Conversion to the latest version of the standard

Companies that are certified according to the international standard ISO 27001 will have to think about converting their ISMS to the latest version of the standard in 2024. Now that the final version of the German translation will finally be available in January 2024, all German-speaking standard users – and of course everyone else 🙂 – can get to work.

What needs to be considered? Firstly, it is worth taking a look at which standards are actually relevant for the changeover. In the following, we assume that the management system has been certified by an accredited certification body. The IAF (International Accreditation Forum) is the body that defines the relevant rules. The latest version of the IAF document MD 26 (as at January 2024: version dated 15 February 2023 – IAF MD 26:2023, Issue 2) is authoritative for the requirements for conversion. The respective ABs (Accreditation Bodies – in Germany: the DakkS) and the accredited CABs (Conformity Assessment Bodies = the certification bodies) define the steps to be carried out for transitions in accordance with MD 26.

Two deadlines must be observed

Accordingly, two deadlines are important: From 30 April 2024 – 18 months after publication of the latest standard version ISO/IEC 27001:2022 – initial certifications and recertifications of ISMS by accredited certification bodies are only possible in accordance with the latest standard version ISO/IEC 27001:2022. The second deadline applies to organisations that are already certified and are within the current validity period of their certificate: By 31 October 2025, all certified organisations must have been upgraded to the latest version of the standard by their certification body.

For organisations that are about to be certified for the first time, a decision must be made on which version of the standard to apply. As a rule, from today’s perspective (1st quarter 2024), it should no longer make sense to certify according to the “old” version of the standard. Exceptions could be special regulatory requirements where industry-specific requirements still refer to the previous version of the standard and a changeover in the near future is not to be expected. Such cases should always be examined carefully.

Switch to the new ISO 27001 standard at an early stage

For organisations that are already certified, it is worth contacting their certification body in good time regarding the changeover. Even if there is still some time until October 2025, we expect certification resources to become increasingly scarce as time progresses. In order to meet the deadline, it is therefore advisable to start the changeover as early as possible.

And how much work is involved in converting the ISMS? It is difficult to give a general answer to this question, but the IAF states in the above-mentioned document that “the impact of ISO/IEC 27001:2022 on organisations that have implemented an ISMS need not be significant”.

Do you have further questions about migrating your ISO 27001 ISMS to the latest version of the standard? We will be happy to provide you with a free initial consultation.


Share post

More articles

What exactly is examined during ISO 27001 certification? There are many myths surrounding this question. Many believe that “IT security” is audited. Others think that compliance is put through its paces – in terms of...
Risk precautions are supposedly just as unwelcome as health precautions. But they are just as important! Various studies prove: Attacks on IT systems and applications are increasing significantly. The consequences are financially devastating. At the...
Although the new year is already a few days old, annual kick-off events are still in full swing everywhere. So we too have been thinking about what to expect in terms of information and IT...