As part of the transition plan from ISO/IEC 27001:2013 to ISO/IEC 27001:2022 governed by the transition requirements for ISO/IEC 27001:2022 by IAF (IAF MD 26:2023 – Issue 2) and the Hellenic Accreditation System (ESYD), the following apply:
- A three-year transition period is provided for the adaptation to the requirements of the ISO/IEC 27001:2022, starting from its date of issue, until 31.10.2025.
- The transition period of ISO/IEC 27001:2022 expires on 31.10.2025. All certificates according to ISO/IEC 27001:2013 will be suspended or withdrawn at the end of the transition period.
- The Certification Bodies may conduct initial or recertification audits according to ISO/IEC 27001:2013 until 30.04.2024.
- All certificates issued according to ISO/IEC 27001:2013 during the transition period must take account of the above deadline (whether or not the usual three-year period of validity of the certificate will be completed). Organizations that hold an ISO/IEC 27001:2013 certificate will be able to switch to the new ISO/IEC 27001:2022 standard during their annual surveillance audit, their recertification audit or a separate transition audit, with prior written notification to our Certification Body.
Compared with ISO/IEC 27001:2013, the main changes of ISO/IEC 27001:2022 include, but are not limited to:
- Annex A of ISO/IEC 27001:2022 references the information security controls in ISO/IEC 27002:2022, listing the control title and the control itself.
- Adding a new item 4.2 c) to determine the requirements of the interested parties addressed through an information security management system (ISMS).
- The notes of clause 6.1.3 c) are revised editorially, including deleting the control objectives and using “information security control” to replace “control”.
- The wording of clause 6.1.3 d) is re-organized to remove potential ambiguity.
- Adding a new subclause 6.3 – Planning for changes, which defines that the changes to the ISMS shall be carried out by the organization in a planned manner.
- Using “externally provided processes, products or services” to replace “outsourced processes” in clause 8.1 and deleting the term “outsource”.
- Keeping the verb used in connection with documented information consistent, for example, using “documented information shall be available as evidence of XXX” in clauses 9.1, 9.2.2, 9.3.3 and 10.2.
- Naming and reordering the subclauses in clause 9.2 – Internal audit and 9.3 – Management review.
- Exchanging the order of the two subclauses in clause 10 – Improvement.
- Updating the editions of the related documents listed in the bibliography, such as ISO/IEC 27002 and ISO 31000.
- Some deviations of ISO/IEC 27001:2013 from the high-level structure, identical core text, common terms and core definitions for management system standards (MSS) are revised for consistency with the harmonized structure for MSS, for example, clause 6.2 d).