the implementation of new or modified control measures;
the effective functioning of these control measures.
Logically, the auditor therefore assesses all sections from H4 to H10 of the standard that have been amended, all new or amended controls, the internal audit activities and the management review.
What should be included in the gap analysis?
There are no fixed requirements for the content of a gap analysis. It is important that during the transition audit it can be demonstrated that an organization has insight into the changes of ISO 27001:2022 compared to ISO 27001:2017, which actions result from these changes, how these actions are planned, how these actions have been implemented and how the organization has determined whether the changes have been effectively implemented in the management system.
Should a new internal audit be performed after implementation of the changes?
An organization must determine whether the changes from ISO 27001:2022 compared to ISO 27001:2017 have been effectively implemented in the management system. The internal audit process is a means of assessing this effectiveness.
Should a new management review be carried out after implementation of the changes?
An organization must determine whether the changes from ISO 27001:2022 compared to ISO 27001:2017 have been effectively implemented in the management system. The management review process is a means of evaluating effectiveness.
Can the auditor identify nonconformities in a transition audit and what are the consequences for the transition?
It is possible that during the transition audit, the auditor determines that certain requirements are not met. The auditor then writes a nonconformity. If nonconformities are found, you will be given a term to deal with them. When the conditions of ISO 27001:2022 are met, the time has come for you to receive a new certificate! The ISO 27001:2022 certificate will contain the same expiration date as your current certificate.
Until what date can initial audits and recertifications be performed against the old version of ISO 27001?
From November 1, 2023, initial audits and recertifications against ISO 27001:2017 can no longer be performed.
After the transition audit, how long will it take to receive the new certificate?
After the transition audit, the auditor draws up a report. The audit report is reviewed internally, before it is sent to you. When nonconformities have been identified, so-called ‘nonconformity forms’ are prepared for you so that you can fill them in.
After any nonconformities have been resolved to the satisfaction of your auditor, the auditor will nominate you for certification. This nomination goes to a so-called certification committee, which once again independently assesses your file. If the certification committee comes to the same conclusion as the auditor, the file is transferred to the certification decision maker for a final decision. Once this decision has been made, a certificate will be drawn up based on the information from the audit report.
How does the transition work with certification on multiple standards? (e.g. ISO 27001:2022 with NEN 7510:2017)
You can have the transition audit take place in combination with another standard, for example NEN 7510. However, for ISO 27001, the new controls in Annex A of the 2022 version are examined, while for the NEN 7510:2017, the controls from Annex A of the 2017 version are still being considered.
For customers already certified for ISO 27001, we have published the transition process from the current to the new standard in the knowledge base on our website. Also see the news article on the ISO 27001 accreditation.