ISO/IEC 27001 certification deadline

ISO 27001 certification deadline
ISO 27001 certification deadline

On 25th October 2022, a new updated version of ISO/IEC 27001 was released. The main reasons for this update were to acknowledge the evolution of remote working, to recognise the increasing need for certain types of organisations to acquire “threat intelligence” to thwart cyber-attacks, and to create a simpler structure for the controls in Annex A. The shape of an ISO 27001 audit is changing – ensure you don’t get left behind!

We’ve created a helpful 8-page document detailing all the changes between ISO/IEC 27001:2013 and ISO/IEC 27001:2022 – please click here to request your FREE copy.

 

What does this mean for ISO/IEC 27001 audits?

Organisations applying for a 27001 certificate for the first time

This is straightforward – from 1st May 2024, all initial certification audits are conducted against the new ISO/IEC 27001:2022 Standard.

Organisations with an existing 27001 certificate

This will depend on where you are in the three-year certification cycle:

For organisations who have had two prior surveillance audits – from 1st May 2024, re-certification audits are conducted against the new ISO/IEC 27001:2022 version.

For organisations whose next audit is a surveillance audit, there may be an opportunity to change the cycle for the next audit to be a re-certification audit. This would need to be agreed and approved by your certification body. Alternatively, the existing cycle can be completed providing the expiry date has not passed. All ISO/IEC 27001:2013 certificates will expire on 31st October 2025.

 

Will your organisation be ready?

If not, how will the relationship with your clients be affected if you don’t meet the deadline? The implication of the change is that you will need to demonstrate to your certification body that the changes have been fully considered and integrated into your ISO/IEC 27001 ISMS. Risk assessments, treatment plans, internal audits and management reviews are very likely to be affected. The biggest challenge will be in updating your Statement of Applicability and related documents. The updates should help you to facilitate continual improvement which will be of great benefit to your organisation.

 

What are the main changes to ISO/IEC 27001?

It was an update that the ISO information security community had waited nine years for. Then again, they were used to waiting this long as the update from 2005 to 2013 was a meagre eight years. The wait, however, was worthwhile. In the previous edition, there were 14 categories containing 114 controls. Now there are 93 controls (including 11 new controls) grouped neatly into 4 “themes”:

  1. Organizational controls
  2. People Controls
  3. Physical Controls
  4. Technological Controls

The technical controls – which were previously spread across Annex A – were grouped nicely into one “technological” theme. However, users need to appreciate that the interaction of controls across the four themes is prevalent, and this can make implementation and auditing much more efficient. Although it might be tempting to have a policy and procedure for each control, this approach would miss the opportunity of recognising the dynamic links between processes and general activities. If the themes were reversed, then the “organizational” theme would be a catch-all for any control that is not included in the previous three.

There were subtle changes in some of the clauses, most of which were adding extra clarity. Clause 6.3 Planning of changes was added which brought it more in line with ISO 9001:2015 which uses the same clause number. An agenda item was added to the management review – 9.3.2c changes in the needs and expectations of interested parties.

 

  1. “Why do the Annex A control numbers start at 5 in ISO/IEC 27001?”

The control numbers align with the clause numbers in the ISO/IEC 27002:2022 guidance Standard.

 

  1. “Do we have to use the ISO/IEC 27002:2022 guidance Standard?”

It is not mandatory, but it provides very useful information about the controls in Annex A. 

 

  1. “Does Artificial Intelligence feature in the updated ISO/IEC 27001 Standard?”

ISO/IEC 27002:2022 refers to how AI can be used to monitor systems and improve security.

 

  1. “Is climate change now a part of the ISO/IEC 27001:2022 standard?”

Yes, in Feb 2024 it was added to all ISO Management System Standards that follow the 10-clause structure.

 

  1. “ISO/IEC 27001:2013 now obsolete?”

Yes, officially this version is obsolete, and these old certificates will expire on 31st October 2025.

 

  1. “How do we transition from ISO/IEC 27001:2013 to ISO/IEC 27001:2022, and what should we do first in updating our ISMS?”

It may be useful to discuss the transition with your certification body. The logical first step would be to update the Statement of Applicability; then adjust or add policies and procedures that covered controls in the previous standard; internal audit programmes will need to consider the changes in controls and clauses – e.g. adding clauses 6.3 and 9.3.2c to audit checklists. Climate change must be included in the programme, the time allocated will depend on how big an issue it is for the organisation. Care should be taken if multiple standards are being followed – for instance, clause 10 in ISO/IEC 27001 has two parts to it, whereas there are three parts to clause 10 in ISO 9001, ISO 14001 & ISO 45001

 

  1. “Will our auditors need to go on a new ISO/IEC 27001 training course?”

Existing ISO/IEC 27001:2013 auditors 

In terms of clauses 4 to 10, that will not be necessary, just read through the changes. We’ve created an 8-page document detailing the changes between ISO/IEC 27001:2013 and ISO/IEC 27001:2022 – click here to request your FREE copy

The changes in Annex A are significant and the person responsible for ensuring the ISMS conforms to the Standard will need to ensure that relevant personnel and documents are updated. 

Your organisation (or a supplier) may request that you be trained in the new ISO/IEC 27001:2022 Standard, or you may want to ensure that your personal development and qualifications are up-to-date – in this instance, please view our ISO/IEC 27001:2022 training courses.

