ISO/IEC 27001:2022 Transition Guidance

ISO/IEC 27001:2013 Transition Period

  • 31st October 2022: Start of the transition period. Organisations certified to ISO/IEC 27001:2013 have a three-year window to transition to ISO/IEC 27001:2022.
  • 31st July 2025: Deadline for completion of transition audits for organisations transitioning from ISO 27001:2013 to the new standard.
  • 31st October 2025: End of the transition period. Certificates for ISO/IEC 27001:2013 will no longer be valid after this date.


ISO/IEC 27001:2022 summary of clauses changed

  • 4.2 Understanding the needs and expectations of interested parties.
  • 4.4 Information security management system.
  • 6.2 Information security objectives and planning to achieve them.
  • 6.3 Planning of changes.
  • 8.1 Operational planning and control.
  • 9.1 Monitoring, measurement, analysis and evaluation.
  • 9.3 Management review.
  • Compared with ISO/IEC 27001:2013, the number of Annex A controls (aligned with ISO/IEC 27002:2022) decreases from 114 controls to 93 controls.
  • The controls are grouped into four themes: Organisational controls (37 controls), People controls (8 controls), Physical controls (14 controls) and Technological controls (34 controls).
  • Some controls have been merged, and 11 new controls have been added. The new controls are:
      • 5.7 Threat intelligence
      • 5.23 Information security for use of cloud services
      • 5.30 ICT readiness for business continuity
      • 7.4 Physical security monitoring
      • 8.9 Configuration management
      • 8.10 Information deletion
      • 8.11 Data masking
      • 8.12 Data leakage prevention
      • 8.16 Monitoring activities
      • 8.23 Web filtering
      • 8.28 Secure coding


Transferring ISO/IEC 27001:2013 certification

  • ForeFront Certification will assess clients for the transfer of their existing certification to ISO/IEC 27001:2013.
  • Accepted transfers will be certified to ISO/IEC 27001:2013 by ForeFront Certification before the transition audit assessment for ISO/IEC 27001:2022 is planned.
  • We will contact you to agree on the transition audit date. The transition audit may be conducted during the surveillance audit, during the recertification audit, or as a separate audit.
  • Once the transition audit is completed, the audit recommendation will be communicated by our auditor.
  • Where applicable, audit findings raised will require the submission of corrective actions.
  • The transition audit will undergo technical review for a certification decision.
  • Clients whose transition audit is successful will be issued an ISO/IEC 27001:2022 certificate of registration.


What should I do to get ready for the transition from ISO/IEC 27001:2013 to 2022?

  • Take the time to review the changes and enhancements introduced in ISO/IEC 27001:2022 compared to ISO/IEC 27001:2013. Understanding these changes will make for a smoother transition.
  • Evaluate your existing ISMS against the requirements of ISO/IEC 27001:2022. Identify any gaps or areas that need attention to align with the updated standard.
  • Execute the needed changes and improvements to meet the requirements of ISO 27001:2022.
  • Ensure that these changes are effectively integrated into your existing ISMS.
  • Conduct internal audits or assessments to verify compliance with the new ISO/IEC 27001:2022 Standard.
  • Conduct a management review according to ISO/IEC 27001:2022.