The ISO 27001:2022 transition audit. The phrase strikes fear into the hearts of many tech startups that have already been diligent enough to obtain their ISO 27001:2013 certification.
But fear not. If you are already certified to ISO 27001:2013, that certification remains valid until the end of your current certification cycle, provided that cycle ends on or before 31 October 2025. More about that later.
Why the Update from ISO 27001:2013 to ISO 27001:2022?
With information security being the priority that it is, security standards must be revised and improved regularly, so new versions of ISO 27001 will always have to be implemented sooner or later.
It has been almost 10 years since the 2013 version came out and, by the time everyone has transitioned to the 2022 version at the end of October 2025, it will be 12 years, so a revised standard is certainly due.
What’s changed from ISO 27001:2013 to ISO 27001:2022?
Let's first take a look at the difference between ISO 27001:2013 and ISO 27001:2022. You can read a brief rundown in Compleye's LinkedIn post of 21 March.
The changes are most evident in Annex A, which now addresses cyber security and privacy aspects more directly. The 114 controls in 14 domains of the 2013 version have been restructured into 93 controls in four themes (organisational, people, physical and technological). There are 11 new controls, 58 updated controls and 24 controls that were formed by merging 57 existing ones. The management-system clauses (4 to 10) have only minor wording changes.
The 11 new security controls (with their Annex A numbers in the 2022 version) are:
- 5.7 Threat intelligence
- 5.23 Information security for use of cloud services
- 5.30 ICT readiness for business continuity
- 7.4 Physical security monitoring
- 8.9 Configuration management
- 8.10 Information deletion
- 8.11 Data masking
- 8.12 Data leakage prevention
- 8.16 Monitoring activities
- 8.23 Web filtering
- 8.28 Secure coding
What’s the timeline for the transition to ISO 27001:2022?
As mentioned, your ISO 27001:2013 certification is valid until the end of its current cycle, as long as that cycle finishes on or before 31 October 2025, which is the final deadline for the transition to ISO 27001:2022.
So, if you are currently certified to the 2013 version, your certification is still valid, but only until 31 October 2025 at the latest. A 2013 certificate whose cycle would run past that date expires (or is withdrawn) on 31 October 2025 unless you have completed the transition by then.
What is the ISO 27001:2022 transition audit?
The transition audit is the inspection that the auditor conducts to assess your organisation against the new requirements of ISO 27001:2022. The auditor will check how your organisation has implemented the new and changed controls, and will expect to see the supporting evidence: a gap analysis against the 2022 version, an updated Statement of Applicability that references the 2022 Annex A numbering, an updated risk treatment plan, and proof that the new and changed controls are not only documented but actually implemented and effective.
When can the transition audit be done?
You can have the transition audit carried out as part of any scheduled audit (surveillance or recertification). This means additional audit time will be added to the existing audit.
Alternatively, you can have a separate, special transition audit performed, so you neither have to wait for your next scheduled audit nor be ready any sooner than you want to be or are able to be.
If my organisation has never been certified, should I certify to ISO 27001:2013 or ISO 27001:2022?
Although you could, in theory, still get certified to ISO 27001:2013 if you plan to be certified before October 2023, we recommend that companies without an existing certification should, if at all possible, bite the bullet and go straight for ISO 27001:2022.
If you do decide to go for ISO 27001:2013, the auditor will expect you to present a gap analysis showing that you understand what you will need to do for ISO 27001:2022 and what additional resources will be required. This also applies to companies that are already certified and that choose to renew their certification to the 2013 version of ISO 27001.
The one reason to hesitate is readiness: if you attempt ISO 27001:2022 before you are ready for it, you are likely to come up against many non-conformities. In that case it might be best to implement ISO 27001:2013 first and complete a gap analysis, showing that you understand what is required and that you will be able to implement ISO 27001:2022 before 31 October 2025.
What’s the latest I can do the transition audit?
All transition audits should be conducted by 21 July 2025, which leaves the certification body enough time to review the audit and issue the new certificate before the 31 October 2025 deadline.
Of course, you won't need a transition audit at all if you go straight for ISO 27001:2022.
Contact Compleye to get further advice on the best choice to make in the run-up to the transition!