January 2, 2024

Last Updated on January 17, 2024

If your organization seeks to transition its ISO 27001 certification from ISO 27001:2013 to ISO 27001:2022, perhaps the most important new artifact you’ll need to create from scratch is a transition plan. Your third-party auditors will ask for this document and review it thoroughly as one of the initial external audit steps.

This post explains why an ISO 27001:2022 transition plan is so critical, what it should include, and other transition planning considerations.

 

What is an ISO 27001:2022 transition plan?

Your ISO 27001:2022 transition plan should comprehensively outline the steps your organization will take to achieve compliance with the updated standard. It should include:

  • The findings from your gap assessment to identify the required changes to your information security management system (ISMS).
  • Areas of your ISMS that do not need to change.
  • New or changed ISMS processes and procedures.
  • Timelines, budgets, and resources needed to accomplish the changes.
  • Notable changes to ISMS artifacts like your Statement of Applicability (SOA), risk treatment plan, and/or system security plan (SSP).

 

Why is a transition plan important for ISO 27001:2022 certification?

A top recommendation from CBIZ Pivot Point Security consultants helping clients move to ISO 27001:2022 is to ensure you have a robust transition plan that details how you adapted your ISO 27001 information security management system (ISMS) to the standard’s 2022 version.

Among the key steps for any company transitioning to ISO 27001:2022 is gap analysis and transition planning. Once you’ve identified where your ISMS is out of compliance with ISO 27001:2022, you need to document all the changes to bring it into compliance.

Some of the top questions your transition plan should answer for external auditors and other stakeholders include:

  • Which new controls did you decide were relevant in your environment, and which not?
  • Which of the new controls have you now operationalized, and which not?
  • What are your plans and timelines for rolling out any omitted controls?
  • What artifacts are you tracking to demonstrate new control operation and effectiveness?

Official recommendations on how to document your transition to ISO 27001:2022 are available in the International Accreditation Forum Mandatory Document MD 26:2022, “Transition Requirements for ISO/IEC 27001:2022.”

 

What is the official ISO 27001:2022 transition timeline?

You should complete your ISO 27001:2022 transition audit before July 31, 2025. This will ensure that you are awarded a new certificate before your ISO 27001:2013 certificate becomes invalid after October 31, 2025.

In addition, third-party auditors will only award new ISO 27001:2013 certifications through April 30, 2024. Organizations with a recertification audit scheduled on or after May 1, 2024, will need to transition to ISO 27001:2022 by that date.

 

Which transition approach should we take?

An organization has three options for undergoing its ISO 27001:2022 transition audit:

  1. During a scheduled ISO 27001 recertification audit, which takes place once every three years.
  2. As an add-on to a scheduled ISO 27001 surveillance audit, which takes place in years one and two following a certification or recertification audit.
  3. As a separate, focused audit independent of the three-year surveillance/recertification cycle.

For many companies, a big factor in deciding when to undergo a transition audit is how long it will take to implement and document all the changes and actions identified in the gap assessment. Consult with your external audit firm and your ISO 27001 consulting partner if you are using one to make sure your audit plans align with your ISO 27001 recertification cycle.

Another major factor in transition timing is often budget and resource availability. Build anticipated costs into future budgets with sufficient lead time so that senior management and team leaders can ensure adequate funding, etc.

Are your customers or other stakeholders already asking about your transition plans? If you face market pressure to comply with the updated and more secure version of the standard, a separate ISO 27001:2022 certification audit ahead of your recertification cadence might be the best choice—provided you can quickly achieve compliance with the new standard.

Make sure your audit partner has advance notice of your plans so they can schedule additional audit time and resources required. When a transition audit is part of a recertification audit, third-party ISO 27001 auditors are mandated to factor in an additional 0.5 auditor days to validate that you have executed your transition plan effectively. When a transition audit is part of a surveillance audit, an additional 1.0 auditor days will be added on.

 

How do we decide what control changes we need?

ISO 27001:2022’s Annex A outlines a new set of recommended ISMS controls. Organizations can take either of two approaches to identify the changes and updates needed to comply with the new requirements:

  1. Check how well your current risk assessment covers the new Annex A controls. This includes identifying and considering each 2022 control and updating risk treatment plans. Plus, update your SOA to cover all control modifications and additions.
  2. Perform a new risk assessment and identify new or modified Annex A controls that can be leveraged to manage the risk. In this context, make sure that all controls deemed applicable in your new SOA are covered. You’ll also need to modify risk treatment plans to cover any new risks.

When comparing current controls with the Annex A updates, start by considering each control, whether new, modified, consolidated, etc. If your ISMS includes an identical control, that control can be documented as covered/”necessary” in your SOA. If a control is not covered but is also not necessary to manage your risk, note it as “excluded” in the SOA.

If a control in your environment serves roughly the same purpose as an Annex A control but doesn’t align with it exactly, you need to explain that in your SOA also. The SOA must account for all the ISO 27001:2022 Annex A controls.

 

What’s next?

For more guidance on this topic, listen to Episode 128 of The Virtual CISO Podcast with guests Andrew Frost and Leigh Ronczka from CBIZ Pivot Point Security.