Transition for ISO 27001:2022
(Updated on May 25, 2023)
Release of IAF MD26:2022
IAF Mandatory Document 26:2022 has been published by the International Accreditation Forum, Inc. (IAF), to define the transition requirements for ISO/IEC 27001:2022.
ISO/IEC 27001:2022 was published in October 2022, following the earlier publication of ISO/IEC 27001:2013/AMD1:2022.
Main Changes to ISO 27001:2022
As compared to ISO/IEC 27001:2013, the key changes to ISO/IEC 27001:2022 include:
- Annex A now references the controls in ISO/IEC 27002:2022, listing the control title and the control text;
- The notes to Clause 6.1.3 c) are revised editorially, including deletion of the control objectives and replacement of "control" with "information security control";
- The wording of Clause 6.1.3 d) is reorganized to remove potential ambiguity;
- The number of controls decreases from 114 controls in 14 clauses to 93 controls in 4 themes;
- 11 controls are new, 24 controls are merged from existing controls, and 58 controls are updated;
- The control structure is revised: each control now carries "attributes" and a "purpose", and "objectives" are no longer used for groups of controls.
Timescale for Transition
- The transition period will end on Oct 31, 2025.
- DQS will provide transition audits or initial audits against ISO 27001:2022 once the required assessment by the associated accreditation bodies has been completed, which is expected from Q3 2023.
- An organization that is already certified shall plan its transition audit so that the revised certificate is issued before the end of the transition period.
- The transition audit against ISO 27001:2022 should take place no later than Jul 31, 2025, to leave sufficient time to complete the transition process, including certificate issuance, before Oct 31, 2025.
- All certificates based on ISO/IEC 27001:2013 will expire or be withdrawn at the end of the transition period, i.e. after Oct 31, 2025.
- ISO 27001 initial audits and recertification audits conducted by DQS after Apr 30, 2024 will be performed only against the new version of the standard.
Transition Audits
- The transition audit can be conducted in conjunction with a surveillance or recertification audit, with appropriate additional audit time, or as a separate special audit.
- The transition audit will include, but is not limited to, the following:
- a gap analysis against ISO/IEC 27001:2022 and the resulting changes needed to the ISMS;
- the update of the Statement of Applicability (SoA);
- if applicable, the update of the risk treatment plan;
- the implementation and effectiveness of the new or changed controls selected by the organization.
- The expiry date of the current certificate will not be changed solely because of a transition audit.
Supports by DQS
- DQS is a global certification body providing accredited ISO/IEC 27001 ISMS certification and ISO/IEC 27701:2019 PIMS certification services.
- DQS Academy delivers a public ISO 27001 Internal Auditor Course and the PECB-certified ISO 27001 Lead Auditor Course to help customers understand the standard and prepare for the coming upgrade.
- Stay informed: sign up for DQS' newsletters and follow DQS on LinkedIn.
Author: DQS HK