Companies that are certified according to the international standard ISO 27001 will have to think about converting their ISMS to the latest version of the standard in 2024. Now that the final version of the German translation will finally be available in January 2024, all German-speaking standard users – and of course everyone else 🙂 – can get to work.
What needs to be considered? Firstly, it is worth taking a look at which standards are actually relevant for the changeover. In the following, we assume that the management system has been certified by an accredited certification body. The IAF (International Accreditation Forum) is the body that defines the relevant rules. The latest version of the IAF document MD 26 (as at January 2024: version dated 15 February 2023 – IAF MD 26:2023, Issue 2) is authoritative for the requirements for conversion. The respective ABs (Accreditation Bodies – in Germany: the DakkS) and the accredited CABs (Conformity Assessment Bodies = the certification bodies) define the steps to be carried out for transitions in accordance with MD 26.
Accordingly, two deadlines are important: From 30 April 2024 – 18 months after publication of the latest standard version ISO/IEC 27001:2022 – initial certifications and recertifications of ISMS by accredited certification bodies are only possible in accordance with the latest standard version ISO/IEC 27001:2022. The second deadline applies to organisations that are already certified and are within the current validity period of their certificate: By 31 October 2025, all certified organisations must have been upgraded to the latest version of the standard by their certification body.
For organisations that are about to be certified for the first time, a decision must be made on which version of the standard to apply. As a rule, from today’s perspective (1st quarter 2024), it should no longer make sense to certify according to the “old” version of the standard. Exceptions could be special regulatory requirements where industry-specific requirements still refer to the previous version of the standard and a changeover in the near future is not to be expected. Such cases should always be examined carefully.
For organisations that are already certified, it is worth contacting their certification body in good time regarding the changeover. Even if there is still some time until October 2025, we expect certification resources to become increasingly scarce as time progresses. In order to meet the deadline, it is therefore advisable to start the changeover as early as possible.
And how much work is involved in converting the ISMS? It is difficult to give a general answer to this question, but the IAF states in the above-mentioned document that “the impact of ISO/IEC 27001:2022 on organisations that have implemented an ISMS need not be significant”.
Do you have further questions about migrating your ISO 27001 ISMS to the latest version of the standard? We will be happy to provide you with a free initial consultation.