Editor’s Note: The original blog post was released on October 27, 2022; however, IAF MD 26:2023 (Issue 2) was revised and published on February 15, 2023. The new IAF MD 26:2023 replaces the original normative reference IAF MD 26:2022 (Issue 1) released on August 9, 2022. This republished blog post now describes current guidance in alignment with Issue 2.
The new revision of ISO 27001 is finally here.
For a group like Coalfire Certification that lives and breathes these standards daily, it has been an exciting few months monitoring the progress of this publication and its review through the various ISO working groups.
Following the February 2022 release of a major revision to ISO 27002 – the guidance supporting the implementation of ISO 27001 Annex A controls – a similar revision mirroring the updates to this control set was expected to be adopted within ISO 27001.
Overview of Structural Changes
The new standard referenced as “ISO/IEC 27001:2022” has now been published, bringing new information security domains into focus while upending the traditional structure of technical controls appended to this management system standard. The update adopts the control titles and descriptions from sections 5-8 of the latest ISO 27002 publication and replaces the previous 14 control domains.
The new International Standard replaces control domains by consolidating these sections into four control themes: organizational, people, physical, and technological. The previous 114 Annex A controls have been reduced to 93 controls, mirroring the implementation guidance of ISO 27002. The 93 controls comprise 11 new controls, 24 merged controls from the historic annex, and 58 controls where descriptions have been updated – sometimes by only a few words to make intent clearer to the reader.
In addition to the updated annex listing of technical controls, there were also revisions to otherwise familiar clauses and footnotes that serve as the requirements for establishing, implementing, maintaining, and improving the Information Security Management System (ISMS). For example, the footnotes supporting clause 6.1.3(c) have been revised to delete references to “control objectives” and to utilize more specific “information security control” descriptors.
Authoritative Reference for Transitions
While these changes will have greater effect than previous corrections of the ISO 27001 standard, the International Accreditation Forum (IAF) – the oversight body for accredited conformity assessment activities involving management system standards published by ISO – considers ISO/IEC 27001:2022 to be less than a fully revised edition. As a result, there are longer transition timelines for organizations that are already certified or that are actively pursuing certification to the 2013 revision of ISO 27001.
The requirements for transitioning to the new revision of ISO 27001 are detailed within a normative reference published by the IAF under Mandatory Document (MD) 26:2023. All certification bodies that are accredited to issue certificates against ISO 27001 are required to conform to the transition procedures detailed within IAF MD 26.
Frequently Asked Questions (FAQ):
Below, our experts at Coalfire Certification break down these requirements to answer common questions that we anticipate will be top of mind for currently certified organizations as well as organizations seeking certification to ISO 27001 within the next few years.
Q1: Is ISO/IEC 27001:2022, Annex A still considered to be required (i.e., normative)?
A1: Yes. Similar to the 2013 revision, clause 6.1.3 references Annex A as a comprehensive list of information security controls used to treat information security risks. The section divider for Annex A also maintains a “normative” label within the new publication to ensure these items comprise the implementation of the ISMS.
The new information security controls within Annex A allow organizations to accomplish the same risk treatment goals as before. Organizations determine information security risks and then compare the information security controls needed to mitigate those risks against the information security controls within Annex A.
Q2: Does the new revision of ISO 27001 impact the Statement of Applicability (SoA)?
A2: Yes. The new information security controls need to be reviewed by the organization and compared to existing controls based on the context of the control environment. This comparison may lead to updates to risk treatment plans where appropriate, and changes to the SoA to account for new controls as well as updated and consolidated controls. In transitioning to the new standard, certification bodies, such as Coalfire Certification, are required to evaluate the implementation and effectiveness of the new or changed controls chosen by the organization in addition to the newly reviewed SoA.
Q3: Do certified organizations need to immediately transition to the new standard revision?
A3: No. Per IAF MD 26, certified organizations will need to transition to the new revision within 36 months from the last day of the publication month of ISO/IEC 27001:2022. Since the publication was released on October 25, 2022, all currently certified organizations have until October 31, 2025 to transition to the new revision. Certified organizations beginning a recertification audit cycle after April 30, 2024 will need to transition to the 2022 revision of ISO/IEC 27001 during the recertification audit.
Q4: Will initial certification customers be immediately audited against the new standard revision?
A4: No. New certification applicants may continue to be audited against the 2013 revision of ISO 27001 for a period of up to 18 months from the last day of the publication month. Since the publication was released on October 25, 2022, initial certification applicants may continue to be audited against the 2013 revision until April 30, 2024. These organizations would need to be transitioned to the new 2022 revision no later than October 31, 2025, regardless of the date of original registration.
Q5: Is a separate audit required to transition existing ISO 27001 certificates to the new revision?
A5: No. Certification bodies may conduct the one-time transition audit either in conjunction with the surveillance audit or recertification audit, or through a separate audit. While the transition audit may not consist solely of document review (i.e., requires live interaction with auditees), transition audits may be performed remotely if all transition audit objectives can still be met by the certification body.
Q6: Will there be any additional audit time needed to perform the transition audit?
A6: Yes. Certification bodies are required to plan for an additional 0.5 auditor day to confirm the execution of a transition plan when the transition audit is carried out in conjunction with a recertification audit. A minimum of 1.0 auditor day is required if the transition audit is carried out in conjunction with a surveillance audit or as a separate, ad hoc audit (i.e., special audit).
Q7: What are the objectives of a transition audit performed by a certification body?
A7: IAF MD 26 outlines the following minimum objectives for certification bodies:
- Gap assessment of the organization’s system against the 2022 revision of ISO 27001
- Review of the updated SoA, inclusive of the new set of 93 controls
- Review of risk treatment plans, especially in areas where these plans were designed around Annex A controls being utilized to mitigate identified risks
- Assessment of the implementation and effectiveness of newly adopted controls
Q8: Does transitioning to the 2022 revision impact the expiration date on existing ISO 27001 certificates?
A8: No. When the certificate award is updated due to a positive audit conclusion and decision resulting from a transition audit, the expiration of the current certification cycle will not be changed. This handling applies whether the transition audit is performed during the annual audit or as a separate, ad hoc audit (i.e., special audit).
Q9: What happens to active ISO 27001 certificates after the end of the transition period?
A9: As of October 31, 2025, all remaining ISO 27001 certificates issued under revision 2013 will be withdrawn and considered to be expired regardless of the expiration date listed on the certificate.
Q10: When does Coalfire Certification anticipate being ready to perform transition audits against the 2022 revision of ISO 27001?
A10: Coalfire Certification plans to begin its first transition audits in Q3 2023. The certification body obtains access to normative references such as ISO/IEC 27001:2022 and IAF MD 26 at the same time as the general public. With any new scheme, time is required to prepare for the effective execution of these assessments while upskilling our certification body staff to meet the competencies dictated as part of the accreditation of the certification body.