Standards Council of Canada

SCC Accreditation Services Bulletin #2022-25 – ISO/IEC 27001:2022 transition and ISO/IEC 27002:2022 publication

2022/12/20

Bulletin number:

2022-25

Affected program:

Management Systems (all programs)

Action required

Take note that the following are published:

ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection — Information security management systems — Requirements
IAF MD26:2022 Transition Requirements for ISO/IEC 27001:2022 (PDF)
ISO/IEC 27002:2022 Information Security, cybersecurity and privacy protection – Information security controls (this document also provides guidance on transition requirements for ISO/IEC 27001:2022)

SCC ISMS customers are required to transition to ISO/IEC 27001:2022 according to the requirements listed in MD 26.

Affected customers

All SCC-accredited Information Security Management System Certification Bodies, applicants, assessors and other relevant stakeholders.

Background

ISO/IEC 27001:2022 was published in October 2022 following the preparation of ISO/IEC 27001:2013/AMD1:2022. It updates relevant text in ISO/IEC 27001:2013 according to ISO/IEC 27001:2013/COR 1:2014, ISO/IEC 27001:2013/COR 2:2015 and ISO/IEC 27001:2013/AMD1:2022.

The key changes and their impact are detailed in MD 26:2022 starting on page 5.

New requirements

Document review required

SCC shall conduct the technical document review to confirm whether or not conformity assessment bodies (CABs) are competent for ISO/IEC 27001:2022. SCC will be ready to complete these reviews beginning February 28, 2023. An exception to this timeline may be applied if a CAB is ready to proceed before February 28, 2023. The CAB must communicate in writing with their Account Manager to be considered for an exception. Exception will only be granted if the CAB meets all requirements indicated below.

SCC shall transition all CABs no later than August 31, 2023. The Scope of Accreditation will be revised when the transition process is complete, and CABs must have an updated Scope of Accreditation to begin assessing against ISO/IEC 27001:2022.

SCC shall determine the suitability of the CAB’s transition arrangement and, if applicable, the effectiveness of its implementation through reviewing the following information submitted by the CAB:

the gap analysis of the changes in ISO/IEC 27001:2022;
the transition arrangement and its implementation evidence;
the authorization of the related personnel;
the other relevant information deemed necessary by AB.

Technical Assessment at CAB Head Office

If SCC can obtain sufficient evidence through the CAB technical document review, then a CAB head office assessment is not required. If SCC is not able to verify the effective implementation and conformance with the CAB’s transition arrangement, then an office assessment is required.

CAB’s Arrangements

CABs shall establish their transition arrangement for ISO/IEC 27001:2022 considering the requirements in MD 26: 2022 and SCC’s transition arrangement.

The transition arrangement shall address what the CAB shall do and what the client shall do. The CAB may have several separate documents to address the transition arrangement.

The transition arrangement shall include at least the consideration of the following:

the changes in ISO/IEC 27001 and the gap analysis;
the need to modify the related certification processes, documents and, if applicable, IT systems for managing certification activities;
the relevant personnel are competent for ISO/IEC 27001:2022 and transition process；
the audit team, as a whole, shall have knowledge of all controls contained in ISO/IEC 27002:2022 and their implementation (see ISO/IEC 27006:2015, 7.1.2.1.3 b);
the transition audit programme;
there is a timely communication to the clients on the transition programme, such as the timeline, transition audit approach, and the consequences if the client fails to transition prior to the end of the transition period.

CABs are encouraged to plan and begin required actions at the earliest opportunity.

Deadline

SCC Timescale

SCC is ready to assess to ISO/IEC 27001: 2022 no later than February 28, 2023
All initial assessments by SCC to ISO/IEC 27001:2022 to begin no later than February 28, 2023
SCC has completed all transitions of CABs by August 31, 2023

CABs Timescale

Initial certification by CAB to ISO/IEC 27001: 2022 to begin no later than August 31, 2023
CAB transitions of certified clients completed by August 31, 2025

Questions?

Please contact Abdel Kassou, Manager, Compliance and Assessment Services, at abdel.kassou@scc.ca or +1 613 238 3222 for more information.

Breadcrumbs