Last Updated on February 23, 2024
ISO 27001:2022—When Should My Org Make the Transition?
All orgs currently certified to ISO 27001:2013 must recertify to ISO 27001:2022 by October 31, 2025. Those planning one more certification to ISO 27001:2013 need to complete that audit by April 30, 2024. What do these deadlines mean for the timing of your upcoming ISO 27001 external audit?
Registrars are ready
Many ISO 27001 registrars (aka auditors or certification bodies) are ready now to conduct certification audits, as their October 2023 accreditation deadline draws nearer. So, companies that are ready now can begin their ISO 27001:2022 audit process immediately.
Or, if you’ve been preparing to be audited against ISO 27001:2013, you have about a year to complete your audit, then another 18 months to get ready for ISO 27001:2022.
For details on ISO 27001:2022 timescales, see the International Accreditation Forum’s “mandatory document” MD 26:2023. (Be sure to get Issue 2.)
Is sooner better?
If you know you need to make the transition from a “2013” ISMS to a “2022-compliant” system, when is the best time to have your audit? That depends on your current certification cadence.
To minimize costs, many orgs will want to wait until the time of their next surveillance or recertification audit to move to ISO 27001:2022 certification. Others might prefer to “skip ahead” so that they can announce their updated compliance and security leadership to clients and others as a competitive differentiator.
If no other factors take precedence, Pivot Point Security consultants often recommend that customers wait until 2024 to get recertified, to give auditors time to get comfortable with the new guidance. In the early going, it’s possible that there could be some “surprising” interpretations that could lead to an unexpected nonconformity. Conversely, some auditors might be more lenient as they’re first learning and interpreting the new guidance. Moving early isn’t necessarily riskier, just less predictable.
How much time do you need for the transition? If you’re scheduled for a surveillance or recertification audit in summer or early fall 2023 (that is, in about four to six months), it might be a scramble to make all your ISO 27001:2022 changes in that short timeframe. But if your next audit is in about nine months, you probably have enough time to make the move.
What about waiting?
If you want to wait, when is the latest you can transition to ISO 27001:2022? According to MD 26:2023, you’ll need to complete your transition audit by October 31, 2025, three years after the release of the new version in October 2022.
Does it matter if that’s a surveillance or recertification audit? Probably not much for most orgs. If it’s a surveillance audit, the auditor is required to add one-half day to the audit to review your “transition plan,” versus a full day to review the transition plan for a recertification audit.
What’s a transition plan? This newly required documentation describes what steps you took to transition your ISMS to the new guidance. The auditor will also probably review how you’ve handled the 11 new controls in Annex A, as well as your Statement of Applicability (SOA) and risk assessment.