Contact

What are you looking for?

ISO/IEC 27001 Transition: What You Should Know

May 10, 2024

ISO/IEC 27001:2022 – Information Security, Cybersecurity and Privacy Protection – Information Security Management Systems – has replaced ISO/IEC 27001:2013.

The new standard was published on October 25, 2022. After a three-year transition period, ending October 31, 2025, all ISO/IEC 27001:2013 certifications will expire or should be withdrawn. We will not conduct initial or recertification audits to the old standard after April 30, 2024.

Certificates issued or reissued against ISO/IEC 27001:2013 during the transition period (November 1, 2022, to October 31, 2025) will have October 31, 2025, as their expiration date and not the usual three-year validity. After the transition period, an organization with an expired ISO/IEC 27001:2013 certification will be treated as a new client, subject to a full initial audit.

Transition options

The transition may be conducted in one of three ways: via special audit, routine surveillance or recertification audit.

  • Special audit: a separate audit for clients who would like to complete their transition as a one-off event
  • Routine surveillance: a progressive approach for clients who would like to complete their transition during their scheduled ISO/IEC 27001:2013 surveillance audits
  • Recertification audit: for clients who wish to complete their transition during their scheduled ISO/IEC 27001:2013 recertification audit

What are the main changes to the standard?

ISO/IEC 27001:2022 is not a fully revised edition. Its main changes include, but are not limited to:

  1. Annex A references the information security controls in ISO/IEC 27002:2022, which include information about control title and control
  2. The notes of Clause 6.1.3 c) are revised editorially, including deleting the control objectives and using “information security control” to replace “control”
  3. The wording of Clause 6.1.3 d) is reorganized to remove the potential ambiguity
  4. Throughout the new version, the document refers to itself as “this document” rather than “this standard”
  5. Adding a new item, 4.2 c), to determine the requirements of the interested parties addressed through information security management systems (ISMS)
  6. Adding a new subclause. 6.3-Planning for changes, which defines that the changes to the ISMS shall be carried out by the organization in a planned manner
  7. Keeping the consistency in the verb used in connection with documented information, for example, using “Documented information shall be available as evidence of XXX” in Clauses 9.1, 9.2.2, 9.3.3 and 10.2
  8. Using “externally provided process, products or services” to replace “outsourced processes” in Clause 8.1 and deleting the term “outsource”
  9. Naming and reordering the subclauses in Clause 9.2-Internal audit and 9.3-Management review
  10. Exchanging the order of the two subclauses in Clause 10-Improvement
  11. Updating the edition of the related documents listed in Bibliography, such as ISO/IEC 27002 and ISO 31000
  12. Some deviations in ISO/IEC 27001:2013 to the high-level structure, identical core text, common terms and core definitions of management system standards (MSS) are revised to be consistent with the harmonized structure for MSS, for example, Clause 6.2 d)

Note 1: The first two items come from ISO/IEC 27001:2013/DAmd1 and the third item from ISO/IEC 27001:2013/COR 2:2015. The other changes result from the harmonized structure for MSS.

Note 2: Compared with the old edition, the number of information security controls in ISO/IEC 27002:2022 decreases from 114 controls in 14 clauses to 93 controls in 4 clauses. For the controls in ISO/IEC 27002:2022, 11 controls are new, 24 controls are merged from the existing controls, and 58 controls are updated. Moreover, the control structure is revised, which introduces “attribute” and “purpose” for each control and no longer uses “objective” for a group of controls.

Download our white paper on the key changes.

For further information, please contact:

Paula Costa
Global Technical Product Manager
Information Security Assurance
t: +44 7918 740604

About SGS

We are SGS – the world’s leading testing, inspection and certification company. We are recognized as the global benchmark for sustainability, quality and integrity. Our 99,600 employees operate a network of 2,600 offices and laboratories around the world.

News & Insights

  • SGS Australia

28 Reid Road,

Perth Airport, 6105,

Western Australia,

Australia