March 3, 2023

Last Updated on January 15, 2024

We’re Working Towards Certification to ISO 27001:2013—How Does ISO 27001:2022 Impact Us?

The new ISO 27001:2022 version was just finalized in October 2022. If your org has been pursuing ISO 27001 certification referencing the 2013 version, does that mean you’re hosed?

Thankfully not! But there are considerations to address. For first-hand guidance on the recommended approach to this issue, a recent episode of The Virtual CISO Podcast features Ryan Mackie and Danny Manimbo, principals at Schellman. Hosting the show is John Verry, Pivot Point Security CISO and Managing Partner.

It’s all in MD 26

Behind the question of which ISO 27001 version your information security management system (ISMS) conforms to lies the real question: will you be done in time to receive a certification referencing the superseded version?

Mandatory Document (MD) 26, a free publication issued by the International Accreditation Forum (IAF) oversight body, specifies the transition process for ISO 27001 certification bodies, aka auditors or registrars. MD 26, recently revised to Issue 2, states that no new certifications can be issued after April 30, 2024.

Out with the old

Even if you can get certified to ISO 27001:2013, should you?

“The recommendation is that even if you started with 2013, transition right now before your certification audit so you don’t have to go through a transition audit after you get certified,” advises Ryan. “Regardless of when your Stage 1 or Stage 2 audit will be, start that process now to really get on that 2022 version.”

But ISO 27001:2013 certifications will be valid until October 31, 2025, right? So, what’s the rush to transition?

Schellman is advising clients to accomplish the transition to ISO 27001:2022 by 2024, because of the need to update key ISMS documentation on an annual or more frequent cadence.

Ryan explains: “Some of the updates are so tied to those annual cadence activities—the risk assessment, the internal audits, updating your Statement of Applicability (SOA)… You don’t want to rush that, and you don’t want to have the standard update drive what your cadence is. So, for example, if you’ve done a risk assessment in Q1 2023 based on the ISO 27001:2013 version, wait until 2024 and then do the transition to ISO 27001:2022.”

What’s next?

To hear this podcast episode with Danny Manimbo and Ryan Mackie from Schellman all the way through, click here.

Recommended reading: The New ISO 27002:2022—What’s New with the Controls?