ISO Certification Bodies Prepare for Transition to ISO 27001:2022

ISO Certification Bodies are preparing their staff and processes for the transition to ISO 27001:2022, with most offering a three-year transition period.

If you are certified to ISO 27001:2013, you should begin planning your transition to the new standard.

What is the Transition Period for ISO 27001:2022?

Your current ISO 27001:2013 certificate will remain valid; however, you will need to make the transition to the new 2022 version of the standard within the transition period, which ends around October 2025, depending on your certification provider.

You may also wish to plan your transition audit to take place two-to-three months before your certificate expiry and/or the deadline to allow time to resolve any non-conformities or other issues that may occur.  

If your customers, or other stakeholders, are asking you about ISO 27001:2022, this may also speed up your timeline for transition.  You should contact your certification body to plan a realistic date.

When will Certification Bodies be Offering ISO 27001:2022 Certification?

Before certification bodies can offer an ISO 27001:2022 scheme they need to ensure their auditors, technical and back-office staff are competent to work with the new revision of the standard.  This usually involves some formal training which takes some time.

In addition, there may be other requirements that the accreditation body requires them to meet.

This takes time, and many certification bodies are not expecting to issue ISO 27001:2022 certificates until 2023.

However, surveillance audits to the ISO 27001:2013 version will go ahead as normal in the meantime.

What Happens if I Don’t Transition my ISO 27001 Certificate?

If you do not make the transition to the new revision of the standard, your certificate will expire and you will be required to remove any claims of being ISO 27001 certified.

While a very small number of organisations may choose this time to allow their certification to lapse, the vast majority will evolve their information security management system (ISMS) and benefit from new controls to mitigate risks.

If your certificate does lapse, you will be required to complete a full stage 1 and stage 2 audit process again in order to regain certification.

How Many Audit Days Are Needed for ISO 27001:2022?

We do not expect the 2022 revision of the standard to require any additional audit days.

However, ISO 27006:2015, the standard used by certification bodies to calculate audit days, has not yet been revised and this may change in the future. 

The transition audit will usually be completed as part of a recertification audit, or as an additional interim audit. 

How to start the ISO 27001:2022 Transition Process

Impartial certification bodies will not be able to provide assistance to help you implement the requirements of ISO 27001:2022, as this could affect the integrity of their assessment and certificate.

However, they can put you in touch with proven ISO Consultants who can help.

ISO Consultants may take a variety of approaches depending on the support you require; however, gap analysis, internal audits and documentation help are all common services.

Get ISO 27001:2022 Certification Support

We are NOT a certification body, however we can support you through the certification process by collating comparable costs and managing any issues.

To find out more, please contact us.