ISO 27001 change process: 2013 to 2022
If a certified ISMS is changed from being compliant with ISO 27001:2013 to being compliant with the new ISO 27001:2022, is it still (in theory) going to be compliant with both versions, i.e., also the 2013 version, and suitable to be audited against the old version too? My point is that this could give flexibility for the change process, and it could be started straight away.
In theory, an ISMS compliant with ISO 27001:2022 is still compliant with ISO 27001:2013. The 2022 version, when compared to the 2013 version, did not significantly change any requirements from clauses 4 to 10, and the controls from Annex A, apart from the 11 new controls added, were only reorganized.
Considering that, this ISMS compliant with ISO 27001:2022 can be audited against ISO 27001:2013, but this does not make much practical sense. If you already made a full transition, you can be audited against ISO 27001:2022. In case your transition is partial by the time of a surveillance audit, you need to align that with your certification body, so the audit plan can consider this.
Please note that organizations have a three-year period (i.e., until October 31, 2025) to make the transition to ISO 27001:2022, so you can start your transition right now, but have plenty of time to make the transition.
For further information, see:
- ISO 27001 2013 vs. 2022 revision – What has changed? https://advisera.com/27001academy/blog/2022/02/09/iso-27001-iso-27002/
We have documents which currently align to the old ISO 27001:2013 structure and reference the old annex numbers. For the 2022 update, will we need to align our documentation with the new groupings (i.e., the 4 groups rather than the 14 annex areas), or can we simply update the documentation to include any new controls within existing policies?
For example, we have controls about physical security and monitoring in our physical security policy, which previously sat under Annex 11. Can we incorporate any new physical security controls into our existing documentation, or do we need to change the structure so that all physical security controls sit under the new Annex 7?
ISO 27001 does not prescribe how to format documentation, so organizations are free to format them as best fit their needs.
Considering that, there is no need to change the structure of your documentation. You only need to make sure references to specific controls are updated accordingly (e.g., a reference to control A.11.1.1 Physical security perimeter should be updated to A.7.1 Physical security perimeters). Regarding new controls, you can incorporate them into your existing documentation as it is.
For further information, see:
- Risk assessment https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment
- Detailed explanation of 11 new security controls in ISO 27001:2022 https://advisera.com/27001academy/explanation-of-11-new-iso-27001-2022-controls/
Dec 13, 2022