The Timeline for Transitioning to ISO 27001:2022

When do you need to transition by and what to expect from your transition assessment.

Wayne Armstrong | Senior Information Security Consultant and Consultant Manager at URM
Thomas Harrison | Partnership Engagement Manager at BSI
Published on 29 Feb 2024

This blog is based on an ISO 27001:2022 Transition Webinar, delivered at the beginning of 2024 by Wayne Armstrong (Senior Information Security Consultant and Consultant Manager at URM) and Thomas Harrison (Partnership Engagement Manager at the British Standards Institution, or ‘BSI’), with Lisa Dargan (Director at URM) hosting the event. In the webinar, Wayne and Thomas discussed the timeline for transition, how BSI approaches transition assessments and what its assessors expect to see from organisations hoping to certify to the latest version of the Standard.

The Timeline for Transitioning to ISO 27001:2022

ISO 27001:2013 certificates will be withdrawn on 31 October 2025 and, after this point, only ISO 27001:2022 certificates will be valid. In practice, however, the deadline for transition is earlier than this for many organisations. From 1 May 2024, all initial certification and recertification visits must be conducted against ISO 27001:2022, so if you are due to recertify on or after this date, you will need to have completed your transition before your recertification visit. Any initial certification assessment against ISO 27001:2013 must have both Stage 1 and Stage 2 completed before this date; otherwise it will be assessed against the new version of the Standard. At the start of 2024, it was estimated that approximately a quarter of certified organisations had transitioned to ISO 27001:2022, and this is expected to reach 75% by the end of the year. It is clear, therefore, that 2024 will be the main year for transitioning to the new Standard.


BSI’s Approach to Transition Assessments

Transition assessments can be conducted as a standalone assessment outside of your regular visit cycle, during your annual or biannual assessment visit, or during your recertification visit at the end of your 3-year certification cycle. If you choose to have a standalone assessment before you are due to recertify, this will not affect the expiry date of your certificate. The amount of time your transition assessment takes depends on the size of your organisation, but it will be at least a day longer than a typical recertification or annual/biannual assessment visit.

The process of conducting a transition assessment is similar to that of an initial ISO 27001 certification assessment, with the assessor first conducting a half-day readiness review, either remotely or as part of an existing visit, in which you will discuss the changes that should have taken place in your transition. The readiness review is in place to ensure the transition assessment goes as smoothly as possible and to help you avoid losing your certification as a result of the transition. It will allow you to identify whether you are on track with your implementation of the changes, how much time will be required for the assessment, and which locations the assessor needs to visit (if you have more than one).

This is then followed by the transition assessment itself, where the assessor will review the evidence for your implementation of ISO 27001:2022.

What BSI Assessors are Expecting to See

Readiness review

In the readiness review, the assessor will have a list of the changes made to the Standard, and will ask questions about each of them to confirm that you have considered and implemented the change and to establish whether it is working within your organisation. They will also want to see that your existing ISMS, certified against the 2013 version, is still operating as it should: while you focus on implementing the changes during the transition period, it is very important that the existing management system continues to function.

Following this, the assessor will amend any visit plans if you need more time to meet the new requirements of the Standard, and make sure a date is booked for your transition assessment.

Transition assessment

While the readiness review is about your assessor establishing whether the ISMS exists and is aligned with the new version of the Standard, the transition assessment itself is all about evidencing the implementation within your organisation. It is not sufficient simply to have written new processes and documentation; you will need to demonstrate that the processes have been put into practice. The assessment will focus on proof, putting your assessor in a live environment to show them real-world examples of the management system in operation. Transition assessments will primarily centre on the management system changes, as it is the ISMS that is being certified. However, the assessor will also want to see that the 11 new Annex A controls have been considered as part of your risk assessment and that your Statement of Applicability (SoA) has been updated accordingly.

At the end of this, your assessor will (hopefully) make a recommendation for certification, which is the best possible outcome you can achieve at this stage. The actual certification decision is made later, following technical and compliance checks, but a positive recommendation is generally a good sign that your certification has been successful. Where the assessment identifies areas of nonconformity, the recommendation may instead be made after the audit, once those areas have been addressed with corrective action plans, but the ideal situation is for the recommendation to be made there and then.

Closing Thoughts

As the withdrawal date for ISO 27001:2013 approaches, it is becoming increasingly important for organisations that are yet to migrate to ISO 27001:2022 to establish a clear timeframe for completing both their transition and their transition assessment. By ensuring you have a comprehensive understanding of how long your organisation has left to complete its transition, what is involved in transition assessments, and what you will be expected to demonstrate to your assessor, you will be well placed to achieve a seamless and successful transition and avoid any unwelcome surprises during the process.

How URM Can Help

Consultancy

As one of the first UK organisations to certify against ISO 27001:2022, our understanding of the process of ISO 27001 transition assessments is drawn from first-hand experience. Our large team of ISO 27001 consultants can assist you in your preparation for transition by conducting a gap analysis, in which we evaluate the conformance of your current ISMS against the requirements of ISO 27001:2022 and identify any areas for remediation, both in terms of the mandatory management system clauses and the Annex A controls. We can also help you transition your risk assessments using our automated risk assessment tool, Abriska 27001, which is populated with all the new controls and allows you to take advantage of the new attribute functionality introduced in ISO 27002:2022, the sister standard to ISO 27001. Following a risk assessment, URM’s consultants provide implementation support for any required controls, policies and processes, and conduct ISO 27001 internal audits ahead of your external transition assessment, giving you confidence that the assessment will be successful.

Training course

Meanwhile, attending our remote 2-day ISO/IEC 27001:2022 Transition Course, led by a practising ISO 27001 consultant, will allow you to learn not only how the Annex A controls and management system clauses have changed, but also how to transition from ISO 27001:2013 to ISO 27001:2022. Once you understand the changes to the Standard, your trainer will explain how to update your risk assessment and SoA, the approaches you can take to transitioning to the new control set, and how to use, link and present the new attributes.

Wayne Armstrong
Senior Information Security Consultant and Consultant Manager at URM
Wayne is a Senior Information Security Consultant and Consultant Manager at URM with over 30 years’ experience in IT, information security and risk management. He has attained and maintained CISSP, CISMP, PCIRM, and CISA qualifications and is a Qualified Security Assessor (QSA) for the Payment Card Industry Data Security Standard (PCI DSS).
Thomas Harrison
Partnership Engagement Manager at BSI
Tom is a partnership manager at the British Standards Institution (BSI) with over 10 years of experience in helping organisations of all sizes learn the benefits of implementing British and ISO standards.