New version of ISO/IEC 27001:2022

CYBER & INFORMATION SECURITY: In October 2022, ISO/IEC 27001 was revised. After the end of the conversion phase, each certification must be based exclusively on the new revision ISO/IEC 27001:2022 - all existing ISO/IEC 27001:2013 certificates will then lose their validity.

In the IAF document IAF MD 26 dated February 15, 2023 "International Accreditation Forum" (IAF) specified a three-year transition period and some transitional precautions. This means that after the end of the conversion phase, any certification according to ISO 27001 may only be based on the new edition and all certificates according to the old edition will become invalid - regardless of the information on the expiration date in the certificate.

On January 1st, 2023, the German Accreditation Body (DAkkS) published conversion instructions for accreditations in the area of ISO/IEC 27001:2022

Every audit for initial certification and recertification that starts from May 1st, 2024 must be carried out according to the new version ISO/IEC 27001:2022. The starting point is the first day of the on-site audit (stage 1 audit). All certification decisions to transition an existing ISO/IEC 27001:2013 certification must be completed by October 31, 2025 at the latest. Otherwise, a new full initial certification must be carried out.

Conversion audits must include an additional on-site audit period. This additional duration is a single event and applies exclusively to the conversion audit.

The following measures are recommended for an organization that operates an ISMS based on ISO/IEC 27001:2013:

  • Identify organizational gaps that need to be addressed to meet new requirements.
  • Creation of a conversion plan.
  • Appropriate training and awareness raising for all parties influencing the effectiveness of the organization.
  • Adaptation of the existing ISMS to meet the changed requirements and to provide evidence of effectiveness.

For all additional questions, the TUV NORD team is at your disposal!