Revised ISO 27001 Standard

In anticipation of the release of ISO 27001:2022 later this year, the International Accreditation Forum (IAF) have set out the mandatory requirements for transitioning to the new version of this standard. This is detailed in the document IAF MD 26.

What you need to know if you hold ISO 27001:2013 certification:

  1. You will have 36 months from the release of ISO 27001:2022 to update your ISMS and transition your certification. After 36 months, all ISO 27001:2013 certificates will expire or be withdrawn.
  2. Your certification body will need to conduct a transition assessment within this time period and issue you an updated certificate.
  3. The transition assessment will determine whether you have updated your ISMS to the new requirements of ISO 27001:2022 including the significant changes to Annex A controls.
  4. You can transition at a surveillance audit, a recertification audit or a stand-alone assessment. Typically this will require additional audit time.
  5. No new certificates for ISO 27001:2013 can be issued after 12 months from the release of ISO 27001:2022.