March 2, 2023

Last Updated on January 15, 2024

When Will Auditors Be Ready to Certify ISO 27001:2022 Compliance?

After considerable buildup, the new ISO 27001:2022 cybersecurity standard was released in late October 2022. Since then, everyone in the ISO 27001 ecosystem, from the accreditation bodies to the auditors to the entities seeking audits, has been making changes to align with the new release. So, when can orgs expect auditors to be ready to audit them?

To share all the latest info on ISO 27001:2022 certification, a recent episode of The Virtual CISO Podcast features Ryan Mackie and Danny Manimbo, principals at Schellman. John Verry, Pivot Point Security CISO and Managing Partner, hosts the show.

Conformance requirements for certification bodies
Before they can conduct audits, auditors (aka registrars or certification bodies) must update their ISO 27001 accreditations to the new 2022 release with their accreditation bodies. Mandatory Document (MD) 26, a free publication issued by the International Accreditation Forum (IAF) oversight body, defines the transition procedures that ISO 27001 certification bodies must conform to before they can issue ISO 27001:2022 certificates.

Note: MD 26 was updated to Issue 2 in mid-February 2023. As of now, the IAF has yet to publish the update online.

According to MD 26, Issue 2, accreditation bodies have six months from the October 2022 release of ISO 27001:2022 (i.e., until April 30, 2023) to get ready to assess certification bodies like Schellman against the new standard. Schellman’s two accreditation bodies, ANAB in the US and UKAS in the UK, both announced in January 2023 that they were ready to process assessment applications.

In parallel with accreditation bodies’ readiness process, certification bodies have one year from the October 2022 publication date to complete their transition to an ISO 27001:2022 audit format. Schellman expects to have its accreditation updated for ISO 27001:2022 by March 31, 2023.


What is changing for auditors with ISO 27001:2022

Danny observes that most auditors will look to achieve accreditation against ISO 27001:2022 well before the October 31, 2023 deadline. There are a number of specific activities that all certification bodies have to demonstrate as part of their application process. The effort involved is significant.

“From a standards perspective, a lot of the management system is going to be the same between 2013 and 2022,” Danny notes. “So, it’s the approach and the control set [that are changing]. Obviously, you need to get your team trained up on understanding that new control set, how to test it and whatnot.”

Given the large number of companies that want to demonstrate ASAP that they comply with the new 2022 version of ISO 27001, most certification bodies are also looking to be ready to audit them as soon as possible.


What’s next?

To listen to this podcast episode with Ryan Mackie and Danny Manimbo from Schellman, click here.

How will the recent update to the ISO 27001 control set impact your cybersecurity program? The New ISO 27002:2022—What Does It Mean for Your ISO 27001 ISMS?