ISO 27001:2022 Transition Toolkit
The Transition to ISO 27001:2022
The transition from ISO/IEC 27001:2013 to ISO/IEC 27001:2022 is expected to be completed within three years of the publication date of ISO/IEC 27001:2022, October 25, 2022. Therefore, certificates issued against the 2013 version need to be transitioned to the new version before October 31, 2025.
The transition audit can be carried out at any scheduled audit during the 3-year transition period but can also be performed as a special transition audit.
Organizations that are certified against ISO/IEC 27001:2013 can begin updating their ISMS to ISO/IEC 27001:2022 at any time; the main workload is implementing the new controls in Annex A.
What You Need to Know
- All organizations must have a transition audit to confirm the implementation of the revised standard. The transition audit may be conducted in conjunction with an existing audit or can be a stand-alone audit.
- If the transition audit is conducted in conjunction with an existing surveillance (i.e. transition surveillance) or recertification audit (i.e. transition re-assessment), additional time may be added to the audit duration in order to cover the new requirements/concepts introduced by ISO 27001:2022.
- If a stand-alone audit is carried out for the transition audit, the duration is calculated on an individual organization basis.
- The duration of the stand-alone transition audit is between 0.5 and 1.5 audit day(s), depending on the organization’s size and the complexity of the ISMS. Your ABS QE Client Representative will advise your specific transition audit duration.
Updated ISO 27001:2022 certificate issuance and validity will be as follows:
- Transition surveillance: The organization’s existing ‘Valid Until Date’ will be maintained.
- Transition re-assessment: A new ‘Valid Until Date’ will be issued for the renewed 3-year period.
- Stand-alone transition: The organization’s existing ‘Valid Until Date’ will be maintained.
How to Prepare for the Transition
Organizations can prepare for the transition by taking the following steps:
- Conduct a gap analysis to understand your existing system and determine the changes required to fulfill the requirements of the new edition of the standard.
- Assess the information security risks and determine the information security controls that should be implemented.
- Review and update the risk treatment plan and the Statement of Applicability.
- Review other ISMS documentation and any mappings to other frameworks or sets of controls, and update them as necessary.
- Plan and conduct role-based training regarding the new standard requirements, if necessary.
- Implement controls to meet new requirements.
- Conduct an internal audit to assess the ISMS compliance, as required by clause 9.2 of ISO/IEC 27001:2022.
- Start the migration/certification process. Certified companies may wish to pursue a more aggressive timeline in order to benefit sooner from the heightened levels of security and privacy included in the new 27001 release.