This blog is based on an ISO 27001:2022 Transition Webinar, which was delivered at the beginning of 2024 by Wayne Armstrong (Senior Information Security Consultant and Consultant Manager at URM) and Thomas Harrison (Partnership Manager at British Standards Institution or ‘BSI’) with Lisa Dargan (Director at URM) hosting the event. In the webinar, Wayne and Thomas discussed the timeline for transition, how BSI approaches transition assessments and what its assessors expect to see from organisations that are hoping to certify to the latest version of the Standard.
The Timeline for Transitioning to ISO 27001:2022
ISO 27001:2013 certificates will be withdrawn on 31 October 2025 and, after this point, only ISO 27001:2022 certificates will be valid. However, in practice, the deadline for transition is earlier than this for many organisations. From 1 May 2024, all initial and recertification visits must be conducted against ISO 27001:2022, so if you are due to recertify on or after this date, you will need to have completed your transition in time for your recertification visit. Any initial assessments to ISO 27001:2013 must have both stages completed by this date or else they will be assessed against the new version of the standard. At the start of 2024, it was estimated that approximately a quarter of certified organisations had transitioned to ISO 27001:2022, and it is expected that this will reach 75% by the end of the year. As such, it is clear that 2024 will be the main year for transitioning to the new Standard.
BSI’s Approach to Transition Assessments
Transition assessments can either be conducted as a standalone assessment outside of your regular visit cycle, during your annual or biannual assessment visit, or during your recertification visit at the end of your 3-year certification cycle. If you choose to have a standalone assessment before you are due to recertify, this will not affect the expiry date of your certificate. The amount of time your transition assessment takes is dependent on the size of your organisation, but it will be at least a day longer than typical recertification or annual/biannual assessment visits.
The process of conducting a transition assessment is similar to that of an initial ISO 27001 certification assessment, with the assessor first conducting a half-day readiness review, either remotely or as part of an existing visit, in which you will discuss the changes that should have taken place in your transition. The readiness review is in place to ensure the transition assessment goes as smoothly as possible and to help you avoid losing your certification as a result of the transition. It will allow you to identify whether you are on track with your implementation of the changes, how much time will be required for the assessment, and which locations the assessor needs to visit (if you have more than one).
This is then followed by the transition assessment itself, where the assessor will review the evidence for your implementation of ISO 27001:2022.
What BSI Assessors are Expecting to See
Readiness review
In the readiness review, the auditor will have a list of changes that have been made to the Standard, and will ask questions about each of these changes to ensure you have considered and implemented them, and to establish whether these changes are working within your organisation. They will also want to see that the 2013 version is still up and running, as it is very important that while you focus on successfully implementing the changes during the transition period, the existing ISMS is still functioning as it should be.
Following this, the assessor will amend any visit plans if you need more time to meet the new requirements of the Standard, and make sure a date is booked for your transition assessment.
Transition assessment
While the readiness review is about your assessor establishing whether the ISMS exists and is aligned with the new version of the Standard, the transition assessment itself is all about evidencing the implementation within your organisation. It is not sufficient to simply have written new processes and documentation; you will need to be able to demonstrate that the processes have been put into practice. The assessment will focus on providing proof and putting your assessor in a live environment to show them real-world examples of the management system in operation. Transition assessments will primarily center around the management system changes, as it is the ISMS that is being certified, however the assessor will also want to see that the 11 new controls have been considered as part of your risk assessment and that your statement of applicability (SoA) has been updated accordingly.
At the end of this, your auditor will (hopefully) make a recommendation for certification, which is the best possible outcome you can achieve at this stage. The actual certification decision is made later, following some technical and compliance checks, but when a positive recommendation has been made, this is generally a good sign that your certification has been successful. Recommendations can be made after the ISO 27001 audit if there are any areas of nonconformity which need to be resolved with corrective action plans, but the ideal situation would be for the recommendation to be made there and then.
Closing Thoughts
As the withdrawal date for ISO 27001:2013 approaches, it is becoming increasingly important for organisations which are yet to migrate to ISO 27001:2022 to establish a clear timeframe for the completion of both their transition and their transition assessment. By ensuring you have a comprehensive understanding of how long your organisation has left to complete its transition, what’s involved in transition assessments, and what you will be expected to demonstrate to your assessor, you will be well-placed to achieve a seamless and successful transition and avoid any unwelcome surprises during the process.
How URM Can Help
Consultancy
As one of the first UK organisations to certify against ISO 27001:2022, our understanding of the process of ISO 27001 transition assessments is drawn from first-hand experience. Our large team of ISO 27001 consultants can assist you in your preparation for transition by conducting a gap analysis where we will evaluate the conformance of your current ISMS against the requirements of ISO 27001:2022, identifying any areas for remediation both in terms of mandatory management system clauses and Annex A controls. We can also help you transition your risk assessments by using our automated risk assessment tool, Abriska 27001 which is populated with all the new controls, as well as allowing you to take advantage of the new attribute functionality seen in ISO 27002:2022, the sister standard to ISO 27001. Following a risk assessment, URM’s consultants provide implementation support for any required controls, policies and processes and conduct ISO 27001 internal audits ahead of your external transition assessment, providing you with peace of mind that this assessment will be successful.
Training course
Meanwhile, attending our remote 2-day ISO/IEC 27001:2022 Transition Course, led by a practising ISO 27001 consultant, will allow you to not only learn how the Annex A controls and management system clauses have changed, but also how to transition from ISO 27001:2013 to ISO 27001:2022. Once you understand the changes to the Standard, your trainer will explain how to update your risk assessment, SoA, the approaches you can take to transitioning to the new control set, as well as how to use, link and present the new attributes.
If your organisation has received a request for a SOC 2 report and is looking to meet all the necessary requirements, URM can offer you informed guidance and practical support.
URM can help you achieve ISO 27001 certification
URM can provide a range of ISO 27002:2022 transition services including conducting a gap analysis, supporting you with risk assessment and treatment activities as well as delivering a 2-day transition training course.
We are going to explore why the focus on a risk-based approach has helped turn ISO 27001, the International ISM Standard, into such a world-beater.
Blog, produced in collaboration with BSI, discusses the timeline for transition to ISO 27001:2022 and what you can expect from your transition assessment.
URM’s blog, produced in collaboration with BSI, discusses common mistakes we have seen in early ISO 27001:2022 transitions, and how to avoid them.