with evidence of any new or changed process requirements.

  • Of note, organisations must conduct an internal audit and management review of the new/changed requirements prior to the AC transition audit being conducted.


Your ISO/IEC 27001 Transition Audit:

  • All organisations must have a transition audit to confirm the implementation of the revised standard. The transition audit may be conducted in conjunction with an existing audit or may be a stand-alone audit.

  • If the transition audit is conducted in conjunction with an existing surveillance audit (a transition surveillance) or recertification audit (a transition re-assessment), IAF MD 26 requires additional audit time to be added to the audit duration to cover the new requirements and concepts introduced by ISO/IEC 27001:2022, as follows:

    • Minimum of 0.5 auditor day for the transition audit when it is carried out in conjunction with a recertification audit.

    • Minimum of 1.0 auditor day for the transition audit when it is carried out in conjunction with a surveillance audit or as a separate audit.

  • If a standalone audit is carried out for the transition audit, the duration will be calculated on an individual organisation basis.

  • For a transition from ISO/IEC 27001:2013 to ISO/IEC 27001:2022 we need a new, signed Contract Acceptance.

  • The contract should be completed like a transfer (retain the previous cycle dates).

  • Advanced Certification may conduct the transition audit in conjunction with the surveillance audit, recertification audit or through a separate audit.

  • The transition audit shall not rely solely on document review, especially when reviewing the technological information security controls.

  • The transition audit shall include, but not be limited to, the following:

    • The gap analysis against ISO/IEC 27001:2022, as well as the need for changes to the client's ISMS.

    • The updating of the statement of applicability (SoA).

    • If applicable, the updating of the risk treatment plan.

    • The implementation and effectiveness of the new or changed information security controls chosen by the client.


Your Certificate:

  • When the certification document is updated following successful completion of the transition audit, the expiry date of the current certification cycle will not be changed.
