ISO 27001:2022 TRANSITION GUIDANCE FOR CLIENTS
ISO/IEC 27001:2022 “Information security, cybersecurity and privacy protection – Information security management systems – Requirements” was released in October 2022 and is set to replace ISO 27001:2013 in a three-year transition period. All organizations that wish to remain certified to ISO 27001 will need to transition to the 2022 revision of the standard within the set transition period which is expected to end in October 2025.
The overall allowable transition period is expected to be three years (i.e., from October 2022 through October 2025).
During that period both versions of the ISO/IEC 27001 standard remain valid and audits to either version of the standard may be conducted subject to the rules noted below, but plans should be made for an organization’s transition to fully occur prior to the transition period ending.
Detailed Transition Period
• October 25th, 2022 – ISO/IEC 27001:2022 release date
• October 31st, 2022 – Transition Period begins
• May 1st, 2024 – All initial (new) certifications should be to the ISO/IEC 27001:2022 edition after this date, and all recertification audits are recommended to use the 27001:2022 edition after this date.
o Johanson Group will continue to accept applications for certification and issue new certificates against the 27001:2013 standard until this date.
• July 31st, 2025 – All transition audits should be conducted by this date
• October 31st, 2025 – Transition period ends
ISO/IEC 27001:2022 Change Analysis
Changes within the ISO/IEC 27001 standard have been made to better align with the structure for management system standards.
Changes have been made in the following requirements:
• 4.2 Understanding the needs and expectations of interested parties
• 4.4 Information security management system
• 6.2 Information security objectives and planning to achieve them
• 6.3 Planning of changes
• 9.1 Monitoring, measurement, analysis and evaluation
• 9.3.2 Management review inputs
• The Annex A controls have been regrouped from 14 control objectives to 4 themes that include: Organizational, People, Physical and Technological Controls
• The overall number of controls within Annex A has changed from 114 controls to 93.
• 11 new controls have been added, including:
o Threat intelligence
o Information security for use of cloud services
o Physical security monitoring
o Configuration management
o Information deletion
o Data masking
o Data leakage prevention
o Web filtering
o Secure coding
• 57 controls have been merged and 1 control was split.
• 23 controls were renamed.
• 35 controls stayed the same
• ISO/IEC 27002:2022 introduced 5 control attributes used to categorize controls in different ways:
o Control Type
o Information Security Properties
o Cybersecurity Concepts
o Operational Capabilities
o Security Domains
• ISO/IEC 27002:2022 also states a purpose for each individual control to better explain its intent.
Preparing for your ISO 27001 Transition
• Organizations must transition their management system to the requirements of ISO/IEC 27001:2022 before their transition audit is conducted. This includes any documentation changes, along with evidence of any new or changed process requirements.
• Additionally, organizations will need to provide the following for review:
o Gap analysis against ISO/IEC 27001:2022, as well as the changes to the information security management system (ISMS)
o Changes to the ISMS
o Changes to documentation
o Risk treatment plan (if applicable)
o Management review
o An updated Statement of Applicability (SoA)
o An updated risk treatment plan (if applicable)
o The implementation and effectiveness of the new or changed controls chosen as applicable (per your SoA)
• Organizations must conduct an internal audit and management review of the new/changed requirements prior to Johanson Group conducting the transition audit.
ISO 27001 Transition Audit
• All organizations must have a transition audit to confirm the implementation of the revised standard. The transition audit may be conducted in conjunction with an existing audit, or may be a stand-alone audit.
• If the transition audit is conducted in conjunction with an existing surveillance or recertification audit, additional time may be added to the audit duration in order to cover the new requirements/concepts introduced by ISO 27001:2022.
• If a stand-alone audit is carried out for the transition, the duration will be calculated on an individual organization basis.
o Specific audit durations for transition will depend on the actual situation of the organization, including the organization’s size and the complexity of the ISMS.
o When a transition audit is carried out in conjunction with a recertification audit, a minimum of 0.5 auditor days will be needed.
o If the audit is carried out in conjunction with a surveillance audit or as a separate audit, a minimum of 1.0 auditor days will be needed.
Revised ISO/IEC 27001:2022 Certificates
• As with any audit, non-conformities identified during a transition audit will require a corrective action to be submitted and approved. An updated ISO/IEC 27001:2022 certificate will be issued following corrective action approval.
• Updated ISO/IEC 27001:2022 certificate issuance and validity will be as follows:
o Surveillance with transition – the organization’s existing ‘Expiry date’ will be maintained.
o Re-certification with transition – a new ‘Expiry date’ will be issued for the renewed 3-year period.
o Stand-alone transition – the organization’s existing ‘Expiry date’ will be maintained.