Introduction

ISO 27001 and ISO 27002 have been updated to reflect the evolution of business practices, which now rely more heavily on digital services and cloud services. The new standards will require you to implement changes to your ISMS to remain compliant, with the benefit of aligning your data and cyber security practices with the digitization of business practice and the threats and risks associated with it.


What are the changes to the new version of the standard?
The key changes between ISO 27001:2013 and ISO 27001:2022 revolve around the changes to the controls in Annex A:
•    The structure has been consolidated from 14 sections to 4 key areas: Organizational, People, Physical and Technological.
•    Controls have been reduced from 114 to 93.
•    The concepts of “attributes” and “purpose” have been introduced to help organisations identify and align stakeholders and the other roles and responsibilities associated with controls.

Changes to align the standard with the ISO harmonized approach:
•    Defining the processes and their interactions required for the ISMS
•    Identifying the requirements of interested parties which the ISMS will address.
•    New clause for Planning of Changes.
•    Addition of requirements to monitor and document Information Security Objectives.
•    New requirements to establish criteria for operational processes and to implement control of these processes.
•    New requirement to determine how to communicate.
•    Some clause and sub-clause numbering re-organisation.

Other minor changes include:
•    Changing the title to include “cybersecurity and privacy protection” as well as information security.
•    Re-phrasing some of the language used for easier translation and emphasising different aspects of the clauses.

When does it take effect?
The new ISO 27001:2022 has been in effect since 1st November 2022.
Since 1st November 2023, all new certifications for ISO 27001 must use ISO 27001:2022. You can still be certified against ISO 27001:2013 if you started your certification (i.e. had your Stage 1 audit performed) before 31st October 2023, but you will need to go through a transition.

What is the timeline for migration from the old version?
There is a 3 year transition period which runs between 1st November 2022 and 31st October 2025. During this time all certifications must transition to the new version.

Can I still certify our ISMS against ISO 27001:2013?
Certifications against ISO 27001:2013 will still be accepted until 31st October 2023, but will need to go through a transition. After that, all new certifications must use ISO 27001:2022.

What impact does the change have on our ISMS – what should we expect?
The key impact will be the need to revisit the risk assessment and the Statement of Applicability to ensure that the updated set of controls is applied effectively. This will ensure that your ISMS is in line with the level of digital business risk you have determined.

What do we have to do to transition and update our certificate?
A transition audit must be carried out to assess that the changes have been implemented effectively. This will require a comprehensive understanding of the changes, of their impact on your organisation, and of what effective implementation looks like.