#ISO27001:2022 transition requirements update published (MD 26:2023, Issue 2) – What has (not) changed?

  1. TLDR
  2. Ch1. Introduction
  3. Ch2. Summary of key changes
    1. §2.1 Background
    2. §2.2 Key changes (in ISO27001)
    3. §2.3 Impact
  4. Ch3. Key time scale
    1. AB
    2. CAB
  5. Ch4. Transition action process
    1. §4.1 AB Action
    2. §4.2 CAB Action
    3. §4.3 Other

IAF (the International Accreditation Forum) has published updated requirements for the transition of ISO 27001 from the 2013 edition to the new 2022 edition.

TLDR

  • The transition period did not change (kept at 3 years from publication).
  • (update) Initial certification and recertification against ISO 27001:2013 remain possible until 30 April 2024.
  • After 30 April 2024 you can only certify against ISO 27001:2022.
  • All ISO 27001:2013 certifications shall expire or be withdrawn at the end of the transition period (3 years, October 2025).
  • (update) The certification transition assessment shall include as a minimum
    • an additional 1/2 day for a recertification audit
    • an additional 1 day for a surveillance audit or a separate audit

Sources and milestones

Just so you know

MD 26 Issue 2 was published on 15 February 2023, a few months after the publication of ISO 27001:2022 in October 2022.
The main problem: the previous issue was already published in August, before the final version of ISO 27001:2022 was available…

So obviously an update was required.

[For your info: If you need some help on acronyms, see the end of this article…]

Some things were updated, but some were not.

The key topics to remember

What changed (highlighted green in the original post) and what did not change (highlighted red)?

  • The transition period is kept at 3 years (36 months).
  • Initial certification and recertification by a CAB against the old standard is allowed no later than 18 months (was: 12 months) after the end of the month of publication (October 2022).
    • This means that you can still certify against the old standard (ISO 27001:2013) until 30 April 2024.
    • After 30 April 2024 you can only certify against ISO 27001:2022.
  • (4.2 CAB actions)
    • The certification transition assessment shall include as a minimum
      • an additional 1/2 day for a recertification audit
      • an additional 1 day for a surveillance audit or a separate audit
  • All ISO 27001:2013 certifications shall expire or be withdrawn at the end of the transition period (3 years, October 2025).

But of course, I don’t need to tell you: as soon as your CAB is ready, you had better upgrade your current certification to the newest version, 2022.

A quick recap

A bit more detail on the MD 26 document

Ch1. Introduction

Normative Document: ISO/IEC 27001:2022
Replacing: ISO/IEC 27001:2013
Current Status (at time of MD publication): IS
Transition Period: 3 Years (36 months)

Ch2. Summary of key changes

§2.1 Background

Contains an overview of the ISO publication agenda from FDIS to IS.

Did you know that

No more than two separate documents in the form of amendments shall be published modifying a current International Standard (see ISO/IEC Directive Part 1, 2022, Clause 2.10.3), therefore, the new edition of ISO/IEC 27001 had to be published after the preparation of ISO/IEC 27001:2013/DAmd1.

Source: IAF MD 26:2023

§2.2 Key changes (in ISO27001)

Source: MD26:2023

  1. Annex A references the information security controls in ISO/IEC27002:2022, which includes the information of control title and control.
  2. The notes of Clause 6.1.3 c) are revised editorially, including deleting the control objectives and using “information security control” to replace “control”.
  3. The wording of Clause 6.1.3 d) is re-organized to remove potential ambiguity.
  4. Adding a new item 4.2 c) to determine the requirements of the interested parties addressed through an information security management system (ISMS).
  5. Adding a new subclause 6.3 – Planning for changes, which defines that the changes to the ISMS shall be carried out by the organization in a planned manner.
  6. Keeping the consistency in the verb used in connection with documented information, for example, using “Documented information shall be available as evidence of XXX” in clauses 9.1, 9.2.2, 9.3.3 and 10.2.
  7. Using “externally provided process, products or services” to replace “outsourced processes” in Clause 8.1 and deleting the term “outsource”.
  8. Naming and reordering the subclauses in Clause 9.2 – Internal audit and 9.3 – Management review.
  9. Reorder of the two subclauses in Clause 10 – Improvement.
  10. Updating the edition of the related documents listed in Bibliography, such as ISO/IEC 27002 and ISO 31000.
  11. Some deviations in ISO/IEC 27001:2013 to the high-level structure, identical core text, common terms and core definitions of MSS are revised for consistency with the harmonized structure for MSS, for example, Clause 6.2 d).

§2.3 Impact

  • New Annex A (as ISO 27002:2022 is published)
  • Annex A is normative
  • Updated harmonized structure

Ch3. Key time scale

AB

  • Ready to assess: 30 April 2023
  • Initial assessment by AB: 30 April 2023
  • AB transition of CABs completed by: 31 October 2023

CAB

  • Initial certification and recertification of ISO 27001:2022: no later than 30 April 2024
  • Transition of certified clients: 36 months, 31 October 2025

Ch4. Transition action process

§4.1 AB Action

Only interesting if you are an AB; see MD 26.

§4.2 CAB Action

Is extra time likely to be needed for the transition? Yes.

  1. Minimum of 0.5 auditor day for the transition audit when it is carried out in conjunction with a recertification audit.
  2. Minimum of 1.0 auditor day for the transition audit when it is carried out in conjunction with
    • a surveillance audit, or
    • as a separate audit.

Important note:

When the certification document is updated because the client successfully completed only the transition audit, the expiration of its current certification cycle will not be changed.

All certifications based on ISO/IEC 27001:2013 shall expire or be withdrawn at the end of the transition period.

§4.3 Other

TLDR…

Acronyms

AB = Accreditation Body

CAB = Conformity Assessment Body, certification body

IAF: International Accreditation Forum

FDIS: Final Draft International Standard

IS: International Standard
