Careful! Not all options are created equal here.
Great – at this point, we have determined the timeline for when we need to complete the transition of our certified Information Security Management System (ISMS) to the new 2022 revision. But what exactly do we need to communicate to transition or upgrade our certificate?
First, let’s recall our source material for this topic, which is IAF MD 26. This will serve as our reference file in case there are further transition topics we need to investigate.
Luckily, this counter is fake and you have more time to transition to ISO/IEC 27001:2022 as of this writing.
Next, how long are these transition audits?
It depends, but not all options are as cost-effective as their alternatives, as described below:
Option #1: Conduct the transition audit at the same time as your recertification audit. This option will be the most cost-effective, as your certification body auditor is only required to add ½ day to its audit plan. Likewise, you are knocking out this one-time transition audit in parallel with a required annual audit, limiting the time you need your staff to step away from their day jobs to address external audit inquiries.
Option #2: Conduct the transition audit at the same time as your surveillance audit. You may not be due for a recertification audit, or the timing of your recertification audit in 2025 would put you right up against the hard deadline of October 31, 2025, to transition. If this is your scenario, you should still consider bundling your transition with a regularly scheduled annual audit (i.e., surveillance), but IAF MD 26 requires a full 1.0 day to be planned as supplemental time by the certification body auditor. This option is not as cost-effective, but you at least benefit from completing the transition at the same time as a related external audit by your certification body.
Option #3: Schedule an out-of-cycle transition audit separate from the recurring annual audit of your ISMS by the certification body. This option is the costliest in terms of both budget and resources, as you are requesting your external auditor and your internal staff to be available for an ad hoc audit sometime throughout the year for a second time. IAF MD 26 requires the certification body to plan for a full 1.0 day for this transition audit; however, since this activity is not bundled with an annual audit, your certification body may have to charge additional fees compared to Option #2 due to the separate report it will have to generate vs. a few extra explanatory notes as a supplemental section in the annual report.
Do yourself a favor and plan ahead for this transition audit by engaging early and as a co-collaborator with your certification body on a plan to transition from ISO/IEC 27001:2013 to ISO/IEC 27001:2022.
This engagement does not necessarily mean your organization should transition early, but it will at least force all parties to define a schedule for getting this activity completed (and, hopefully, while leveraging Option #1 or Option #2, as both are feasible with preparation).