Notice regarding the changes and transition to certification according to the new edition of the standard (SRPS) ISO/IEC 27001:2022

22.02.2023

On 25 October 2022 the International Organization for Standardization (ISO) published a new edition of the ISO/IEC 27001 standard, ISO/IEC 27001:2022. Subsequently, on 14 December 2022, the Institute for Standardization of Serbia published the Serbian standard SRPS ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection – Information security management systems – Requirements, in English, with the note that its translation is at stage 10.99, "Entered into the work programme".

Changes in (SRPS) ISO/IEC 27001:2022 compared with SRPS ISO/IEC 27001:2014 (ISO/IEC 27001:2013)

Key changes relate to:

  • The name of the standard;
  • Harmonization of the text with the new edition of Annex SL, which introduces the new requirement 6.3 Planning of changes, restructures requirements 9.2 and 9.3, and changes the sequence of requirements in clause 10;
  • Annex A;
  • Additions to requirements 4.2, 4.4, 5.3, 6.1.3, 6.2, 7.4, 8.1 and 9.1.

The following changes have been made to Annex A:

  • Controls are grouped into 4 themes (organizational, people, physical and technological) instead of the previous 14 domains;
  • The number of controls is reduced (from 114 to 93);
  • New controls have been added (11);
  • Certain controls have been reworded;
  • Some controls have been merged (57 controls merged into 24);
  • The names of individual controls have been changed (23);
  • Controls that are otherwise unchanged have been renumbered (35).

Transitional period

On 09.08.2022 the International Accreditation Forum (IAF) published the mandatory document IAF MD 26:2022, Transition Requirements for ISO/IEC 27001:2022, which defines the requirements and deadlines for transition activities for both certification bodies and accreditation bodies.

According to IAF MD 26:2022, the transition period for certified organizations to move to (SRPS) ISO/IEC 27001:2022 is three years, and the transition must be completed by 31.10.2025.

After that date, all certificates issued against the old edition of the standard will cease to be valid. StandCert d.o.o. will withdraw certification from all clients who have not transitioned to the new edition of the standard by 31.10.2025.

During the transition period, certificates issued against the requirements of SRPS ISO/IEC 27001:2014 (ISO/IEC 27001:2013) are equally valid as certificates issued against (SRPS) ISO/IEC 27001:2022.

Transition audit

StandCert d.o.o. has completed the necessary preparations and is ready to provide information security management system certification against the new edition of the standard, (SRPS) ISO/IEC 27001:2022.

Certified organizations can demonstrate that their information security management system conforms to the new edition of the standard, (SRPS) ISO/IEC 27001:2022, during a surveillance audit, during a recertification audit, or in a separate transition audit. Once a certified organization has aligned its management system with the requirements of (SRPS) ISO/IEC 27001:2022, it should notify StandCert by email. The application for the transition audit must be submitted in good time so that certification against the new edition of the standard can be completed before the end of the transition period.

If the transition audit is combined with a surveillance audit or a recertification audit, the audit time is increased by at least 0.5 auditor-days to cover the new and amended requirements of (SRPS) ISO/IEC 27001:2022. If the transition audit is carried out as a separate procedure, its duration is at least 1 auditor-day. Transition activities are governed by an Annex to the Contract valid for the current three-year certification cycle.

During transition audits, the following must be verified:

  • the organization's gap analysis against ISO/IEC 27001:2022 and the changes it has identified as necessary;
  • the changes the organization has made to its management system;
  • the updated Statement of Applicability (SoA);
  • the updated risk treatment plan, where applicable;
  • the implementation and effectiveness of new and/or modified controls.

Modification of certification documents

After a successful transition to the new edition of the standard, (SRPS) ISO/IEC 27001:2022, StandCert will issue a new certificate to the client. The validity of the certificate remains tied to the current certification cycle and is unchanged.

Preparation of organizations for the transition to the new edition of the standard (SRPS) ISO/IEC 27001:2022

We recommend that certified organizations begin preparing for the transition as early as possible and plan and implement the necessary changes to their management system properly. The following steps are recommended:

  • become familiar with the content and requirements of the new standard, focusing on the changes introduced by the new edition;
  • train relevant personnel so that they understand the requirements and the key changes;
  • identify the gaps that must be closed to meet the new requirements and draw up an implementation plan;
  • implement the changes to the management system needed to meet the requirements of the new edition of the standard.

Initial certifications

StandCert d.o.o. will carry out initial certifications against SRPS ISO/IEC 27001:2014 (ISO/IEC 27001:2013) until 31.10.2023.

After 31.10.2023, StandCert d.o.o. will conduct initial certifications exclusively against (SRPS) ISO/IEC 27001:2022.
