Transition for ISO 27001:2022

(Updated on May 25, 2023)


Release of IAF MD26:2022

IAF Mandatory Document 26:2022 has been published by the International Accreditation Forum, Inc. (IAF), to define the transition requirements for ISO/IEC 27001:2022.

ISO/IEC 27001:2022 was published in Oct 2022, following the preparation of ISO/IEC 27001:2013/AMD1:2022.

Main Changes to ISO 27001:2022

Compared to ISO/IEC 27001:2013, the key changes in ISO/IEC 27001:2022 include:

  • Annex A now references the controls in ISO/IEC 27002:2022, including the control title and the control itself;
  • The notes of Clause 6.1.3 c) are revised editorially, including deleting the control objectives and using “information security control” in place of “control”;
  • The wording of Clause 6.1.3 d) is reorganized to remove potential ambiguity;
  • The number of controls decreases from 114 controls in 14 clauses to 93 controls in 4 clauses;
  • 11 controls are new, 24 controls are merged from existing controls, and 58 controls are updated;
  • The control structure is revised: it introduces an “attribute” and a “purpose” for each control and no longer uses an “objective” for a group of controls.

Timescale for Transition

  • The transition period will end on Oct 31, 2025.
  • DQS will provide transition audits or initial audits against ISO 27001:2022 after the required assessment by the associated accreditation bodies, which is expected from Q3 2023.
  • An existing certified organization shall plan its transition audit so that the revised certificate is issued before the end of the transition period.
  • The transition audit against ISO 27001:2022 should take place no later than Jul 31, 2025, to allow sufficient time to complete the transition process, including certificate issuance, before Oct 31, 2025.
  • All certifications based on ISO/IEC 27001:2013 will expire or be withdrawn after Oct 31, 2025.
  • DQS will conduct ISO 27001 initial audits and recertification audits after Apr 30, 2024 only in accordance with the new version of the standard.

Transition Audits

  • The transition audit can be conducted in conjunction with a surveillance/recertification audit, with appropriate additional audit days, or as a separate special audit.
  • The transition audit will include, but is not limited to, the following:
    - the gap analysis against ISO/IEC 27001:2022, as well as the need for changes to the ISMS;
    - the updating of the statement of applicability (SoA);
    - if applicable, the updating of the risk treatment plan;
    - the implementation and effectiveness of the new or changed controls chosen by the organization.
  • The expiration of the current certificate will not be changed solely due to a transition audit.

Support from DQS

Blog Author of DQS HK