Answer: You have the option to choose either version up until 30th April 2024 (12 months after publication of ISO 27001:2022), after which all new certificates issued must be to ISO 27001:2022.
Section 1 – Transition requirements
Section 2 – FAQs
Management system standards are reviewed as a minimum on a 5 yearly basis to ensure they remain relevant and up to date with business needs and challenges. For information security management systems, technology is a rapidly changing area and so are the threats, and as such, the minimum controls needed for security, cybersecurity and privacy also need to evolve to remain current.
Summary of main changes in clauses:
Summary of main changes in Annex A Controls:
The new sections within Annex A are:
5 – Organisational controls
6 – People controls
7 – Physical controls
8 – Technological controls
The new controls within Annex A are:
5.7 – Threat intelligence
5.23 – Information security for use of cloud services
5.30 – ICT readiness for business continuity
7.4 – Physical security monitoring
8.9 – Configuration management
8.10 – Information deletion
8.11 – Data masking
8.12 – Data leakage prevention
8.16 – Monitoring activities
8.23 – Web Filtering
8.28 – Secure coding
Important Note: there are other changes within the wording of ISO 27001:2022, both in the clauses and in the controls, which may impact the compliance of an organisation’s ISMS. Organisations seeking to transition are required to undertake their own gap analysis and address changes as applicable. Please see the section below on ‘What will a transition audit include’.
There are a few dates that organisations need to note in relation to certification to ISO 27001:2022.
Organisations that currently hold a valid ISO 27001:2017 certificate with Centre for Assessment will be required to have a transition audit to update their certificate. It has been determined by the International Accreditation Forum (IAF) that additional audit time will be required to effectively assess a client’s management system against the new/changed requirements of the new standard. The transition duration will be based on size and complexity, and will also depend on the transition option chosen (please see below). The actual time required will be confirmed in writing prior to your transition audit.
Please note, major non-conformances found at a transition audit may result in the need for further audit time in a follow up audit. This will be confirmed at the time.
To support our clients and ensure a smooth transition, Centre for Assessment has made the following two options available to all existing ISO 27001:2017 certificate holders.
The transition audit options are as follows:
A standalone transition audit – this is an additional assessment activity which is separate from the ongoing maintenance of the existing approval. The standalone transition visit can be conducted at any time and does not need to be linked to a scheduled visit.
Transition at an existing scheduled audit e.g. surveillance or recertification – transition can be undertaken at the same time as a scheduled audit. It must still be regarded as an additional audit activity and planned as such and must not impact ongoing maintenance or recertification audit activity.
Centre for Assessment is required to maintain your existing certification until a transition process has been successfully completed and a UKAS accredited certificate issued to the 2022 version of the standard. Please see below for details on our accreditation transition with UKAS.
Centre for Assessment will be undertaking transition audits of clients whilst going through our own transition process with UKAS. We will not be able to issue accredited ISO 27001:2022 certificates until we have completed the transition with UKAS. In the interim, we will issue an unaccredited ISO 27001:2022 certificate and replace it with an accredited certificate once accreditation is achieved. At the same time, your ISO 27001:2017 UKAS accredited certificate will remain valid until replaced by the accredited 2022 version.
Certificates issued to ISO 27001:2022 to replace ISO 27001:2017 will have the same certificate expiry as would have been applicable based on the last certification decision and current certification cycle (and not the end of the transition period).
The only exceptions to the above will be clients who hold unaccredited certification with us in technical or geographical areas for which we are not currently accredited by UKAS for the scheme.