Transition to ISO/IEC 27001:2022
On October 25, 2022, ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection — Information security management systems — Requirements was published.
The publication of the new standard means that ISO/IEC 27001:2013 Information technology – Security techniques – Information security management systems – Requirements will be withdrawn with a transition period of three years and replaced by ISO/IEC 27001:2022.
During the transition period, certificates issued against ISO/IEC 27001:2013 remain valid until the last day of the transition period, which is 31 October 2025 (see the summary time-schedule at the end of this document).
For a certificate to remain valid, every certified organization must transition to ISO/IEC 27001:2022, and the transition audit must be carried out no later than 31 July 2025.
See “Summary time-schedule” at the end of this document.
The transition can be performed either in connection with a re-certification or during an ordinary surveillance audit, alternatively as a separate audit.
We recommend that you start your work regarding the transition as soon as possible and that you plan the transition audit in good time together with your audit leader.
Additional time in accordance with IAF MD 26:2023 Transition Requirements for ISO/IEC 27001:2022:
1) At least 0.5 auditor day for transition audit when performed in connection with a re-certification audit.
2) At least 1.0 auditor day for transition audit when performed in conjunction with a surveillance audit or a separate audit.
If you have any questions regarding the certificate’s validity period, you are always welcome to contact one of our Team assistants:
Svensk Certifiering Norden AB
S-184 40 ÅKERSBERGA, Sweden
Phone: 08-540 676 20
What does this mean for us in practice?
During the transition from ISO/IEC 27001:2013 to ISO/IEC 27001:2022, a certified organization needs to update its Information Security Management System (ISMS) to ensure alignment with the new requirements and guidelines in the updated standard.
An important part of this update is to perform gap analysis between the organization’s existing ISMS and the requirements of the new standard, to identify any gaps and develop a plan to address them.
When it comes to the Statement of Applicability (SoA), the organization must re-evaluate which Annex A controls apply to the business and which do not, and justify each inclusion and exclusion. Because the 2022 edition restructures Annex A (93 controls grouped into four themes, replacing the 114 controls in 14 domains of the 2013 edition), every control in the existing SoA has to be mapped to the new control set rather than carried over unchanged. This re-evaluation should be driven by an updated view of the organization's risk profile and information needs. Furthermore, the organization needs to ensure that all applicable requirements of the standard are properly implemented and documented in the ISMS, and that there is a clear communication plan to inform all relevant parties of the changes and their impact on the organization.
Summary time-schedule

25 October 2022: ISO/IEC 27001:2022 is published.

31 October 2022: The three-year transition period starts (counted from the last day of the publication month).

1 May 2024: All initial (new) certification audits should be conducted against ISO/IEC 27001:2022 after this date. Recertification audits are recommended to be conducted against ISO/IEC 27001:2022.

31 July 2025: All transition audits should be conducted by this date.

31 October 2025: The transition period ends. Certificates issued against ISO/IEC 27001:2013 are no longer valid after this date.