The topic "Information security" is becoming increasingly relevant for organizations in the process of digital transformation. Without sufficient security precautions, there is a risk of data loss and data theft by hackers, business interruption due to cyber attacks or data misuse. One of the options for a structured approach is an information security management system (ISMS) according to ISO 27001.
The IAF global network was founded in 1993. It is an association of accreditation bodies, associations, certifiers and organizations associated with conformity assessment activities. The purpose of the IAF is to promote worldwide acceptance of certificates of conformity, e.g. certificates issued by IAF members.
IAF - International Accreditation Forum has published a new edition of the document IAF MD 26:2023 Transition Requirements for ISO/IEC 27001:2022, in which the requirements and deadlines for the implementation of transition activities to the new edition of the ISO/IEC 27001:2022 standard are given, both for certification and accreditation bodies. Taking into account the changes resulting from the new edition of IAF MD 26:2023, ICS has incorporated them into this "Notice regarding changes and the method of transition to certification according to the new edition of the ISO/IEC 27001:2022 standard".
On October 5, 2022, the International Organization for Standardization (ISO) published a new edition of the standard: ISO/IEC 27001:2022.
Changes in ISO/IEC 27001:2022 in relation to ISO/IEC 27001:2013 refer to:
- Name of the standard;
- Alignment of the text with the new edition of Annex SL, which includes the new requirement 6.3 Planning of changes as well as the structure of requirements 9.2 and 9.3 and the order of requirements in point 10;
- Annex A;
- Supplement to requirements 4.2, 4.4, 5.3, 6.1.3, 6.2, 7.4, 8.1, 9.1.
The following changes were made to Annex A:
- Controls were grouped into 4 groups instead of the previous 14;
- Reduced number of controls (from 112 to 93);
- Added new controls (11);
- Certain controls have been reformulated;
- Merger of individual controls (57 merged into 24);
- The names of individual controls (23) have been changed;
- New numbering of individual controls (35).
ICS has performed all the necessary activities and is ready to provide the information security management system certification service according to the new edition of the ISO/IEC 27001:2022 standard. Certified organizations will be able to prove the compliance of their information security management system with the new edition of the ISO/IEC 27001:2022 standard within the framework of supervisory audits, audits for the purpose of renewing certification (recertification) or through an independent procedure. When a certified organization aligns its management system with the requirements of ISO/IEC 27001:2022, it should report this to ICS via email. The application for the audit for transition to the new edition of the standard must be submitted in a timely manner to ensure that the certification procedure according to the new edition of the standard is completed before the end of the transition period. If the transition audit is performed together with the audit for the purpose of renewing the certification, the audit time will be increased by a minimum of 0.5 auditor-days for the purpose of checking compliance with the new/amended requirements of ISO/IEC 27001:2022. If the transition audit is performed together with the supervisory audit, or the transition audit is conducted as an independent procedure, then the duration of the transition audit is at least 1 auditor-day. Activities related to the transition will be regulated by the Annex to the Agreement, which is valid for the ongoing three-year certification cycle.
During the transition audit, ICS auditors must check:
- gap analysis of ISO/IEC 27001:2022 and the changes determined by the organization;
- changes made by the organization in its management system;
- the updated Statement of Applicability (SoA);
- the updated risk management plan, where applicable;
- application and effectiveness of new and/or modified controls.
Modification of certification documents
After the successfully completed procedure of transition to the new edition of the ISO/IEC 27001:2022 standard, ICS will issue a new certificate to the client. The validity of the certificate is tied to the currently valid certification cycle and remains unchanged.
Preparation for the transition to the new edition of the ISO/IEC 27001:2022 standard
We recommend that certified organizations, as early as possible, start preparing for the transition and properly plan and implement the necessary changes in their management system.
To this end, we recommend the following steps:
- familiarization with the content and requirements of the new standard while focusing on the changes implied by the new edition of the standard;
- training relevant personnel in order to understand the requirements and key changes;
- identifying deficiencies that need to be eliminated in order to meet new requirements and establishing an implementation plan;
- implementation of changes in the management system in order to meet the requirements of the new edition of the standard.
Initial certifications and recertifications
ICS will conduct initial certifications and recertifications according to ISO/IEC 27001:2013 until April 30, 2024. After April 30, 2024, ICS will only conduct initial certifications and recertifications according to ISO/IEC 27001:2022.