ISO/IEC 27001:2022 was published on 25th October 2022 and over the next three years it will replace the existing standard, I.S. EN ISO/IEC 27001:2017.
After Friday 31st October 2025 all I.S. EN ISO/IEC 27001:2017 certificates will expire, and certification will be formally withdrawn. Your organisation will be required to update its ISMS in line with the revised requirements and successfully complete the transition to ISO/IEC 27001:2022.
NSAI will conduct a Transition Audit before this deadline to determine if your ISMS meets the requirements of ISO/IEC 27001:2022, including revisions to Annex A. Upon successful completion, NSAI will issue you with an ISO/IEC 27001:2022 certificate.
The transition audit can take place during:
a) your annual surveillance audit;
b) your end of cycle 3-year reassessment audit;
c) as a standalone transition audit.
If the transition is done during your annual surveillance audit or as a standalone audit, the International Accreditation Forum [IAF MD 26:2022] has determined that a minimum of a half-day audit in addition to your normal audit schedule will be required to complete the transition to the new version. The additional time will be determined on an organisation-specific basis.
Your NSAI auditor will discuss and schedule your transition audit within the required timeframe. It is best practice to complete the transition no later than 3 months prior to 31st October 2025 to allow for post-audit certification requirements (closure of any nonconformities, technical review, and certification decision) and for any unforeseen eventualities.
After 31st October 2023, all initial certifications must be to ISO/IEC 27001:2022; it will no longer be possible to obtain certification to I.S. EN ISO/IEC 27001:2017.
Your NSAI auditor will contact you to discuss the transition requirements and timeframe.