Notice regarding the changes and transition to certification according to the new edition of the standard ISO/IEC 27001:2022 – edition 02

04.10.2023

Note: The International Accreditation Forum (IAF) has published a new edition of the document IAF MD26:2023 Transition Requirements for ISO/IEC 27001:2022, in which the requirements and deadlines for the implementation of the transition activities to the new edition of the standard ISO/IEC 27001:2022 are given for both certification and accreditation bodies. Taking into account the changes resulting from the new edition of IAF MD26:2023, StandCert has incorporated them into the Notice regarding the changes and transition to certification according to the new edition of the standard ISO/IEC 27001:2022, edition 02. The deadlines stated in this edition of the Notice must be respected. The previously sent edition of the Notice is no longer valid.

On October 05, 2022, the International Organization for Standardization (ISO) published a new edition of the standard ISO/IEC 27001: ISO/IEC 27001:2022. Subsequently, on December 14, 2022, the Institute for Standardization of Serbia published the Serbian standard SRPS ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection – Information security management systems – Requirements, in the English language, with the information that it has been translated and is in the “Closed Voting” phase.

Changes in ISO/IEC 27001:2022 in relation to ISO/IEC 27001:2013

Key changes relate to:
• the name of the standard;
• harmonization of the text with the new edition of Annex SL, which includes the new requirement 6.3 Planning of changes, as well as the structure of requirements 9.2 and 9.3 and the sequence of requirements in clause 10;
• Annex A;
• additions to requirements 4.2, 4.4, 5.3, 6.1.3, 6.2, 7.4, 8.1 and 9.1.
The following changes have been made to Annex A:
• Controls are grouped into 4 groups instead of the previous 14;
• The number of controls has been reduced (from 112 to 93);
• New controls have been added (11);
• Certain controls have been reformulated;
• Certain controls have been merged (57 controls merged into 24);
• The names of some controls have been changed (23);
• New numbering of certain controls (35).

Transitional period

The International Accreditation Forum (IAF) published the binding document IAF MD 26:2022 Transition Requirements for ISO/IEC 27001:2022 on 09.08.2022, in which the requirements and deadlines for the implementation of transition activities for both certification and accreditation bodies are defined. On February 15, 2023, IAF published an updated edition of the document, IAF MD26:2023.
According to the document IAF MD 26:2023, the transition period for certified organizations to move to ISO/IEC 27001:2022 is three years, with the deadline for the transition being 31.10.2025.

After that date, all certifications issued according to the old edition of the standard will no longer be valid. StandCert d.o.o. will withdraw the certification of all clients who have not transitioned to the new edition of the standard by 31.10.2025.
During the transition period, certifications issued according to the requirements of ISO/IEC 27001:2013 are equally valid as certifications issued according to ISO/IEC 27001:2022.

Transition audit

StandCert d.o.o. has performed the necessary activities and is ready to implement the information security management system certification service according to the new edition of the standard ISO/IEC 27001:2022.

Certified organizations will be able to demonstrate the conformity of their information security management system with the new edition of the standard ISO/IEC 27001:2022 as part of a surveillance audit, an audit for the purpose of renewing certification (recertification), or a separate audit. When a certified organization has aligned its management system with the requirements of ISO/IEC 27001:2022, it should report this to StandCert by email. The application for the transition audit must be submitted in a timely manner to ensure that the certification procedure according to the new edition of the standard is completed before the end of the transition period.
If the transition audit is performed together with the recertification audit, the audit time will be increased by a minimum of 0.5 audit day in order to audit conformity with the new and amended requirements of ISO/IEC 27001:2022. If the transition audit is performed together with the surveillance audit, or is carried out as a separate audit, the transition audit time is at least 1 audit day. Activities related to the transition will be regulated by an Annex to the Contract valid for the current three-year certification cycle.

During transition audits, the following must be audited:

• the gap analysis against ISO/IEC 27001:2022 and the changes identified by the organization;
• the changes made by the organization in its management system;
• the updated Statement of Applicability (SoA);
• the updated Risk Management Plan, where applicable;
• the implementation and effectiveness of new and/or modified controls.

Modification of certification documents

After the successful transition to the new edition of the standard ISO/IEC 27001:2022, StandCert will issue a new certificate to the client. The validity of the certification is tied to the currently valid certification cycle and remains unchanged.

Preparation of organizations for the transition to the new edition of the standard ISO/IEC 27001:2022

We recommend that certified organizations start preparing for the transition as early as possible, and properly plan and implement the necessary changes in their management system. The following steps are recommended:
• familiarization with the content and requirements of the new standard while focusing on the changes implied by the new edition of the standard;
• training relevant personnel in order to understand the requirements and key changes;
• identifying the deficiencies that need to be eliminated in order to meet the new requirements and establishing an implementation plan;
• implementation of changes in the management system in order to meet the requirements of the new edition of the standard.

Initial certifications and recertification

StandCert d.o.o. will carry out initial certifications and recertifications according to ISO/IEC 27001:2013 until 30.04.2024.
After 30.04.2024, StandCert d.o.o. will conduct initial certifications and recertifications exclusively according to ISO/IEC 27001:2022.