ISO/IEC 27001 New edition of the Standard: changes and deadline - RINA.org

15 May 2023

Companies must prepare for the transition to ISO/IEC 27001:2022

On October 25th, 2022, the International Organization for Standardization (ISO) published the third edition of the ISO/IEC 27001 standard.

The ISO/IEC 27001 Standard allows clients to manage all Information Security risks through a Management System eligible for certification, with the aim of safeguarding the confidentiality, integrity and availability of business-related information, and improving related technological, operational, procedural, human, and environmental aspects.

What are the changes? 

The main change concerns the list and definition of the applicable controls that manage information security, contained in Annex A: some controls have been updated in line with the evolution of technology and risk scenarios and, compared with the 2013 version of the standard, the controls are now reduced to 93 in 4 groups. Some controls have been revised, while new controls have been added and others regrouped.

Another change is the title: it now contains the terms “cybersecurity” and “privacy protection”, thus extending the scope of the standard.

Timeline and deadlines

The International Accreditation Forum (IAF) has established a transition period of 3 years from the date of publication of the standard.

Dates to remember:

- From April 30th, 2024, all new certifications and renewals must be issued exclusively in conformity with the ISO/IEC 27001:2022 standard.
- The last day of validity of certificates issued in conformity with ISO/IEC 27001:2013 will be October 31st, 2025.

Upon successful completion of the transition audit and after validation by RINA, the certificate will be reissued in conformity with the new version of the standard, keeping the same identification number. The expiration date of the current certification cycle will not change, unless the transition is verified during the renewal audit.

If the transition is not successfully completed by this deadline, the certificate will expire and will no longer be recognized. It will then be necessary to submit a new application following the procedure provided for initial certification.

For further information, don’t hesitate to contact us.

RINA Certification team

Via Gran S. Bernardo
Palazzo R
Milan
Italy

+39 02 52876 000