3 May 2023

Seven steps to ISO 27001:2022


What is ISO 27001?

ISO 27001 (formally ISO/IEC 27001) is the international standard for information security management systems (ISMS), published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It specifies the requirements for establishing, implementing, maintaining and continually improving an organisation's ISMS.

The standard requires organisations to identify and assess the risks to their information assets, to decide how each risk will be treated, and to implement the controls chosen for that purpose; the selected controls, and the justification for including or excluding each Annex A control, are recorded in a Statement of Applicability. It also requires a documented information security policy and an ISMS, with management commitment and internal audits, that keeps the policy in force and under review.

ISO 27001 is applicable to all types of organizations, regardless of their size, nature of business, or industry sector. It is particularly relevant to organizations that handle sensitive information such as personal data, financial information, and intellectual property. Compliance with ISO 27001 demonstrates an organization's commitment to information security and provides assurance to customers, partners, and stakeholders that their information is protected.

Certification to ISO 27001 is an assessment of the organisation's ISMS by an accredited certification body. The assessment reviews the information security policy, the scope of the ISMS, the risk assessment and risk treatment methodology, the Statement of Applicability and the effectiveness of the controls that have been implemented. A certificate is valid for three years; during that cycle annual surveillance audits verify that the ISMS is being maintained and improved, and a recertification audit is carried out before the certificate expires.

The benefits of ISO 27001 certification include:

  • Improved Information Security: The standard provides a framework for the development and implementation of an effective ISMS, which can help to reduce the risk of information security breaches and improve the protection of sensitive information.
  • Increased Customer Confidence: ISO 27001 certification demonstrates an organization's commitment to information security, which can help to build trust with customers, partners, and stakeholders.
  • Compliance with Regulations: ISO 27001 is recognized by many regulatory bodies as an appropriate framework for the management of information security, which can help organizations to comply with regulatory requirements.
  • Competitive Advantage: ISO 27001 certification can provide a competitive advantage by demonstrating a commitment to information security and giving customers confidence in the organization's ability to protect their information.
  • Improved Efficiency: An ISMS gives information security a defined set of processes with clear ownership, which makes those processes easier to run and review, and helps to reduce the number of security incidents and to limit the impact of those that do occur.

In summary, ISO 27001 provides a framework for the development, implementation, and continuous improvement of an organization's Information Security Management System. Certification to ISO 27001 demonstrates an organization's commitment to information security and can provide a range of benefits, including improved information security, increased customer confidence, compliance with regulations, competitive advantage, and improved efficiency.

The revised standard ISO 27001:2022 was published on 25 October 2022. It contains a number of minor changes to the main clauses and a fully revised Annex A, which now lists 93 controls grouped into four themes (organisational, people, physical and technological) instead of the previous 114 controls in 14 domains. The updated standard is subject to a three-year transition period, meaning certified organisations must have switched over by 1 November 2025.

A path towards ISO 27001

Below you can read about the seven steps required to carry out the transition audit:

When can you switch to ISO 27001:2022?

At recertification

In this case an additional half day of audit time is charged. This differs from what was communicated earlier and follows an update to a notice from the International Accreditation Forum (IAF).

At the annual follow-up (surveillance) audit

Kiwa will schedule and charge an additional audit day for this, plus the cost of issuing a new certificate.

If you wish to make the switch, please let us know as soon as possible, preferably four months before the audit. Kiwa will then issue a Confirmation Change Order (BWO), after which our planning department will make the further arrangements with you.


What does the transition period look like?

When a standard is revised, a transition period is set; for ISO 27001:2022 it is three years. Within this period all certificate holders must comply with ISO 27001:2022. In short:

  • From 1 March 2023, Kiwa can perform audits according to ISO 27001:2022;
  • The transition period for ISO 27001:2022 ends on 1 November 2025;
  • Until 1 May 2024, Kiwa may perform initial audits and recertifications against ISO 27001:2017 (the European adoption of ISO/IEC 27001:2013); after that date these audits will be performed against ISO 27001:2022 only;
  • Follow-up (surveillance) audits may be conducted against ISO 27001:2017 until 1 November 2025.