In October 2022, a revision to ISO/IEC 27001 was published bringing with it new requirements for your Information Security Management System and transitional requirements for your accredited certification.
Find out about the changes in ISO/IEC 27001:2022 & the transitional arrangements for Accreditation Bodies, Certification Bodies and how they will affect your transition to an ISO/IEC 27001:2022 certificate
This article will be relevant to anyone working in or having an interest in the transition process for ISO/IEC 27001:2022 certification. So, whether you work or contracted to work in an Accreditation Body or Certification Body, work in a 27001 certified organisation, are an Information Security Consultant or anyone with an involvement in information security then this video is for you.
To start, I will look at the publication of two documents that will have a significant impact on Information Security Management Systems based on ISO/IEC 27001:2013.
Firstly, the 2013 version of 27001 has been withdrawn and replaced by the 2022 edition until 25 October 2022, so its new requirements can be used to drive your information security forward over the coming months and years.
The main changes in ISO/IEC 27001:2022 include:
- The main change of the Annex A references to the controls in ISO/IEC 27002:2022, which includes the information of control title and control;
- Integration of amendments and corrigenda into the document including:
- The notes of Clause 6.1.3 c) including deleting the control objectives and using “information security control” to replace “control”; and
- Reorganisation of Clause 6.1.3 d) to remove the potential ambiguity.
- Other editorial changes are at a lower level and a more detailed analysis can be found in accompanying article here
IAF MD:26 :2022
Secondly, the International Accreditation Form (IAF) published a Mandatory Document, which contains requirements for the management of the transition from 27001 certification from the 2013 to 2022 for Accreditation and Certification Bodies that will impact your certificate. This document was published on 9 August 2022 and has an implementation date of the same date.
There are three levels of transition that are recognised:
Transition for Accreditation Bodies
Accreditation Bodies are tasked with preparing their own revised processes and Assessor competence by six months from the last day of the publication month, which was 31 October 2022, so this must be completed by 30 April 2023 or more, likely 1 May 2023 as this is the first working day.
In-line with the Accreditation Body setting up their own assessment systems for the new edition of ISO/IEC 27001, from 30 April 2023 will be the start of their assessment of their accredited Certification Bodies.
And the final step of the Accreditation Body transition assessments will be the completed by the end of the 12-month period, so 31 October 2023.
Once a Certification Body has successfully completed their accreditation transition, they will be accredited to delivery ISO/IEC 27001:2022 certification. This can be at anytime from 30 April to 31 October 2023 with the likely earliest accreditation of Certification Bodies to have been completed at the earliest in May or June 2023.
Transition for Certification Bodies
Secondly, the Certification Bodies will need to make their own transition of their own auditing and certification processes. Their transition arrangement needs to include at least the consideration of the following:
- The identified changes in ISO/IEC 27001 and the gap analysis;
- Any need to modify the related certification processes, documents and, if applicable, IT systems for managing certification activities
- Ensuring that all relevant personnel are competent for ISO/IEC 27001:2022 and transition process
- the audit team, as a whole, shall have knowledge of all controls contained in ISO/IEC 27002:2022 and their implementation (see ISO/IEC 27006:2015, 220.127.116.11.3 b))
- the transition audit programme
- there is a timely communication to the clients on the transition programme, such as the timeline, transition audit approach, and the consequences if the client fails to transition prior to the end of the transition period.
The overall encouragement is for Certification Bodies to plan and start the required actions at the earliest opportunity to ensure that they can transition within the deadlines.
There are two timescales are relevant to accredited-Certification Bodies and their clients with the first relating to the 31 October 2023, when initial certification to ISO/IEC 27001:2022 is to begin at the latest. And by inference, the Certification Body cannot offer initial ISO/IEC 27001:2013 certification.
Transition for new and certified organisations
So, if you are looking to get certified to ISO/IEC 27001:2013 and are ready to go then you may want to progress your initial certification to conclusion by 31 October 2023 rather than revise your ISMS to meet the 2022 edition and miss out on its benefits over that period.
However, if you have not yet started with the development of your ISMS, you may wish to consider using ISO/IEC 27001:2022 as the basis of your Information Security Management System and be ready to take advantage of an early certification in the period between the accreditation transition of their Certification Body and the closure of ISO/IEC 27001:2013 initial certification, at some time after 30 April and 31 October 2023.
The second timescale relevant for certified organisations is that accredited-Certification Bodies will need to transition your certificate from the 2013 to 2022 edition no later than 30 October 2025.
What to expect from a Transition Audit?
For certified organisations, you can anticipate that your Certification Body can complete your transition audit in conjunction with your surveillance audit, recertification audit or through a separate audit. The final selection of that transition audit is open to your dialogue with your Certification Body.
You can expect that your transition audit will not wholly rely on a document review as there is likely to be a need for other auditing techniques, such as the audit technological controls and interviews with management and personnel.
During your transition audit, the Certification Body is expected to cover specific issues, which are listed in the IAF Mandatory Document. You can anticipate the need to be able to demonstrate that you have completed a gap analysis of ISO/IEC 27001:2022, as well as the need for changes in your ISMS, the updating and revision of your Statement of Applicability (SoA) to embrace the new information security controls in Annex A. if applicable, the updating of the risk treatment plan and, finally, the implementation and effectiveness of the new or changed information security controls.
The type of audit can be remote, as this option has become readily available since the COVID-19 pandemic, on-site or a blended approach of remote and on-site audits.
Is extra time needed for the transition?
If you transition audit is during your recertification audit, then no additional audit time will be required as this type of audit covers all the ISO/IEC 27001 requirements.
If your transition audit combined with your Surveillance Audit or as a separate audit, then an extra half day will be added to the audit time.
Obviously, a transition during a Surveillance or separate audit will have an extra half days auditing cost, which may point you towards transition at your Recertification Audit. However, this extra cost may be good value for you, if you need to demonstrate transition to the 2022 edition outside of your certification cycle for the Recertification Audit.
If this article has helped to advance your understanding of the changes brought by ISO/IEC 27001:2022 and the background to the transition arrangements, please leave a comment in the box below, if this article has help you.
So, to summarise:
I have covered a lot of ground in this article on the revision of ISO/IEC 27001 to the 2022 version and the transition process for Accreditation Bodies, Certification Bodies & certified organisations, I hope that it will be helpful to start your journey towards enhancing your information security or for securing ISO/IEC 27701:2022 certification.
You can purchase a copy of ISO/IEC 27001:2022 from your National Standardisation Body with a selection of the main Standards Bodies given in the table below:
If you enjoyed this article, you should subscribe to our YouTube Channel – EMSmastery, where you can watch our videos, such as our video accompanying this article on New ISO IEC 27001 2022 – All the key requirements and Transition process with all the changes that you need to know and subscribe in our YouTube channel for new videos released each week.
#ISO27001, #ISMS, #EMSmastery