ISMS Transition Process


  • Transition of ISO 27001:2013 to ISO 27001:2022:

    ISO/IEC 27001, or ISO 27001, is the international standard that defines best practices for implementing and managing information security controls within an information security management system (ISMS). ISO/IEC 27001 is one part of the overarching ISO 27000 family of security standards determined by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The purpose of ISO 27001 is to address how organizations establish, monitor, maintain, and improve their ISMS to keep their data, documents, and other information assets secure.

    The 2022 version of ISO 27001 was published on 25th October 2022. With this release, ISO 27001:2013 will be withdrawn. Companies certified to the ISO 27001:2013 standard have to transition their certificate to ISO 27001:2022, and there is a 3-year transition period until November 2025. We recommend starting the transition preparations now. The aim of ISO 27001:2022 is to help organizations manage controls more effectively by grouping them into four clear 'themes': organizational, people, technological and physical. This key change aims to achieve greater clarity, focus and accountability for information security within an organization. Until October 2025, i.e. within 3 years of the date of publication of ISO 27001:2022, certifications issued against both ISO 27001:2013 and ISO 27001:2022 remain valid, but the transition needs to be completed by 25th October 2025; beyond October 2025, certifications against the older standard will not be recognized. TNV has planned its activities to permit the migration of certifications to ISO 27001:2022. The expiry date of all certifications issued against ISO 27001:2013 during the migration period must be the final date of the migration period, 25th October 2025; consequently the validity of such a certificate becomes less than 3 years, leading to increased economic costs for the organizations concerned. In order to discourage use of the old standard, starting from April 2023 (6 months from the date of publication of ISO 27001:2022) TNV shall carry out new audits against the requirements of the new standard and shall not accept any application for ISO 27001:2013.

    KEY CHANGES IN ISO 27001:2022:

    The security control changes are quite significant with 11 new, 58 updated and 24 merged. The changing scenarios being addressed in particular are:

    · Introduction of digital technologies like Cloud and automation.

    · Recent, increased adoption of such technologies.

    · Recognizing cybersecurity and privacy risks.

    · Reflecting the changing threat landscape, e.g. new types of malware and ransomware.

    · Aligning with other best practices, e.g. NIST, COBIT, etc.

    · Refreshing the control language and adding additional guidance.

    The main areas impacted by the changes are:

    · Leadership.

    · Corporate security.

    · IT function.

    · Other support functions.

    · Delivery (for service providers).

    Comparative of ISO 27001:2022 & ISO 27001:2013

    ISO 27001:2022                                                       | Clause | Clause | ISO 27001:2013
    ---------------------------------------------------------------------|--------|--------|---------------------------------------------------------------------
    Scope                                                                | 1      | 1      | Scope
    Normative references                                                 | 2      | 2      | Normative references
    Terms and definitions                                                | 3      | 3      | Terms and definitions
    Context of the organization                                          | 4      | 4      | Context of the organization
    Understanding the organization and its context                       | 4.1    | 4.1    | Understanding the organization and its context
    Understanding the needs and expectations of interested parties       | 4.2    | 4.2    | Understanding the needs and expectations of interested parties
    Determining the scope of the information security management system  | 4.3    | 4.3    | Determining the scope of the information security management system
    Information security management system                               | 4.4    | 4.4    | Information security management system
    Leadership                                                           | 5      | 5      | Leadership
    Leadership and commitment                                            | 5.1    | 5.1    | Leadership and commitment
    Policy                                                               | 5.2    | 5.2    | Policy
    Organizational roles, responsibilities and authorities               | 5.3    | 5.3    | Organizational roles, responsibilities and authorities
    Planning                                                             | 6      | 6      | Planning
    Actions to address risks and opportunities                           | 6.1    | 6.1    | Actions to address risks and opportunities
    General                                                              | 6.1.1  | 6.1.1  | General
    Information security risk assessment                                 | 6.1.2  | 6.1.2  | Information security risk assessment
    Information security risk treatment                                  | 6.1.3  | 6.1.3  | Information security risk treatment
    Information security objectives and planning to achieve them         | 6.2    | 6.2    | Information security objectives and planning to achieve them
    Planning of changes                                                  | 6.3    | 6.3    | Planning of changes
    Support                                                              | 7      | 7      | Support
    Resources                                                            | 7.1    | 7.1    | Resources
    Competence                                                           | 7.2    | 7.2    | Competence
    Awareness                                                            | 7.3    | 7.3    | Awareness
    Communication                                                        | 7.4    | 7.4    | Communication
    Documented information                                               | 7.5    | 7.5    | Documented information
    General                                                              | 7.5.1  | 7.5.1  | General
    Creating and updating                                                | 7.5.2  | 7.5.2  | Creating and updating
    Control of documented information                                    | 7.5.3  | 7.5.3  | Control of documented information
    Operation                                                            | 8      | 8      | Operation
    Operational planning and control                                     | 8.1    | 8.1    | Operational planning and control
    Information security risk assessment                                 | 8.2    | 8.2    | Information security risk assessment
    Information security risk treatment                                  | 8.3    | 8.3    | Information security risk treatment
    Performance evaluation                                               | 9      | 9      | Performance evaluation
    Monitoring, measurement, analysis and evaluation                     | 9.1    | 9.1    | Monitoring, measurement, analysis and evaluation
    Internal audit                                                       | 9.2    | 9.2    | Internal audit
    General                                                              | 9.2.1  |        |
    Internal audit programme                                             | 9.2.2  |        |
    Management review                                                    | 9.3    |        | Management review
    General                                                              | 9.3.1  |        |
    Management review inputs                                             | 9.3.2  |        |
    Management review results                                            | 9.3.3  |        |
    Improvement                                                          | 10     | 10     | Improvement
    Continual improvement                                                | 10.1   | 10.1   | Nonconformity and corrective action
    Nonconformity and corrective action                                  | 10.2   | 10.2   | Continual improvement

