2. Contents
• Objectives
• Introduction
• Key Timescales
• Key dates and Deadlines for the Transition
• Transition Audit Approach
• Transition Audit Program
• Transition Process Steps for Certified Clients
• Transition Process Steps for New Clients
3. Objectives
The objectives of the present document are:
• To provide the certified clients of ISONIKE Ltd with the necessary information on the Transition Arrangements from ISO/IEC 27001:2013 to ISO/IEC 27001:2022 certification.
• To provide the future clients of ISONIKE Ltd with the necessary information on the Transition Arrangements from ISO/IEC 27001:2013 to ISO/IEC 27001:2022 certification.
• To provide the certified clients with the necessary steps for moving forward with the Transition of the Certification.
4. Introduction
Two new editions of the ISO/IEC 27k family of standards were issued by ISO:
• ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection — Information security management systems — Requirements
• ISO/IEC 27002:2022 Information security, cybersecurity and privacy protection — Information security controls
The new editions have an impact on both the existing and the future ISO/IEC 27001 certificates.
International Accreditation Forum Inc (IAF) Mandatory Document (MD) IAF MD 26:2022 was issued on 9th of August 2022. This is a normative document defining the Transition Requirements for Accreditation Bodies (ABs) and Conformity Assessment Bodies (CABs) providing accredited schemes and accredited certification respectively to the ISO/IEC 27001 standard.
5. Key Timescales
• According to the regulatory framework set by IAF MD 26:2022, the transition period started with immediate effect from the publication of the new version of the standard and ends on 31/10/2025.
• By 31/10/2025, all clients certified to ISO/IEC 27001:2013 are required to have completed their transition to ISO/IEC 27001:2022.
• New certificates to the ISO/IEC 27001:2013 standard may be issued within the transition period. ISONIKE has set 31/10/2024 as the deadline for accepting new applications to ISO/IEC 27001:2013. Hence, no new certificates to the ISO/IEC 27001:2013 standard will be issued by ISONIKE for applications received after 31/10/2024.
• On 31/10/2025 all ISO/IEC 27001:2013 certificates will either expire or be withdrawn.
6. Key Dates and Deadlines for the Transition
Date         Description of deadline
31/10/2024   Planned deadline for accepting new applications for registration to ISO/IEC 27001:2013.
31/7/2025    Planned deadline for the transition of all ISO/IEC 27001:2013 certified clients to ISO/IEC 27001:2022.
             Important notice: Clients certified to ISO/IEC 27001:2013 that have not completed the transition to ISO/IEC 27001:2022 by this date are at risk of having their certificates withdrawn or expired on 31/10/2025. ISONIKE cannot guarantee the availability of audit resources for a timely transition for transition applications received after 31/7/2025.
31/10/2025   Regulatory deadline for all ISO/IEC 27001:2013 certificates.
             Important notice: All ISO/IEC 27001:2013 certificates will either expire or be withdrawn on this date.
7. Transition Audit Approach
Clients certified to ISO/IEC 27001:2013 are required to have a transition audit to the ISO/IEC 27001:2022 version of the standard within the transition period. The transition audit will not rely on document review alone; it will also require a review of the technological controls and their application.
The transition audit will require additional time (see following page) and may be conducted in conjunction with the surveillance audit, the recertification audit or through a separate audit.
The transition audit will assess the following (but is not limited to):
• the gap analysis against ISO/IEC 27001:2022, as well as the need for changes to the client’s ISMS;
• the updating of the statement of applicability (SoA);
• if applicable, the updating of the risk treatment plan;
• the implementation and effectiveness of the new or changed controls chosen by the client.
Transition audits may be conducted either with a physical visit or remotely, if the transition objectives can be met. The additional audit time required for the transition is defined as a minimum of 0.5 days, but depends on the company’s specific parameters.
8. Transition Audit Programme
Clients certified to ISO/IEC 27001:2013 by ISONIKE may either:
1. Request an extra (separate) audit for the transition, at any time within the certification cycle;
2. Request to have their transition audit planned with their next Surveillance visit;
3. Request to have their transition audit planned with their next ReCertification visit (provided that this ReCertification visit is not after 31/7/2025).
