The clock to transition to the new revision already started.

On October 25, 2022, the first major revision to the popular ISO 27001 standard in almost 10 years was published, triggering the simultaneous withdrawal of the longstanding 2013 revision.

While revisions to these standards are not uncommon, the transition periods that follow a release vary with the extent of the changes to the underlying criteria and with organizational circumstances, such as whether a scope is already certified or is still at an earlier stage, before a certification body has made its decision and issued the certificate.

Make no mistake – this release meets the eye test for a major revision: the entire structure of the standard has been renewed to the latest Annex SL outline variant, known as the Harmonized Structure (HS). Similarly, the previous 114 Annex A controls were consolidated and 11 net new controls were introduced. The result is a new look for the standard with a modern control set tackling more current risks (e.g., threat intelligence, IoT, IAM) affecting service organizations operating within the public cloud.

To guide this transition or upgrade from the prior 2013 revision to the 2022 revision of the standard, the International Accreditation Forum (IAF) published its instructions in the form of Mandatory Document (MD) 26 approximately 90 days before the release of ISO/IEC 27001:2022. However, once the standard was published, feedback from accreditation bodies (e.g., ANAB, IAS, UKAS) resulted in a revision to IAF MD 26, extending some of these transition timelines.

When seeking out the source on these transition timelines, ensure you are inspecting Issue 2 published on February 13, 2023 – you can find this publication date within the footer of each page of this MD.

Let’s get to the brass tacks.

  1. If your organization is pursuing certification for the first time to ISO 27001, you can continue using ISO/IEC 27001:2013 through April 30, 2024; however, after that date, all certificate decisions for ISO 27001 have to be against ISO/IEC 27001:2022.

    Note: This is a decision date for certification, so account for the quality review processes and lead times required by the certification body before your organization schedules its initial certification to the old revision of the standard. It is wise to transition to the new revision (2022) now rather than flirting with this hard deadline, for which your certification body has no authority to grant exceptions or extensions.

  2. Likewise, for all currently certified scopes that are due for a recertification audit, that recertification audit must also be decided on or before April 30, 2024, if the organization intends to remain on the 2013 revision. Again, initiate the discussion early with your certification body so that neither your live audit nor the auditor’s reporting timelines put the schedule at risk if you intend to remain on the 2013 revision. Our advice is to strongly consider transitioning to the 2022 revision for any initial certification or recertification audits scheduled as of January 1, 2024, or later.

  3. The last scenario covers certified scopes that are not due for recertification in 2024. In this circumstance, the drop-dead date for transitioning to the 2022 revision of ISO 27001 is October 31, 2025, or 3 years following the last day of the month of publication. As of November 1, 2025, all ISO/IEC 27001:2013 certificates will expire.

As with the recertification and initial certification timelines, it is wise to plan at least a 120-day buffer ahead of the November 1, 2025 deadline. That date marks the end of the transition period: the transition audit must be completed and a positive decision received from an accredited certification body before it, or existing ISO/IEC 27001:2013 certificates are rendered invalid and suspended.

🧠 🧠 🧠 🧠 🧠 

We are all about creating awareness while poking fun. Will your team avoid the office with a 10-foot pole but is the last to leave the happy hour? This newsletter might be for them.