It’s Time to Make the ISO 27001 Transition
The world’s best-known standard for cybersecurity, ISO 27001, has been updated from ISO 27001:2013 to ISO 27001:2022. If you haven’t already made the transition, the drop-dead date for adoption of the 2022 standard is October 31, 2025. It’s time to move on to the newest ISO 27001 standard!
As part of the transition to the new standards, you will be required to undergo an ISO 27001 Transition Audit with a certification body. The purpose of the transition audit is to demonstrate that an organization understands the differences between the 2013 and 2022 standards. It can be performed as a stand-alone engagement or combined with a surveillance audit or re-certification audit, adding about one day to the audit.
Where are you on the conversion journey?
Wherever you may be on the conversion journey, you should reach out to your certification auditor to agree on a timeline, if you have not already. Once you know when your transition audit will take place, you can schedule other required activities, including your annual risk assessment and ISMS internal audit accordingly. To make sure you successfully transition to the new standard, now is the time to build a detailed timeline to your ISO 27001:2022 certification, if you have not already.
If you are new to ISO 27001 and have not received your first certification yet, you have no choice but to transition to the 2022 standards before getting certified. April 30, 2024, was the last date ISO certification bodies [aka your certification auditor] could issue a certificate under the ISO 27001:2013 standards.
If you have an existing certification under the 27001:2013 standards, ISO allows for a three-year transition period, which ends October 31, 2025. It is important to understand exactly what happens at the end of the transition period: All ISO 27001 certificates issued under the 2013 standards will be revoked, regardless of the expiration date printed on the certificate itself. If clients reach out to your certification body to confirm the validity of your ISO 27001:2013 certification after October 30, 2025, they will be told that your certificate is no longer valid. Note that many certification bodies have already been amending the ISO 27001:2013 certificates they issue to show an expiration date of October 30, 2025 rather than three years from the date of issuance.
If you are barely starting your conversion to ISO 27001:2022, you may not be ready for a transition audit until early 2025. Depending on the timing of your next surveillance audit or re-certification audit, you may need to work with your certification body to schedule your audit earlier than usual in order to make the October 30, 2025 deadline. With other organizations competing for finite audit resources, reaching an understanding around the schedule of your transition audit as soon as possible may be key.
What’s involved in a transition audit?
A transition audit should not require significant work beyond the gap assessment, but the timing of the audit may be crucial. For most organizations, the implementation of new processes and activities identified by the gap assessment should take three to six months. Once your new controls are in place, you should schedule an Internal Audit, not only because it is required annually, but to validate the effectiveness of your new controls and avoid surprises during your transition audit.
During the transition audit, the certification auditor will review:
- the risk treatment plan
- the Statement of Applicability (SoA)
- evidence that new clauses and controls of ISO 27001:2022 are effectively implemented
- a gap analysis to identify new clauses and controls from the 2022 standards that are applicable to your organization
Clauses 6.1.3 and 8.3, covering the preparation and implementation of a risk treatment plan and a Statement of Applicability, have not materially changed between the 2013 and 2022 versions of the standard. The certification auditor’s focus will be on ensuring your documentation aligns with the new control grouping and numbering in ISO 27001:2022. As in every re-certification and surveillance audit, the auditor will also focus on the accuracy and completeness of your documents.
Implementation review
The review of the implementation of the new ISO 27001:2022 clauses and controls is the same as the test of effectiveness of clauses and controls performed during a re-certification audit. If you perform your transition audit at the same time as a surveillance audit, however, there may be an impact on the scope of the audit. The auditor will review the 2013 controls that had already been earmarked for the surveillance audit in the audit plan, as well as all new 2022 controls, potentially increasing the overall scope of the audit.
Gap assessment
The gap assessment is a one-off activity that should be one of the first steps in the transition to ISO 27001:2022. You can leverage Annex B of ISO 27002:2022 (think of 27002 as the implementation guidelines for 27001) to identify new controls and limit your assessment to them. But we recommend performing a comprehensive assessment of all controls and clauses of the 2022 standards.
Even if controls have not changed between the 2013 and 2022 standards, or are the result of merging 2013 controls, the guidance for implementing them may have been modified enough to require changes at your organization. For example, control 5.8 from ISO 27001:2022, covering the integration of security in project management, is reported in Annex B as the merger of two 2013 controls. Annex B does not disclose that whereas the 2013 guidance focused on managing security risks early in the initiation of a project, the 2022 guidance extends consideration to identifying security risks and implementing effective treatment activities throughout the lifecycle of the project. Failure to extend the control according to the new guidance may lead a certification auditor to question whether the control is fully implemented.
How Weaver Can Help
If you are looking for resources to support your transition activities such as performing a gap or risk assessment, executing the internal audit, or providing consulting services over the design of new processes and activities required for ISO 27001:2022, contact us. We are here to help.
©2024