Secure your company: This is what you should know about the ISO/IEC 27001:2022 standard revision!

We have an existing information security management system (ISMS) certified to the ISO/IEC 27001:2013 standard.


1. What is our deadline for updating our ISMS so that it complies with the new ISO/IEC 27001:2022 standard?

The corresponding audits must be completed and passed by September 2025 at the latest. Please contact your Lead Auditor and plan this step into your schedule in good time, ideally as part of an existing planned audit.

2. For how long will our current certificate remain valid?

Existing and recently issued ISO/IEC 27001:2013 certificates will remain valid until 31 October 2025 at the latest.

3. Will the term of our certificate change?

No, even if you have passed a transition audit, the original three-year certificate term will apply.

4. What is the earliest date we can be recertified under the new standard?

SQS’s accreditation application will be assessed by the Swiss Accreditation Service (SAS) from 30 April 2023 at the earliest. We assume that the SAS will make its decision on issuing its accreditation to SQS during Q2 2023. Please refer to this website or your Lead Auditor for updates.

5. If we have to change our ISMS, will SQS perform a normal monitoring audit or a full early recertification audit?

The transition audit can be performed as part of a recertification, a monitoring audit or as a separate planned audit. No additional recertification is required. Your Lead Auditor will be happy to provide further information.

6. Will this involve additional costs?

If the transition is carried out as part of a regular (or early) recertification, additional costs of at least 4 hours will be incurred; in all other cases it will be at least 8 hours. Your lead auditor will be happy to prepare an offer for you. In any case, the normal costs for issuing a new certificate will also be incurred.

7. What will happen to our certificate if we recertify under the ISO/IEC 27001:2013 standard until 30 April 2024?

The latest date for recertification under the ISO/IEC 27001:2013 standard is 30 April 2024. The audit must be performed by the end of March 2024. If you then pass the transition audit by September 2025 at the latest, you will receive a new ISO/IEC 27001:2022 certificate. The certificate term remains the same as for the current certificate. Please discuss this with your Lead Auditor and plan this step into your schedule in good time, ideally as part of an existing planned audit.

8. What will the auditors check before the actual transition audit?

Create a gap analysis for the change to the ISMS at your company and submit the results to your Lead Auditor, along with your updated Statement of Applicability (SoA) and updated risk management plan, before the actual transition audit. The Lead Auditor must read through this information in advance so that they can take the complexity, and therefore the duration, of the transition audit into consideration in their offer.

9. What will the auditors check during the transition audit?

They will verify:

  • the change to your ISMS as per your gap analysis, i.e. in line with the changed requirements in Sections 4-10 of ISO/IEC 27001:2022, plus
  • evidence of the implementation and effectiveness of the new or amended Annex A controls that you have declared applicable in your ISMS.


We want to have an ISMS certified by SQS for the first time

1. What is the earliest date we can be certified under ISO/IEC 27001:2022?

Our accreditation application will be assessed by the Swiss Accreditation Service (SAS) from 30 April 2023 at the earliest. We assume that the SAS will make its decision on issuing its accreditation to SQS during Q2 2023. Please refer to this website or your Lead Auditor for updates.

2. What does the new certificate cost?

The costs will remain similar to those currently in place. Please contact us so that we can create an offer for you.

3. When will SQS stop performing certifications under ISO/IEC 27001:2013?

The latest date for certification under the ISO/IEC 27001:2013 standard is 30 April 2024. The audit must be performed by the end of March 2024.

4. How long will an ISO/IEC 27001:2013 certificate remain valid?

Recently issued ISO/IEC 27001:2013 certificates will remain valid until 31 October 2025 at the latest.

5. What is our deadline for updating our ISO/IEC 27001:2013-certified ISMS so that it complies with the new ISO/IEC 27001:2022 standard?

The corresponding audits must be completed by September 2025 at the latest. Please contact your Lead Auditor and plan this step into your schedule in good time, ideally as part of an existing planned audit. Please also refer to the answers to questions 1-9 in the section above for organisations with an existing certified ISMS.

6. What will happen to our certificate if we are certified under ISO/IEC 27001:2013 now, and then under ISO/IEC 27001:2022 following a transition audit?

If you pass the transition audit by September 2025 at the latest, you will receive a new ISO/IEC 27001:2022 certificate. The certificate term remains the same as for the current certificate. Please discuss this with your Lead Auditor and plan this step into your schedule in good time, ideally as part of an existing planned audit.

Simon Maurer