New ISO/IEC 27001:2022 auditors

Anyone new to ISO 27001:2022 who needs to gain an understanding of the Standard should attend an entry-level ISO/IEC 27001:2022 Foundation course. Those looking to progress to auditor level should attend an ISO/IEC 27001:2022 Internal Auditor course, ISO/IEC 27001:2022 Lead Auditor course or an ISO/IEC 27001:2022 Auditor Conversion course

Need help transitioning to ISO/IEC 27001:2022?

Our ISO experts can advise you on the next steps.

Get in touch

Related Courses

You may also be interested in

Back to Industry and Product News

Stay up to date with industry news, courses and offers

By subscribing, you consent to receive marketing emails from Batalas. Your data will not be forwarded to any third parties, and you can unsubscribe anytime.

By clicking ‘Sign up’ you agree to the Terms and Conditions and Privacy Policy.

portrait happy young freelancer using laptop

More Resources to make your studies go further

With over 60 years experience, our expert team have a wealth of knowledge to share. From auditing tips to FAQ’s, we have a range of resources to support you.

All resources

Let’s level up your career together

Are you a new auditor looking for ISO training advice? Or do you want to build on existing auditing skills to boost your career?


Whatever your need, our experienced and knowledgeable Batalas team can guide you on the right training path to help you reach your professional goals.

Get in touch

Batalas Ltd is a limited company registered in England and Wales. Registered number: 3736166. Registered office: Victoria House, 2 Grove Road, Fareham, PO16 7TE

© 2023 Batalas ltd, All Rights Reserved. Designed by Damteq®

Return

Training Courses

View all ISO 9001 Courses

ISO 9001:2015 Foundation QMS

CQI | IRCA

An entry-level course which teaches an understanding of ISO 9001 QMS.

ISO 9001:2015 Internal Auditor QMS

CQI | IRCA

Discover how to conduct, report and follow up on an internal audit.

ISO 9001:2015 Lead Auditor

CQI | IRCA

Gain the knowledge and skills to manage internal, third-party, and supplier audits.

View all AS 9100 Courses

AS9100:2016 Rev D Introduction

A short online course that provides a basic overview of AS9100:2016 Rev D.

AS9100:2016 Rev D Foundation

CQI | IRCA

Discover the requirements of AS9100 and a Management System.

AS9100:2016 Rev D Internal Auditor

CQI | IRCA

Understand auditor responsibilities and how to conduct an internal audit.

AS9100:2016 Rev D Lead Auditor

CQI | IRCA

For new or existing auditors who wish to conduct internal, external and supplier audits.

View all ISO 13485 Courses

MD-QMS ISO 13485:2016 Foundation

CQI | IRCA

Achieve an understanding of ISO 13485 and a Management System.

ISO 13485:2016 Internal Auditor

CQI | IRCA

Gain the knowledge and skills to conduct internal audits of a management system.

ISO 13485:2016 Lead Auditor

CQI | IRCA

Learn how to lead audits within an organisation or for third parties and suppliers.

View all ISO 27001 Courses

ISO/IEC 27001:2022 Foundation

CQI | IRCA

Perfect for new auditors wanting to learn about ISO 27001 ISMS.

ISO/IEC 27001:2022 Internal Auditor

CQI | IRCA

Conduct internal audits of an Information Security Management System.

ISO/IEC 27001:2022 Lead Auditor

CQI | IRCA

Learn how to manage internal audits, plus third parties and suppliers.

ISO/IEC 27001:2022 Auditor Conversion

CQI | IRCA

Designed for existing lead auditors who want to audit against ISO 27001 ISMS.

View all ISO 14001 Courses

ISO 14001:2015 Foundation

CQI | IRCA

Gain knowledge of an Environmental Management System.

ISO 14001:2015 Internal Auditor

CQI | IRCA

Learn how to carry out an internal audit against ISO 14001.

ISO 14001:2015 Auditor Conversion

CQI | IRCA

Perfect for existing lead auditors who want to learn ISO 14001 to expand their knowledge.

View all ISO 45001 Courses

ISO 45001:2018 Introduction

Gain a basic understanding of ISO 45001 with this short online course.

ISO 45001:2018 Foundation

CQI | IRCA

Beginners course that teaches the requirements of ISO 45001 OHSAS.

ISO 45001:2018 Auditor Conversion

CQI | IRCA

For current lead auditors who wish to increase their knowledge by learning ISO 45001.

View all IMS Training Courses

Integrated Management System (IMS) Internal Auditor

Learn how to conduct an internal audit of your integrated management system.

View all GDPR Training Courses

GDPR Introduction

An interactive 1hr online course that teaches an overview of the GDPR.

GDPR Team Overview

GDPR training for your team at your workplace.

View all Auditor Workshops

ISO 9001:2015 Management Overview

Understand the new responsibilities placed on managers in ISO 9001:2015.

Supplier Auditor Course

Learn how to conduct audits of new and existing suppliers effectively.

ISO 9001:2015 Risk-Based Thinking

Improve your knowledge and skills for effective risk-based thinking.

Audit Skills Workshop

Bring your team together with a fun and energetic team-building session.

View all Learning Styles

Classroom Training

Virtual Training

Online Training

Public Training

In-House Training

View all Courses

Return

Audit Support

We have a wealth of experience working with ISO management systems and can assist auditors who require support.

ISO Management System Assessment 
A review of an outdated or overcomplicated ISO management system
Audit Mentoring
Live audit observation and recommendations for any improvements
Gap Analysis
Identify potential gaps in the effectiveness of a management system
View all Audit Support

Return

View all Resources

Return

About Us

Show more results...

Generic filters
Exact matches only
Search in title
Search in content
Search in excerpt

Alternatively, use our Course Selector to find the perfect course for you:

Find your course