RIGCERT policy for the transition of certifications to ISO/IEC 27001:2022
On the 25th of October 2022, the new edition of ISO/IEC 27001 (ISO/IEC 27001:2022) was published by the International Organization for Standardization.
This policy details the requirements and arrangements for the transition of accredited ISO/IEC 27001 certifications to the new edition of this standard. The policy is relevant for certified organizations as well as for those organizations looking to obtain the ISMS certification to ISO/IEC 27001.
The transition period began on the 31st of October 2022 and ends on the 31st of October 2025.
RIGCERT will continue to accept applications for ISMS certification according to ISO/IEC 27001:2013 until 01.04.2024. Starting from 01.05.2024 all new certifications and recertifications will have to be in accordance with the 2022 edition of ISO/IEC 27001.
Our ability to provide accredited certification according to ISO/IEC 27001:2022 depends of course on the transition of our accreditation to the new edition of the standard. We are hopeful that we will be able to transition our accreditation in time so that we can provide accredited ISO/IEC 27001:2022 certifications in the first part of 2024.
All existing certifications must be transitioned to the new edition of the standard by the 31st of October 2025. The assessment for the transition to the new edition of the standard will normally be carried out during regular surveillance or recertification audits. At the request of the certified organization, the transition assessment can instead be carried out through a special audit.
The changes brought by this new edition of ISO/IEC 27001 are limited. They mostly concern the information security controls in Annex A of the standard, which now contains 93 controls (instead of 114 in the 2013 edition), grouped into four themes: organizational controls, people controls, physical controls and technological controls.
The transition will require from certified organizations a gap analysis, revisions to the existing ISMS documents (e.g. the Statement of Applicability and the risk treatment plan), the implementation of the additional or modified information security controls, and an evaluation of their effectiveness. An internal audit of the ISMS and a management review should also be performed as part of the transition process.
Considering the changes brought by the new standard, we believe that the impact on our clients and their ISMSs is limited, and we expect that the transition assessment will not require more than one supplementary auditor day.
Following a successful transition assessment, RIGCERT will issue a new certificate for the ISMS (to ISO/IEC 27001:2022) which identifies the updated version of the Statement of Applicability.
Our online training course on the requirements for an ISMS according to ISO/IEC 27001:2022 is available here.