Via our friendly compliance expert
🚨 It's finally happening... sort of
The IAF released the transition requirements for ISO 27001:2013 to ISO 27001:2022.
General Key points:
-All accreditation bodies will have 12 months from the last day of the publication month of ISO 27001:2022 to assess and transition the conformity assessment bodies (CABs) they accredit.
-Organizations already certified to ISO 27001:2013 will have 36 months from the last day of the publication month of ISO 27001:2022 to transition to and be certified to ISO 27001:2022.
-All certifications based on ISO 27001:2013 shall expire or be withdrawn at the end of the transition period.
Transition Audit Key Points
-CABs may conduct the transition audit in conjunction with the surveillance audit, recertification audit or through a separate audit.
-The transition audit shall not only rely on the document review, especially for reviewing the technological controls.
-The transition audit shall include, but is not limited to, the following:
• the gap analysis of ISO 27001:2022, as well as the need for changes to the client’s ISMS;
• the updating of the statement of applicability (SoA);
• if applicable, the updating of the risk treatment plan;
• the implementation and effectiveness of the new or changed controls chosen by the clients.
-CABs may conduct the transition audit remotely if they ensure the transition audit objectives are met.
KEY NOTE - ISO 27001:2022 has not been published yet and therefore the transition period has not started yet.