ISO 27001:2022 – Transition process

In this article we describe the planned process for the transition from ISO 27001:2017 to ISO 27001:2022. We try to inform you as well as possible about how we deal with offering, planning and conducting audits, issuing certificates and the costs. 

Follow the ISO 27001:2022 transition training

Would you rather be talked through the changes in ISO 27001:2022? An ISO 27001 auditor will explain everything about the changes in this training.

Version 2017 or 2022? 

As of February 1, 2023, we offer new customers proposals for ISO 27001:2022 certification processes. 

Customers who have already received a proposal for ISO 27001:2017 are basically audited against that version of the standard. However, an initial ISO 27001:2017 audit may no longer be performed after 1 May 2024. This means that if you wish to start a certification process after 1 May 2024, you must have set up your management system based on ISO 27001:2022. This also applies to recertifications, these can no longer be performed against the old version of the standard after this date.

Transition audit ISO 27001:2022

If your organization already is certified for ISO 27001:2017, a transition audit must take place to the new version of the standard. Preferably, this transition audit is scheduled as a separate audit, so that both you and the auditor can fully focus on the changes in the management system. 

The following steps must be planned and carried out for the transition audit: 

• When you are ready (or know when you will be ready) for the audit to take place, please contact us at: planning@brandcompliance.com, +31 (0) 73 220 20 30. Your audit will then be scheduled by a Brand Compliance Customer and Project Coordinator. 
• You will receive an audit plan with the subjects that will be discussed at least during the transition audit. 
• The separate transition audit takes 6 hours, for which the agenda below will be used.
  • Opening meeting;
  • Explanation from you on the transition to the new standard;
  • Audit on the changes in the ISMS (gap between ISO 27001:2017 and ISO 27001:2022);
  • Audit on the updated Statement of Applicability;
  • Audit on the update of the risk treatment plan;
  • Audit on the implementation and effectiveness of the new or changed controls chosen by you. You must determine this by means of an internal audit and management review in relation to the new standard;
  • Closing meeting.
• Our auditor prepares an audit report. 
• You will receive the report after it has been internally reviewed. 
• If nonconformities are found, you will be given a term to deal with them. 

When the conditions of ISO 27001:2022 are met, the time has come for you to receive a new certificate! The ISO 27001:2022 certificate will contain the same expiration date as your current certificate. 

Transition activities 

For the above activities, at least one day of work will be delivered; this includes: 

• The audit (6 hours); 
• Drafting the report (2 hours); 

After the audit day, the following activities will be carried out for you:

• The administrative handling of the audit; 
• The certification process; 
• Drawing up, registering and issuing the new certificate. 

If nonconformities are found during the audit, Brand Compliance may need more time in total to complete the transition process. 

Transition period ISO 27001:2022

The transition period has an end date of October 31, 2025. If the requirements of the new ISO 27001:2022 are not met at the end of this period, the current certificate will be revoked. 

Additional information 

Any further questions regarding the transition process? View the FAQ or our news article about accreditation. You can also contact Brand Compliance at info@brandcompliance.com on telephone number +31 (0)73 220 2000.