    While some controls appear to have been merged, other controls look new and might require some tweaking of existing implementation:

    ISO 27001:2022                                           | ISO 27001:2013
    ---------------------------------------------------------|---------------------------------------------------------------------
    A.5.7 Threat intelligence                                | A.6.1.4 Contact with special interest groups
    A.5.16 Identity management                               | A.9.2.1 User registration and de-registration
    A.5.23 Information security for use of cloud services    | A.15.x Supplier relationships
    A.5.29 Information security during disruption            | A.17.1.x Information security continuity
    A.5.30 ICT readiness for business continuity             | A.17.1.3 Verify, review and evaluate information security continuity
    A.7.4 Physical security monitoring                       | A.9.2.5 Review of user access rights
    A.8.9 Configuration management                           | A.14.2.5 Secure system engineering principles
    A.8.10 Information deletion                              | A.18.1.3 Protection of records
    A.8.11 Data masking                                      | A.14.3.1 Protection of test data
    A.8.12 Data leakage prevention                           | A.12.6.1 Management of technical vulnerabilities
    A.8.16 Monitoring activities                             | A.12.4.x Logging and monitoring
    A.8.23 Web filtering                                     | A.13.1.2 Security of network services
    A.8.28 Secure coding                                     | A.14.2.1 Secure development policy

    Validity of certifications issued under the existing version, i.e. ISO 27001:2013

    ISO 27001:2013 certifications will not be valid after three years from publication of ISO 27001:2022, i.e. 31st October 2025. The expiry date of certifications to ISO 27001:2013 issued during the transition period needs to correspond to the end of the three-year transition period; the last possible date would be 31st October 2025.

    TNV shall issue certificates under ISO 27001:2022 only after IAS (the Accreditation Board) has approved TNV to issue certificates under the new version, ISO 27001:2022. TNV shall conduct an audit of each client against its application for certification to ISO 27001:2022. TNV has taken the consent of the client under the Client Agreement (TNV F 004), and as per that agreement it is agreed that TNV can conduct transition activities during any of the following:

    · Routine surveillance audit, or

    · Recertification audit, or

    · A special audit.

    Transition Audit and Audit Duration:

    Where transition audits are carried out in conjunction with scheduled surveillance or recertification (i.e. a progressive or staged approach), additional time shall be required to ensure that all activities are covered for both the existing and the new standard. Certification to the new standard, ISO 27001:2022, may be granted only after conformance to ISO 27001:2022 has been demonstrated:

    i) TNV shall start accepting transition requests by April 2023. TNV plans a single-visit approach in the normal case, but on special request from the client a staged process may be adopted. The transition may be carried out either by a special audit for the transition or together with the surveillance audit. Man-days for the transition shall be as follows:

    a. In case of a special audit, one third of the initial audit man-days, subject to a minimum of 1 man-day.

    b. In case of a transition audit planned with the surveillance audit, the duration of the surveillance audit shall be increased by 20% of the required man-days, subject to a minimum of 0.5 man-days.

    c. In case of a transition audit planned with the recertification audit, the audit duration shall be increased by 20% of the required man-days, subject to a minimum of 0.5 man-days.

    ii) Certificates issued under ISO 27001:2013 shall not be affected and shall remain valid until the validity date of the certificate issued under the old version of the standard (25th October 2025).

    iii) TNV shall issue certificates for ISO 27001:2013 with an expiry date on or before 25th October 2025, and this date can be extended to 25th October 2022. If the client fails to complete the transition within three years after the publication of ISO 27001:2022, the certificate shall expire. This clause shall not affect TNV's surveillance requirements. If the transition is not completed during the validity period of the standard, the whole certification process shall be required again (Stage 1 and Stage 2 audits become necessary for certification to be reinstated).

    During the transition, TNV shall include and consider the following:

    · All issues that require client action for compliance with the new requirements should be clearly identified and raised as documented findings.

    · Only when all identified outstanding issues have been appropriately addressed and the effectiveness of the management system has been demonstrated can approved auditors recommend certification to the ISO 27001:2022 standard.

    · Records should be available to demonstrate that all prior transition audit findings have been evaluated for corrective action and compliance before any recommendation for approval to ISO 27001:2022 can be made.

    · Evaluation of a client's conformance to the new requirements during the transition phase does not interfere with the client's on-going conformance to ISO 27001:2013.

    Common Guidelines for transition:

    TNV shall take the following actions for transition to ISO 27001:2022:

    1. Identify organizational gaps which need to be addressed to meet the new requirements. Clients may refer to "GAP Analysis of ISO 27001:2022", Annexure 01 of this document.

    2. Develop an implementation plan.

    3. Provide appropriate training and awareness for all parties that have an impact on the effectiveness of the organization.

    4. Update the existing Information Security Management System (ISMS) to meet the revised requirements and provide verification of effectiveness.

    5. Liaise with TNV (your Certification Body) for transition arrangements.

    All clients need to complete the transition before the expiry date of the old ISMS standard, ISO 27001:2013. This means that a Management Systems Certificate issued under the ISO 27001:2013 standard may be valid until 25th October 2025 only, and the transition to ISO 27001:2022 must take place before this date.
