ISO/IEC 27001 is the world’s best-known standard for information security management systems (ISMS) and their requirements.

ISO/IEC 27001:2022 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. The standard also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in this document are generic and are intended to be applicable to all organizations, regardless of type, size or nature.

Following the publication of ISO/IEC 27001:2022, this policy has been produced to update Certification Bodies and stakeholders on the AAA assessment process and overall timelines for assessment against the requirements of the revised certification standard.

IAF published an updated transition instruction (IAF MD 26, Issue 2.0). It requires Accreditation Bodies to be ready to conduct assessments within 6 months following publication of the revision, and to complete the transition of all Certification Bodies within 12 months following the publication date.

To enable the transition to progress in a timely manner, Certification Bodies are requested to complete a documented gap analysis detailing how they have implemented the changes introduced by ISO/IEC 27001:2022 and forward it to AAA by no later than 31 March 2023. The submitted information shall include:

  • the gap analysis of the changes in ISO/IEC 27001:2022
  • the transition arrangements and evidence of implementation
  • evidence of the authorization of related personnel

The Certification Bodies' arrangements in the transition policy shall include the following:

1) CAB shall establish its transition arrangement for ISO/IEC 27001:2022 considering the requirements of this document and the transition arrangement of the related AB. 

2) The transition arrangement shall address what the CAB shall do and what the client shall do. The CAB may have several separate documents to address the transition arrangement. 

3) The transition arrangement shall include at least the consideration of the following: 

• the changes in ISO/IEC 27001 and the gap analysis;

• the need to modify the related certification processes, documents and, if applicable, IT systems for managing certification activities; 

• the relevant personnel are competent for ISO/IEC 27001:2022 and the transition process;

• the audit team, as a whole, shall have knowledge of all controls contained in ISO/IEC 27002:2022 and their implementation (see ISO/IEC 27006:2015, 7.1.2.1.3 b)); 

• the transition audit program; 

• there is a timely communication to the clients on the transition program, such as the timeline, transition audit approach, and the consequences if the client fails to transition prior to the end of the transition period. 

4) CABs are encouraged to plan and commence required actions at the earliest opportunity.