Transition Information Security Management Systems ISO/IEC 27001:2022

The new version of ISO/IEC 27001, ISO/IEC 27001:2022 “Information technology – Security techniques – Information security management systems – Requirements”, has been published on October 25, 2022.
In MD 26 “Transition Requirements for ISO/IEC 27001:2022”, the International Accreditation Forum (IAF) describes the transition requirements for this new version.

Most important data from the MD 26

  • Certification bodies (hereafter CB) must acquire accreditation for certification against this new version within 12 months after publication, meaning: CBs must be accredited before November 1, 2023.
  • CBs must have completed the transition of their clients to ISO/IEC 27001:2022 within 36 months after publication. Certified organizations may remain certified against the old version until the end of October 2025.
  • From 18 months after publication, meaning from May 1, 2024 onwards, CBs may no longer conduct initial assessment audits or reassessment audits against ISO/IEC 27001:2013 or NEN-EN ISO/IEC 27001:2017+A11:2020.

Application for scope extension is necessary

For CBs that are accredited for ISO/IEC 27001 and would like to transition to ISO/IEC 27001:2022, the RvA process, based on IAF MD 26, is as follows. From now on, CBs may apply for a scope extension of their accreditation to cover ISO/IEC 27001:2022. The application can be submitted to the contact person at RvA as usual. Only complete applications will be accepted.

Along with the application for scope extension, apart from the signed application forms F105 and F006-2, the CB must provide:

  • the internal audit report about the transition to the new norm;
  • a management review about the transition to the new norm;
  • a gap analysis of changes in ISO/IEC 27001:2022 compared to the last version;
  • a plan of action for the transition based on the gap analysis, fulfilling the requirements of MD 26;
  • the method and content of the information the certification body provides to its clients about the changes and about the method of transition to an ISO/IEC 27001:2022 certificate;
  • information demonstrating that auditors and decision makers have been trained for the new norm, and how this has been secured in the management system.

Simultaneous decision

Extension applications submitted before December 15, 2022, will be assessed in a simultaneous procedure. A simultaneous procedure has been chosen to level the playing field as much as possible for all accredited CBs.

For CBs for which no non-conformities are determined during this assessment, a simultaneous decision will be made on February 1, 2023. CBs for which non-conformities are determined may take corrective actions; the simultaneous decision for these CBs will be made on June 1, 2023. For CBs that submit their extension application for ISO/IEC 27001:2022 after December 15, 2022, and thus do not take part in the simultaneous decision, the accreditation decision will be made after June 1, 2023. The assessment will be conducted based on documents and will take a minimum of 4 hours, regardless of whether it is part of the simultaneous decision, supplements the regular assessment, or is filed as a separate extension application.

Adjusting scopes of accreditation

The version ISO/IEC 27001:2013*) will be mentioned on the scope of accreditation to make clear that the CB is accredited for this version. After accreditation for ISO/IEC 27001:2022 has been granted, both versions will be mentioned on the scope of accreditation, with an end date of October 25, 2025 for ISO/IEC 27001:2013.

Not yet accredited for ISO 27001?

CBs that do not yet hold accreditation for ISO/IEC 27001 may apply for an accreditation scope extension as usual. The assessment will consist of a documentation assessment, an office assessment, and a stage 1 and stage 2 witness assessment of an ISMS audit (see SAP-C010). After April 25, 2023, the RvA will no longer accept new applications for accreditation for ISO/IEC 27001:2013.

*) NEN-EN ISO/IEC 27001:2017+A11:2020 may be read wherever ISO/IEC 27001:2013 is mentioned. This version will not be mentioned on the scope of accreditation.