Transition to ISO/IEC 27001:2022

Changes to ISO/IEC 27001:2022

According to the document, the significant changes to ISO/IEC 27001:2022 are:

• Annex A references to the controls in ISO/IEC 27002:2022;
• The notes of Clause 6.1.3 c) are revised editorially;
• The wording of Clause 6.1.3 d) is re-organized to remove the potential ambiguity;

Compared to the previous version of the standard, the number of controls in ISO/IEC 27002:2022 has decreased from 114 controls divided into 14 sections to 93 controls in 4 sections. 24 controls have been merged and 58 controls have been updated.

Changes to certified companies

In order for companies to transfer to ISO/IEC 27001:2022 certification, the following steps must be taken (but not limited):

• the gap analysis of ISO/IEC 27001:2022, as well as the need for changes to the client’s ISMS;
• the updating of the statement of applicability (SoA);
• if applicable, the updating of the risk treatment plan;
• the implementation and effectiveness of the new or changed controls chosen by the clients;

All certified customers must transition to ISO/IEC 27001:2022 within 36 months of the standard’s publication date, tentatively October 2025.

 Requirements for certification bodies

Certification bodies must be accredited according to ISO/IEC 27001:2022 within 12 months from the publication of the standard, taking into account the capabilities of the accreditation bodies.

Customers’ transition to the new ISO/IEC 27001:2022 can be organized by:

• In the regular audit
• transition audit

As a minimum, the audit shall include an additional 0.5 auditor day.

For existing customers, BM Certification will prepare detailed information on the transition to the new ISO/IEC 27002:2022.

The document is available here:

https://iaf.nu/iaf_system/uploads/documents/IAF_MD_26_Transition_requirements_for_ISOIEC_27001-2022_09082022.pdf