According to the regulatory framework set by IAF MD 26:2022, additional audit time shall be planned for cases (1) and (2) above. This additional time is determined depending on the company’s specific parameters (size, complexity etc.), with a minimum of 0.5 audit day.
Note: The exact additional audit time, the method of the audit (onsite or remote) as well as the relevant costs are determined, reviewed and advised to the client upon receipt of the “Application for Transition to ISO/IEC 27001:2022” (see next paragraphs). These are confirmed with the client upon receipt of their Application for Transition.
ISONIKE has completed its Transition of Accreditation to ISO/IEC 27001:2022, as confirmed by ESYD. Hence, ISONIKE can issue ISO/IEC 27001:2022 accredited certificates to applicants upon their request with immediate effect, should this be required by the client.
9. Transition Process Steps for Certified Clients (1 of 3)
The steps of the transition process are summarized as follows:
• Certified Clients are required to plan, amend and prepare their ISMS to meet the ISO/IEC 27001:2022 requirements.
• Certified Clients are invited to complete and submit, at their earliest convenience, an “Application for Transition to ISO/IEC 27001:2022” to ISONIKE. On this application they need to indicate their preference as to when they would like the Transition Audit to take place (i.e. separate visit, next surveillance visit, recertification visit).
• In order to allow sufficient time for the planning of the Transition Audit, the “Application for Transition to ISO/IEC 27001:2022” should be received by ISONIKE a minimum of 90 days in advance of the date of the audit intended by the client.
• Upon receipt of the “Application for Transition to ISO/IEC 27001:2022”, ISONIKE will conduct an application review, evaluating the applicable parameters and the situational factors. Based on this review, ISONIKE will determine the additional audit time, the method of the audit (onsite or remote) as well as the relevant costs. These will be advised to the client.
10. Transition Process Steps for Certified Clients (2 of 3)
• The Transition Audit will be planned and conducted in two phases:
o Phase 1: Document Review
• ISONIKE will send an “ISO/IEC 27001:2022 Transition Check List” to the client for completion. The client will need to complete the check list with the required information and return it to ISONIKE together with the supporting documented information.
• ISONIKE will then conduct the review of the documented information. The result will be communicated to the client for further actions (if required).
o Phase 2: Review of Technological Controls
• ISONIKE will liaise with the client, then plan and conduct the review of the technological controls. This will be done onsite or remotely depending on the method chosen (see previous paragraph).
• Note: The Transition Audit will be planned and conducted in conjunction with the surveillance audit, the recertification audit or through a separate audit.
11. Transition Process Steps for Certified Clients (3 of 3)
• Following the successful conduct of the transition audit, and provided no pending issues remain, ISONIKE will proceed with an independent review of the file and will take the certification decision on the issuance of the ISO/IEC 27001:2022 certificate to the client.
• Provided that the process is completed within the transition period, the new ISO/IEC 27001:2022 certificate will follow the 3-year certification cycle of the original ISO/IEC 27001:2013 certificate.
12. Transition Process Steps for New Clients
New Clients have the option to apply for certification to ISO/IEC 27001:2013 or to ISO/IEC 27001:2022 until 31/10/2024. Thereafter, all new applications shall be to ISO/IEC 27001:2022 only.
• Applications for certification to ISO/IEC 27001:2013 will be accepted if received by 31/10/2024, provided that arrangements and certification audits are planned and conducted promptly.
• All new certificates to ISO/IEC 27001:2013 will expire on 31/10/2025. This expiry date will appear on the certificate, as this is the date on which the validity of the ISO/IEC 27001:2013 version of the standard ends.
• Clients certified to ISO/IEC 27001:2013 will then need to make the transition to ISO/IEC 27001:2022 as described in the transition process steps on the previous pages of the present document.
• Once the transition process is completed, ISONIKE will replace the ISO/IEC 27001:2013 certificate with an ISO/IEC 27001:2022 certificate, which will follow the 3-year certification cycle of the original ISO/IEC 27001:2013 certificate.
13. Disclaimer
ISONIKE reserves the right to amend the present arrangements should IAF or the AB (ESYD) request amended or additional transition arrangements.
For any additional information or clarification please do not hesitate to contact ISONIKE HQ or discuss with any ISONIKE assessor.