The ISO/IEC 27001:2022 standard was published on October 25, 2022.
Certification Bodies must have completed their clients’ transition to ISO/IEC 27001:2022 within 36 months of the standard’s publication. Certified organizations are required to complete their transition by the end of October 2025.
In this context, 12 months after the publication of the ISO/IEC 27001:2022 Standard, that is, starting from November 1, 2023, Certification Bodies will not conduct initial certification audits or re-certification audits according to ISO/IEC 27001:2013/ISO/IEC 27001:2017.
Studies for the ISO/IEC 27001:2022 transition of certified bodies should include, but are not limited to:
• GAP analysis of ISO/IEC 27001:2022 and the need for changes in existing ISMS;
• Updating the Statement of Applicability (SoA);
• Updating the risk recovery plan, if any;
• Implementation and effectiveness of new or modified controls selected by customers.
For transition application firstname.lastname@example.org
IQR may conduct the transition audit in conjunction with the surveillance audit, recertification audit or through a separate audit.
The transition audit shall not only rely on the document review, especially for reviewing the technological information security controls.
The transition audit shall include, but not be limited to the following:
- The gap analysis of ISO/IEC 27001:2022, as well as the need for changes to the client’s ISMS.
- The updating of the statement of applicability (SoA).
- If applicable, the updating of the risk treatment plan.
- The implementation and effectiveness of the new or changed information security controls chosen by the clients.
Minimum of 0.5 auditor day for the transition audit when it is carried out in conjunction with a recertification audit.
Minimum of 1.0 auditor day for the transition audit when it is carried out in conjunction with a surveillance audit or as a separate audit.
When the certification document is updated because the client successfully completed only the transition audit, the expiration of its current certification cycle will not be changed.
All certifications based on ISO/IEC 27001:2013 shall expire or be withdrawn at the end of the transition period.