Transition to ISO/IEC 27001:2022
On August 9, 2022, the International Accreditation Forum published IAF MD 26:2022, which defines the requirements for accreditation bodies and certification bodies for the transition to ISO/IEC 27001:2022.
Changes to ISO/IEC 27001:2022
According to the document, the significant changes in ISO/IEC 27001:2022 are:
- Annex A now references the controls in ISO/IEC 27002:2022;
- the notes of Clause 6.1.3 c) have been revised editorially;
- the wording of Clause 6.1.3 d) has been reorganized to remove potential ambiguity.
Compared with the previous version of the standard, the number of controls in ISO/IEC 27002:2022 has decreased from 114 controls divided into 14 sections to 93 controls in 4 sections. 24 controls have been merged and 58 controls have been updated.
Changes for certified companies
To transition to ISO/IEC 27001:2022 certification, companies must take at least the following steps (the list is not exhaustive):
- a gap analysis against ISO/IEC 27001:2022, identifying the changes needed in the client’s ISMS;
- updating the Statement of Applicability (SoA);
- if applicable, updating the risk treatment plan;
- implementing the new or changed controls chosen by the client and verifying their effectiveness.
All certified customers must transition to ISO/IEC 27001:2022 within 36 months of the standard’s publication date, tentatively October 2025.
Requirements for certification bodies
Certification bodies must be accredited to ISO/IEC 27001:2022 within 12 months of the standard’s publication, taking into account the capabilities of the accreditation bodies.
A customer’s transition to ISO/IEC 27001:2022 can be organized in one of two ways:
- as part of a regular audit;
- as a separate transition audit.
At a minimum, the audit shall include an additional 0.5 auditor-day.
For existing customers, BM Certification will prepare detailed information on the transition to the new ISO/IEC 27002:2022.
The document is available here: