Transition to ISO/IEC 27001:2022 - updated
As anticipated, the International Accreditation Forum has published updated guidance on the transition arrangements for certification of organisations against ISO/IEC 27001:2022, the new third edition of the standard released in October. There are several possibilities under various circumstances (as I understand it*) ...
1) Organisations that are already certified to ISO/IEC 27001:2013 (or to equivalent national translations of that old 2013 edition of the standard) have about three years to move to the new 2022 edition. Meanwhile, surveillance audits can use either edition of the standard, whichever the organisation chooses to use.
2) Organisations currently preparing to be certified prior to June 2023 can choose either edition:
- If you intend to use the new 2022 edition (which I heartily recommend), you need to find a certification body that is accredited for the 2022 edition, with auditors suitably trained on the standard's updated requirements (e.g. clearer guidance about the Annex A controls being discretionary, and the need for ISMS changes to be planned). All accredited certification bodies should be fully up to speed with the new 2022 edition before June.
- If you intend to use the old 2013 edition, any accredited certification body should be suitable ... but your certification will need to be updated to the new 2022 edition at some point during the following three years: the full recertification due at three years can only be to the new 2022 edition. Updating your ISMS involves finding and correcting all references to the Annex A controls (which were completedly reorganised), being able to demonstrate that ISMS changes are being 'planned', and other minor tweaks - all fairly straightforward and probably insignificant compared to the routine changes in your information risks and security controls since you were certified.
- If you intend to use the old 2013 edition but with the new 2022 edition's Annex A information security controls, or indeed some other reference suite of information security controls, or a purely custom control set, any accredited certification body should be competent to audit and certify your organisation ... but beware those with poorly-trained jobsworth auditors who insist that the Annex A controls are necessary even if your management deems them unnecessary to mitigate the organisation's information risks (which they are perfectly entitled to do provided they follow the risk management process specified in their compliant ISMS).
3) From June 2023 onwards, no further old 2013 edition certifications are possible, in other words all organisations must use the new 2022 edition.
* For more information, please study the IAF guidance and if necessary contact your certification body or the IAF - not me, sorry. We can help you with templates for all the mandatory and many discretionary ISO/IEC 27001:2022 documents, plus a suite of information security policies aligned with and extending both Annex A versions.