ISO 27001:2022 is here, which means it’s time to start thinking about the transition process. While the deadline is set at December 2025, it’s never too early to start!
If this is all news to you, check out our previous three episodes, where we reviewed all the major changes to ISO 27001, including clause updates and the 11 completely new controls added.
Join Mel this week as she explains what you need to know before embarking on your ISO 27001 transition journey, in addition to a summary of our transition programme.
[00:44] Businesses have until October 2025 to transition to the updated version of ISO 27001:2022 – but don’t wait until the last minute! Certification Bodies get really booked up in the last year, and you could risk losing your certification and paying for another Stage 1 and 2 Assessment.
[01:30] We recommend that you start thinking about your transition in 2023 so you have everything in place to start the process in 2024.
[02:28] As a recap – the major changes in ISO 27001:2022 are: 56 controls have been merged into 24 newly titled controls, 11 completely new controls have been added, and controls are now categorised into just 4 groups instead of the 14 in the previous version.
[03:00] ISO 27001:2022 Guide to the Changes now available – simply fill out the form at the end of the show notes to grab a copy!
[04:25] Over the next few episodes, Mel will talk through the process of planning, implementing and preparing for the Certification Body transition visit.
[05:51] All steps of the transition process are laid out in our Transition Programme, which includes: an awareness video, a transition action plan, implementation of changes, internal auditing of the changes and some optional support during the Certification Body visit.
[08:45] The Planning Phase: We recommend trying to combine your transition visit with your next Surveillance visit – have a chat with your CB to see if that’s possible. This may not be possible if your Surveillance is coming up very soon, as you need time to implement the changes needed. Those that have it in, say, 6 or more months’ time would be in a good position to make the request.
[09:30] Certification Bodies are recommending an extra half day for transition – some may require a desktop review ahead of the actual visit. Combining this visit with your Surveillance is a good way to reduce costs.
[10:30] When planning out your timescales for transition, don’t forget to inform Leadership and key personnel involved in the running of the Management System about the expected changes to come – and plan in time for them to help with the implementation.
[11:10] Understanding the changes: We gave a high-level overview of the 11 new controls in our last episode. We will also have 11 Coffee Break Training courses covering the controls in more detail, available from March 31st 2023 on the isologyhub.
[12:11] Offer: We’re including a free copy of ISO 27001:2022 for those that sign up to our Transition Programme before April 1st 2023.
[12:34] You may get asked for a copy of the Standard at your transition visit – as having a copy can come under ‘other’ legal requirements.
[13:10] Discovery Phase: We have a transition checklist which can help you identify where the gaps are in terms of compliance with the new controls. You may already have some of it in place!
Grab a copy of our ISO 27001:2022 Guide to the changes here:
Keep an eye out for next week’s episode, where we dive into how to implement the changes…