On August 09, 2022 the International Accreditation Forum (IAF) published the document IAF MD 26:2022(1), detailing the requirements to be followed for the transition to ISO/IEC 27001:2022.

At the time of this publication, the draft ISO/IEC 27001:2022 has been approved and is awaiting publication. The transition period has been set at 3 years after publication.

Main Changes

New Annex A with ISO/IEC 27002:2022 controls. Compared with the previous version:

  • The number of controls decreased from 114 controls in 14 clauses to 93 controls in 4 clauses.
  • There are 11 new controls.
  • 24 controls have been merged into other existing controls.
  • 58 controls have been updated.
  • The structure of the controls has been revised: the “attribute” and “purpose” elements are new in all controls, and in some controls the “objective” has been eliminated.

The notes to Clause 6.1.3 c) have been revised by deleting the control objective and replacing “control” with “information security control”.

The description of Clause 6.1.3 d) has been reorganized to eliminate potential ambiguities.

Impact of changes

The impact of the changes, following the requirements for the ISO/IEC 27001:2022 transition, is focused on the introduction of the new Annex A.

The ISO/IEC 27001 requirement to use the reference controls in Annex A consists of comparing the information security controls established by the organization with those in Annex A (6.1.3 c)) and producing the Statement of Applicability (6.1.3 d)). By comparing its information security controls with those in Annex A, the organization can check whether any Annex A controls have been overlooked.

This comparison may show that no overlooked controls exist. However, if overlooked controls are identified, the organization should update the risk treatment plan, add the security control and implement it.

From the above it can be deduced that the impact of ISO/IEC 27001:2022 on organizations that have implemented an ISMS should not be significant.

Timeline

Activity and due date, by type of body:

Accreditation Body (AB)

  • AB to be ready to assess to ISO/IEC 27001:2022 no later than: 6 months from the last day of the publication month of ISO/IEC 27001:2022
  • Initial assessment by AB to ISO/IEC 27001:2022 to begin no later than: 6 months from the last day of the publication month of ISO/IEC 27001:2022
  • AB transitions of CABs completed by: 12 months from the last day of the publication month of ISO/IEC 27001:2022

Conformity Assessment Bodies (CAB)

  • Initial certification by CAB to ISO/IEC 27001:2022 to begin no later than: 12 months from the last day of the publication month of ISO/IEC 27001:2022
  • CAB transitions of certified clients completed by: 36 months from the last day of the publication month of ISO/IEC 27001:2022

Conformity Assessment Bodies actions for the transition process

1. Transition agreements

CABs shall establish the arrangements for the transition to ISO/IEC 27001:2022, taking into consideration the requirements of IAF MD 26:2022(1).

The transition agreement should include the obligations of the CABs and those of the clients. CABs may have several separate documents to address the transition agreement.

The transition agreement should include at least the following considerations:

  • The changes in ISO/IEC 27001 and the gap analysis.
  • The need to modify the certification process and documents, as well as the IT systems used to manage certification activities, if applicable.
  • Relevant personnel are competent for ISO/IEC 27001:2022.
  • The audit team, as a whole, should be aware of the ISO/IEC 27002:2022 controls and their implementation (see ISO/IEC 27006:2015, 7.1.2.1.3 b)).
  • The transition audit programme.
  • The transition programme should indicate the period of communication with clients, including the timing, the period for conducting the transition audit and the consequences if the client does not complete the transition before the transition period expires.

CABs are encouraged to plan and start the required actions as soon as possible.

2. Transition Audit

CABs may conduct the transition audit together with the control audit or the recertification audit, or as a separate audit.

The transition audit is not based only on document review; it must also cover, in particular, the review of technological controls.

The transition audit should include, among other things, the following:

  • The ISO/IEC 27001:2022 gap analysis and the resulting need for changes to the client’s ISMS.
  • The update of the Statement of Applicability (SoA).
  • If applicable, the update of the risk treatment plan.
  • The implementation and effectiveness of the new controls and of the modifications introduced by the client.

The CAB may perform the transition audit remotely if it is assured that the audit objectives are met.

At a minimum, the audit must include an additional 0.5 auditor days to confirm the transition of the certified client when the transition is performed during a control audit or as a separate audit.

3. Others

The CAB may define the timeline for the submission of the transition request by certified clients in the transition audit schedule.

The CAB will make the transition decision based on the outcome of the transition audit.

The CAB shall update the certification documents for the certified client if its ISMS meets the requirements of ISO/IEC 27001:2022.

Note: When the certification document is updated because the client completed only the transition audit, the expiry date of the current certification cycle is not modified.

All certifications based on ISO/IEC 27001:2013 will expire or be withdrawn at the end of the transition period.
