Kozue Connor
Kozue is an expert in the field of Risk, Business Continuity and Cyber Security Management. She has developed management systems for numerous clients

Timescales for ISO/IEC 27001 Transition have been Formally Announced

The International Accreditation Forum (IAF) issued the Transition Requirements for ISO/IEC 27001:2022 on 9th August 2022. ISO/IEC 27001 Information Security Management is one of the most widely used ISMS (Information Security Management System) frameworks in the world, and organizations can be certified against it. The current version was published in 2013 and is expected to be updated in 2022, following the recent update of its accompanying guideline, ISO/IEC 27002:2022.

The Transition Requirements set out the key timescales for Accreditation Bodies (ABs) and Conformity Assessment Bodies (CABs). ABs are the organizations that accredit certification bodies and are generally appointed by governments. CABs are the organizations that perform the assessments; in the context of ISO/IEC 27001 certification they are usually referred to as Certification Bodies.

Key Timescales and Impact for Certified Organizations

(created based on the key timescale table in the Transition Requirements)

| Activity | Due date (from the last day of the publication month of ISO/IEC 27001:2022) | Impact for organizations to be (re)certified |
|---|---|---|
| Accreditation Bodies (AB) | | |
| AB to be ready to assess to ISO/IEC 27001:2022 no later than | 6 months | Will be able to select at least 1 CAB to receive an ISO/IEC 27001:2022 audit within 6 months |
| Initial assessment by AB to ISO/IEC 27001:2022 to begin no later than | 6 months | |
| AB transitions of CABs completed by | 12 months | Will be able to receive an ISO/IEC 27001:2022 audit from any CAB within 12 months |
| Conformity Assessment Bodies (CAB) | | |
| Initial certification by CAB to ISO/IEC 27001:2022 to begin no later than | 12 months | Will be able to receive an ISO/IEC 27001:2022 audit from any CAB within 12 months |
| CAB transitions of certified clients completed by | 36 months | Will not be able to receive an ISO/IEC 27001:2013 audit after 36 months |


If your organization is certified to ISO/IEC 27001:2013 (and your next recertification audit is not expected before, or soon after, the publication of ISO/IEC 27001:2022), you may technically choose to have that recertification audit against either the 2013 or the 2022 version. However, we recommend the 2022 version, as stakeholders such as your customers may expect you to comply with the latest framework sooner. The same applies to organizations that are preparing for ISO/IEC 27001 certification. Additionally, the Transition Requirements mention a transition audit and state that the “CAB may conduct the transition audit in conjunction with the surveillance audit, recertification audit or through a separate audit.” You can therefore update your ISO/IEC 27001 certification to the 2022 version before your next expected recertification audit.

In most cases, major updates to the ISMS are not necessary, as the change from the 2013 version to ISO/IEC 27001:2022 is limited to Annex A, the reference control objectives and controls. Annex A is a reference set of security controls, and each organization selects the controls it needs based on its own context (for more details, please refer to The 2022 update to ISO/IEC 27001/2). You will need to review the Statement of Applicability (SoA), but if your organization already maintains the necessary controls, you may not need any major change or implementation work. The Transition Requirements indicate the key review points as transition audit criteria.

The transition audit shall include, but not be limited to, the following:

  • the gap analysis of ISO/IEC 27001:2022, as well as

  • the need for changes to the client’s ISMS;

  • the updating of the statement of applicability (SoA);

  • if applicable, the updating of the risk treatment plan;

  • the implementation and effectiveness of the new or changed controls chosen by the clients.


If you need any assistance or have any questions regarding privacy or cybersecurity in general, feel free to contact us. We can support you in reviewing your ISMS for compliance with ISO/IEC 27001:2022.


References

International Accreditation Forum, https://iaf.nu/en/home/