ISO 27001:2022 TRANSITION GUIDANCE FOR CLIENTS

ISO/IEC 27001:2022 "Information security, cybersecurity and privacy protection – Information security management systems – Requirements" was released in October 2022 and replaces ISO/IEC 27001:2013 over a three-year transition period. All organizations that wish to remain certified to ISO 27001 must transition to the 2022 revision of the standard within that transition period, which is expected to end in October 2025.

The overall allowable transition period is expected to be three years (i.e., from October 2022 through October 2025).

During that period both versions of the ISO/IEC 27001 standard remain valid and audits to either version of the standard may be conducted, subject to the rules noted below, but plans should be made for an organization's transition to be fully complete before the transition period ends.

Detailed Transition Period 

October 25th, 2022 – ISO/IEC 27001:2022 release date 

October 31st, 2022 – Transition Period begins 

May 1st, 2024 – After this date, all initial (new) certification audits must be conducted to the 27001:2022 edition, and all recertification audits are recommended to use the 27001:2022 edition.

• Johanson Group will continue to accept applications for certification and issue new certificates against the 27001:2013 standard until this date.

July 31st, 2025 – All transition audits should be conducted by this date

October 31st, 2025 – Transition period ends

Download the full transition plan (PDF)

ISO/IEC 27001:2022 Change Analysis

Changes within the ISO/IEC 27001 standard have been made to better align it with the harmonized structure used for ISO management system standards.

Changes have been made in the following requirements: 

• 4.2 Understanding the needs and expectations of interested parties 

• 4.4 Information security management system 

• 6.2 Information security objectives and planning to achieve them 

• 6.3 Planning of changes 

• 9.1 Monitoring, measurement, analysis and evaluation 

• 9.3.2 Management review inputs 

• The Annex A controls have been regrouped from 14 control objectives (domains) into 4 themes: Organizational, People, Physical and Technological controls

• The overall number of controls within Annex A has changed from 114 controls to 93.

• 11 new controls have been added:

  o Threat intelligence

  o Information security for use of cloud services

  o ICT readiness for business continuity

  o Physical security monitoring

  o Configuration management

  o Information deletion

  o Data masking

  o Data leakage prevention

  o Monitoring activities

  o Web filtering

  o Secure coding

• 57 controls have been merged (into 24 consolidated controls) and 1 control was split

• 23 controls were renamed

• 35 controls stayed the same

• ISO/IEC 27002:2022 introduced 5 control attributes that can be used to categorize controls in different ways:

  o Control type

  o Information security properties

  o Cybersecurity concepts

  o Operational capabilities

  o Security domains

• ISO/IEC 27002:2022 also defines a purpose statement for each individual control to better explain the intent of that control

Preparing for your ISO 27001 Transition 

• Organizations must transition their management system to the requirements of ISO/IEC 27001:2022 before their transition audit is conducted. This should include any documentation changes, along with evidence of any new or changed process requirements.

• Additionally, organizations will need to provide the following for review:

  o A gap analysis against ISO/IEC 27001:2022, covering the resulting changes to the information security management system (ISMS)

  o Changes to the ISMS

  o Changes to documentation

  o Management review records

  o An updated Statement of Applicability (SoA)

  o An updated risk treatment plan (if applicable)

  o Evidence of the implementation and effectiveness of the new or changed controls chosen as applicable (per your SoA)

• Organizations must conduct an internal audit and management review covering the new/changed requirements prior to Johanson Group conducting the transition audit.

ISO 27001 Transition Audit

• All organizations must have a transition audit to confirm the implementation of the revised standard. The transition audit may be conducted in conjunction with an existing audit, or as a stand-alone audit.

• If the transition audit is conducted in conjunction with an existing surveillance or recertification audit, additional time may be added to the audit duration in order to cover the new requirements and concepts introduced by ISO 27001:2022.

• If a stand-alone transition audit is carried out, its duration will be calculated for each organization individually.

Specific audit durations for transition will depend on the actual situation of the organization, including the organization's size and the complexity of the ISMS.

When a transition audit is carried out in conjunction with a recertification audit, a minimum of 0.5 auditor days will be needed.

If the audit is carried out in conjunction with a surveillance audit or as a separate audit, a minimum of 1.0 auditor day will be needed.

Revised ISO/IEC 27001:2022 Certificates  

• As with any audit, non-conformities identified during a transition audit will require a corrective action to be submitted and approved. An updated ISO/IEC 27001:2022 certificate will be issued following corrective action approval.

• Updated ISO/IEC 27001:2022 certificate issuance and validity will be as follows:

  o Surveillance with transition – the organization's existing 'Expiry date' will be maintained

  o Re-certification with transition – a new 'Expiry date' will be issued for the renewed 3-year period

  o Stand-alone transition – the organization's existing 'Expiry date' will be maintained

Additional Resources