top of page

ISO/IEC 27001:2022

Information Security Management Systems

ISO/IEC 27001 is the international standard recognised globally for managing risks to the security of information that an organisation hold. The standard adopts a process-based approach to a set of policies, procedures, processes and systems that manage information risks, such as cyber-attacks, data theft, unauthorised access or data breach. Information Security management is one the most important component of any organisation as it protects the confidentiality, integrity, and availability of information assets.

Certification to ISO/IEC 27001 Information Security Management Systems Standard demonstrates an organisation’s systems have been independently assessed and the commitment a company put in place in information security best practices and ICT governance.  

The ISO/IEC 27001 standard is not just suitable for large organisations but also small businesses as it enables organisations to align with global best-practice for information security management and preserves the confidentiality, integrity, and availability of information by applying a risk management process.

A woman at the office overlooking the city skyline

Benefits of ISO/IEC 27001 certification to your organization

Benefits of ISO/IEC 27001 certification to your
customers

  • Implement processes and controls that improve your organisation’s ability to identify and manage information security risks.

  • Build confidence and trust with your stakeholders by demonstrating your compliance to information security requirements.

  • Demonstrates robust security practices, thereby more opportunity for new business and improving client relationships/client retention. 

  • Improve productivity as it clearly set out information risk responsibilities across the organisation.

  • Comply with business, legal, contractual and regulatory requirements

  • Minimize the risks involved in cyber security and data breaches

  • Avoid the financial penalties and losses associated with data breaches

  • Improved confidence and assurance. Security.

  • Safeguard of personal and confidential information. 

  • Minimized risk of cyber threats and data breaches.

  • Independent audit demonstrates commitment to Information 

ISO 27001 logo_b.png
ISMS-2021-05.jpg

Transition Arrangement for ISO/IEC 27001:2022

(Latest Update)

ISO/IEC 27001: 2022 — Information security, cybersecurity and privacy protection — Information security management systems — Requirements.

 

IAF MD 26:2023 was issued on 15th February 2023, with immediate application, describing transition requirements for ISO/IEC 27001:2022, which is replacing ISO/IEC 27001:2013.

Background

ISO/IEC Directives Part 1 state that no more than 2 separate amendments shall be published modifying a current International Standard. The development of a third such document shall result in publication of a new edition of the standard. As this is the case for ISO/IEC 27001:2013 with its various amendments and corrigenda, a new version was published as ISO/IEC 27001:2022 in October 2022.

Key Changes and impact

See sections 2.2 and 2.3 of IAF MD 26:2023, available here:

 

 

Key Timescales

ISOCert intends to follow exactly the transition arrangements as outlined in IAF MD 26, clients are advised to refer directly to its provisions, but key timescales are as follows:

 

a) Initial certification and recertification by ISOCert to ISO/IEC 27001:2022 to begin no later than 18 months from the last day of publication month of ISO/IEC 27001:2022 (i.e., 30 April 2024).

 

b) ISOCert to complete the transitions of certified clients by 36 months from the last day of publication month of ISO/IEC 27001:2022 (i.e., 31 October 2025).​​

Important Date to note:

a) 25th October 2022 - ISO/IEC 27001:2022 3rd edition - Release date

b) 31st October 2022 - Transition period begins.

c) 30th April 2024 - All initial (new) certifications should be to the ISO/IEC 27001:2022 edition after this date and all recertification audits are recommended to utilize the ISO/IEC 27001:2022 edition after this date. ISOCert will continue to accept applications for certification and issue new certificates against the ISO/IEC 27001:2013 standard until this date.

d) 31st July 2025 - All transition audits should be conducted by this date.

e) 31st October 2025 - Transition period ends

f) Certificates for ISO/IEC 27001:2013 will no longer be valid after this date.

 

Note: If the client failed to complete the transition audit as per the timeline, all certifications based on ISO/IEC 27001:2013 shall expire or be withdrawn at the end of the transition period.

Preparing for your ISO/IEC 27001:2022 Transition

ISO/IEC Directives Part 1 state that no more than 2 separate amendments shall be published modifying a current International Standard. The development of a third such document shall result in publication of a new edition of the standard. As this is the case for ISO/IEC 27001:2013 with its various amendments and corrigenda, a new version was published as ISO/IEC 27001:2022 in October 2022.

Your ISO/IEC 27001:2022 Transition Audit

All organizations must have a transition audit to confirm the implementation of the revised standard. The transition audit may be conducted in conjunction with an existing audit or may be a stand-alone audit. If the transition audit is conducted in conjunction with an existing surveillance (i.e., transition surveillance) or recertification audit (i.e. transition re-assessment), additional time may be added to the audit duration in order to cover the new requirements/concepts introduced by ISO/IEC 27001:2022. If a standalone audit is carried out for the transition audit, the duration be calculated on an individual organization basis.

Note: Specific audit durations for transition will depend on the actual situation of the organization including the organization’s size and the complexity of the ISMS. As a guide, minimum of 0.5 auditor day for the transition audit when it is carried out in conjunction with a recertification audit. Minimum of 1.0 auditor day for the transition audit when it is carried out in conjunction with a surveillance audit or as a separate audit. ISOCert Client representative will advise you of your specific transition audit duration.

Revised ISO/IEC 27001:2022 Certificates

As with any audit, non-conformances identified during a transition audit will require a corrective action to be submitted and approved. An updated ISO/IEC 27001:2022 certification will be issued following corrective action approval.

 

a) Updated ISO/IEC 27001:2022 certificate issuance and validity will be as follows:

b) Transition surveillance – The organization’s existing ‘Valid Until Date’ will be maintained.

c) Transition re-assessment – A new ‘Valid Until Date’ will be issued for the renewed 3-year period.

d) Stand-alone transition – The organization’s existing ‘Valid Until Date’ will be maintained.

Contact ISOCert

Please contact us at 91054718 or 66590810. You may also email us at saju@isocert.com.sg or jean@isocert.com.sg for more details.

Business Meeting

Integrating ISO/IEC 27001 into your management system

As IMS (Integrated Management System) integrates all of an organization’s systems and processes into one complete framework, it allows an organization to work along with an unified system to achive the common objectives. The Quality, environmental and safety management systems were frequently combined and managed as an IMS. With the rise of the digital economy, data protection and information security become critical components in an organisation. Certified to ISO/IEC 27001:2022 has become an important part of an organisation who wish to demonstrate their commitment to data security.

Organisation which has been certified with ISO 9001, ISO 14001, ISO 22301 or ISO 45001 are encouraged to embark on ISO/IEC 27001 certification since it will be a smooth sailing step. Information security threats are common these days, it is important to build up a defense and minimize the risk.

bottom of page