ISO/IEC 27001:2022 Transition

A new revision of ISO/IEC 27001 has been released as “ISO/IEC 27001:2022 – Information security, cybersecurity and privacy protection – Information security management systems – Requirements.” The revision was published in October 2022 and reflects the latest developments and best practices in information security management.

Transition Period and Certification Updates:

  • Transition Deadline: All organizations must transition to ISO/IEC 27001:2022 by October 31, 2025. The three-year transition period runs from the end of the publication month (October 2022), giving organizations that time to update their systems and processes.

  • Certification Applications: Applications for initial certification or recertification against ISO/IEC 27001:2013 will be accepted until April 29, 2024. After this date, only applications against ISO/IEC 27001:2022 will be accepted.

  • Validity of Current Certificates: Certificates issued against ISO/IEC 27001:2013 remain valid until October 30, 2025, and are not extended beyond the transition deadline. Surveillance audits against the 2013 version will continue until October 30, 2024; after that date all audits will be conducted against the 2022 revision.

For Certified Organizations:

Transitioning during your scheduled surveillance or recertification audit requires additional audit time: 1.0 man-day added to a surveillance audit and 0.5 man-day added to a recertification audit. If you need a dedicated transition audit outside of these scheduled audits, it will be conducted with a minimum duration of 1.0 man-day.

Steps for a Smooth Transition:

  1. Develop a Transition Plan: Outline the steps, owners and dates needed to bring your Information Security Management System (ISMS) into line with the new standard before your chosen transition audit.
  2. Training and Awareness: Ensure that the personnel who operate and audit the ISMS are trained on the changes and understand their implications for their own processes.
  3. Update Documentation: Revise your existing ISMS documentation (policies, procedures, risk assessment, risk treatment plan and Statement of Applicability) to align with the ISO/IEC 27001:2022 requirements and the new Annex A.

Key Changes in ISO/IEC 27001:2022:

  • Integration with ISO/IEC 27002:2022: Annex A has been realigned with ISO/IEC 27002:2022, with new control titles, numbering and structure.
  • Clause Revisions: Mostly editorial changes in clauses 4 to 10 to improve clarity and remove ambiguities, notably in clauses 6.1.3 c) and d) on comparing the determined controls with Annex A and on the content of the Statement of Applicability. A new clause 6.3 (Planning of changes) requires that changes to the ISMS be carried out in a planned manner.
  • Control Modifications: The number of Annex A controls is reduced from 114 to 93, and the 14 control domains are replaced by four themes (organizational, people, physical and technological). Of the 93 controls, 11 are new, 24 were formed by merging previous controls, and 58 were updated. Instead of a control objective per group of controls, each control now has a stated purpose and a set of attributes (such as control type, information security property and cybersecurity concept) that can be used to filter and group controls.

Audit Considerations for Transition:

  • Gap Analysis: Identify what needs to be updated in your ISMS to comply with the new standard, including a mapping of your existing controls to the 93 controls of the new Annex A.
  • Statement of Applicability and Risk Treatment Plan: These documents need to be re-issued against the new Annex A control set. Under clause 6.1.3 d) the Statement of Applicability must list the necessary controls, state whether they are implemented, and justify both inclusions and the exclusion of any Annex A control, so every new or merged control must be addressed explicitly.

Do not miss the transition deadlines. Contact us to schedule your audits and ensure your organization remains compliant and certified under the updated ISO/IEC 27001:2022 standard.
