Transition for ISO 27001:2022

(Updated on May 25, 2023)


Release of IAF MD26:2022

IAF Mandatory Document 26:2022 has been published by the International Accreditation Forum, Inc. (IAF), to define the transition requirements for ISO/IEC 27001:2022.

ISO/IEC 27001:2022 was published in Oct 2022, following the preparation of ISO/IEC 27001:2013/AMD1:2022.

Main Changes to ISO 27001:2022

As compared to ISO/IEC 27001:2013, the key changes to ISO/IEC 27001:2022 include:

  • Annex A references the controls in ISO/IEC 27002:2022, including the control title and the control text;
  • The notes of Clause 6.1.3 c) are revised editorially, including deleting the control objectives and using “information security control” to replace “control”;
  • The wording of Clause 6.1.3 d) is re-organized to remove potential ambiguity;
  • The number of controls decreases from 114 controls in 14 clauses to 93 controls in 4 clauses;
  • 11 controls are new, 24 controls are merged from existing controls, and 58 controls are updated;
  • The control structure is revised: it introduces an “attribute” and a “purpose” for each control and no longer uses an “objective” for a group of controls.

Timescale for Transition

  • The transition period will end on Oct 31, 2025.
  • DQS will provide transition audits or initial audits against ISO 27001:2022 after the required assessment by the associated accreditation bodies, which is expected to be from Q3 2023.
  • An existing certified organization shall plan a transition audit to ensure the issuance of the revised certificate before the end of the transition period.
  • The Transition Audit against ISO 27001:2022 should be no later than Jul 31, 2025, to ensure sufficient time to complete the transition process, including certificate issuance, before Oct 31, 2025.
  • All certifications based on ISO/IEC 27001:2013 will expire or be withdrawn after Oct 31, 2025.
  • ISO 27001 Initial Audits and Recertification Audits after Apr 30, 2024 will be conducted by DQS only in accordance with the new version of the standard.

Transition Audits

  • The transition audit can be conducted in conjunction with a surveillance/recertification audit, with appropriate additional audit days, or through a separate special audit.
  • The transition audit will include, but is not limited to, the following:
    - the gap analysis against ISO/IEC 27001:2022, as well as the need for changes to the ISMS;
    - the updating of the statement of applicability (SoA);
    - if applicable, the updating of the risk treatment plan;
    - the implementation and effectiveness of the new or changed controls chosen by the organization.
  • The expiration of the current certificate will not be changed solely due to a transition audit.

Support by DQS

Author

DQS Hong Kong

DQS Hong Kong specialises in certification auditing and training services across core disciplines including Information Security (ISO 27001), Quality Management (ISO 9001), and the Automotive Industry (IATF 16949). Our auditors bring deep sector-specific expertise, working closely with clients' operational realities to deliver actionable management insights and lasting commercial value — well beyond the boundaries of compliance alone.
