The ISO 27001:2022 certification standard was released in October 2022. It has replaced the ISO 27001:2013 edition via a three-year transition period, which ends on October 31, 2025. Companies with an ISO 27001:2013 certification are required to transition to ISO 27001:2022 by October 31, 2025. All ISO 27001:2013 certifications will expire or be withdrawn at the end of the transition period.
It is imperative for companies to connect with their ISO 27001 Certifying Body to undergo a transition audit and confirm that they comply with the new security requirements applicable to the ISO 27001 standard.
By May 1, 2024, all new certifications must be issued against the ISO 27001:2022 edition by the certifying bodies. After this date, all recertification audits must also utilize the ISO 27001:2022 edition. While there are changes to the list of controls, ISO 27002:2022 also defines a purpose for individual controls to better explain each control’s intent. The options for the existing and new customers are given below.
If you are a current ISO 27001-certified organization:
a) If your full recertification audit is due before May 1, 2024:
-
-
-
- You could continue with the 2013 version
- You could transition to the 2022 version
-
-
b) If your full recertification audit is due after May 1, 2024, you can only be certified against ISO 27001:2022
c) If your surveillance audit is due before Oct 31, 2025
-
-
-
- You have the choice to continue with your 2013 version
- You also have the option to transition to 2022 and get your transition to 2022 audit completed along with your surveillance audit
-
-
d) However, all transition audits to 27001:2022 need to be completed by Oct 31, 2025 from the ISO 27001:2013 version.
If you are considering getting ISO 27001 certified:
-
-
-
- You can get the 2013 version certified until May 1, 2024
- After May 1, 2024 you can get certified only against the 2022 version
-
-
Changes to ISO 27001:2022
A summary of the changes to the ISO 27001 standard are:
Changes have been made to the following requirements:
-
-
-
- 4.2 Understanding the needs and expectations of interested parties
- 4.4 Information Security Management System
- 6.2 Information security objectives and planning to achieve them
- 6.3 Planning of changes
- 8.1 Operational planning and control
- 9.1 Monitoring, measurement, analysis and evaluation
- 9.3.2 Management review inputs
- 10 Improvement
-
-
Annex A controls
-
-
-
- The overall number of controls within Annex A is now 93 compared to the 114 controls in the previous edition.
- They have been regrouped from 14 control objectives to 4 broad themes: Organizational, People, Physical, and Technological Controls.
- Several previous controls have been consolidated into broader new controls, and 11 new controls have been added, including:
-
-
-
-
-
- Threat Intelligence
- Information Security for the use of Cloud Services
- Physical Security Monitoring
- Configuration Management
- Information Deletion
- Data Masking
- Data Leakage Prevention
- Web Filtering
- Secure Coding
-
-
In ISO 27002:2022, there are five control attributes that include:
-
-
-
- Control Type
- Information Security Properties
- Cybersecurity Concepts
- Operational Capabilities
- Security Domains
-
-
Transition Audit Timelines
As per the guidelines of the IAF, certifying bodies are required to ensure their clients are made aware of the Transition Audit timelines as outlined below:
-
-
-
- Minimum of 0.5 auditor days for the transition audit when it is carried out in conjunction with a recertification audit
- Minimum of 1.0 auditor day for the transition audit when it is carried out in conjunction with a surveillance audit or as a separate audit
- When the certification document is updated because the client successfully completes only the transition audit, the expiration of their current certification cycle will not be changed.
- All certifications based on ISO/IEC 27001:2013 shall expire or be withdrawn at the end of the transition period.
-
-
Prepare for your ISO 27001 Transition Audit
B2B contracts that are based on the ISO 27001 standard require clients to maintain the validity of their certification. As per the IAF guidelines, certified organizations have the option to undergo their transition audit while their ISO 27001:2013 certification cycle is valid. When they apply for recertification, they must undergo their certification audit per ISO 27001:2022 edition.
To ensure that you comply with the new controls and documentation requirements, your organization needs to prepare for the transition audit and ensure that your ISMS complies with ISO 27001:2022 controls and processes.
To ensure you are ready for your transition audit, you need to conduct an internal audit for a thorough gap analysis. This can be done with an organization that offers consulting services and is aware of the protocols of the ISO 27001:2022 edition. Organizations that provide consulting services are not authorized to offer certification services.
It is advisable to prepare for your annual surveillance audit along with your transition audit since the IAF guidelines highlight the importance of completing them together before your ISO 27001:2013 certification expires. Preparing for both will also ensure that you are poised to succeed in your recertification audit and maintain your certification status. This will ensure you are compliant with the security requirements of your B2B contracts that rely on it.
Undergo your Transition Audit and ISO 27001:2022 Certification with databrackets
databrackets holds the distinction of being recognized as an authorized certifying body for ISO 27001:2022 by IAS Online. Our certification is consistently renewed as per IAF Guidelines, and it is a testament to our commitment to excellence in information security management.
This prestigious certification signifies that our team of ISO Auditors possesses the expertise, rigor, and credibility to assess and confirm your organization’s compliance with the latest ISO 27001 standards.
Our certification services not only validate that you have implemented robust security measures to protect sensitive data but also provide assurance to stakeholders, clients, and partners that their information assets are in trustworthy hands. Our role as an authorized certifying body highlights our dedication to promoting best practices in data security and helping businesses navigate the complex landscape of information security management.
Contact us to book your transition audit from ISO 27001:2013 to ISO 27001:2022 today!
Related Links:
Technologies To Detect And Prevent Ransomware Attacks
Sources of Ransomware Attacks on Healthcare Systems
What are the new controls added to ISO 27001 in 2022?
How to Select a Security Vendor
Author: Srini Kolathur, Director, databrackets.com
The technical information presented in this blog has been carefully reviewed and verified by our Director, Srini Kolathur. Srini is results-driven security and compliance professional with over 20 years of experience supporting, leading, and managing global IT security, compliance, support, and risk assessment in fortune 100 companies. Some of his key areas of focus are SOC 2, ISO 27001, NIST 800-171, NIST 800-53, NIST Cybersecurity Framework, HIPAA, Security Risk Assessment, CMMC 2.0 among others. He is a CMMC Registered Practitioner (RP), CISSP, CISA, CISM, MBA. He is active in several community groups including Rotary International and TiE.