ISO standards, including ISO 27001, are periodically reviewed and revised to ensure they remain relevant and effective in addressing current challenges, technological advancements, and industry best practices. Here are some key reasons why ISO 27001 is being updated to a new version in 2022.
Moving from ISO 27001:2013 to ISO 27001:2022 involves a transition process that organizations currently certified to ISO 27001:2013 will need to follow. Here’s a general timeline and process for transitioning:
- Publication of ISO 27001:2022: The new standard was published in early 2022.
- Transition Period: ISO standards typically provide a transition period during which organizations can update their management systems to comply with the new version. The transition period for ISO 27001:2022 is as follows:
  - October 31, 2022 – Transition period begins.
  - May 1, 2024 – Companies being certified for the first time must be certified against the 2022 version of the standard.
  - July 31, 2025 – Deadline to transition to the 2022 version of the standard.
Then, what should you do?
- Familiarization with Changes: Familiarize your organization with the changes introduced in ISO 27001:2022 compared to ISO 27001:2013. This includes understanding new or revised requirements, updated terminology, and any additional guidance provided.
- Gap Analysis: Conduct a gap analysis to identify where your current information security management system (ISMS) already aligns with ISO 27001:2022 and where adjustments or enhancements are needed. This should include a review of policies, procedures, controls, risk assessments, and documentation.
- Update Documentation and Implementation: Update your ISMS documentation and implement any changes needed to align with ISO 27001:2022 requirements. This may involve revising existing policies and procedures, incorporating new controls, and adjusting practices to reflect the updated guidance.
- Training and Awareness: Provide training and awareness sessions for relevant personnel so that they understand the changes in ISO 27001:2022 and their roles in implementing the updated ISMS.
- Internal Audit: Conduct an internal audit to assess the effectiveness of the updated ISMS against ISO 27001:2022 requirements. This identifies any areas needing further improvement or corrective action.
- Management Review: Review the results of the internal audit and the overall performance of the ISMS in a management review meeting. This ensures top management is aware of the status of the transition and can provide the necessary support and resources.
- Certification Audit: Schedule a certification audit with your chosen certification body. The audit will assess your ISMS against ISO 27001:2022 requirements through interviews, documentation review, and on-site verification (if applicable).
- Certification Decision: Based on the audit findings, the certification body will make a decision on certification to ISO 27001:2022. If your ISMS is compliant, it will issue a new certificate reflecting the updated version.
The specific timeline for transitioning from ISO 27001:2013 to ISO 27001:2022 can vary depending on factors such as the complexity of your ISMS, the size of your organization, available resources, and external support (e.g., consultants). It is advisable to start planning and preparing for the transition as soon as the new version is published to ensure a smooth and timely certification process.