Managing the transition to ISO/IEC 27001:2022

We are starting to see the first effects of the transition. For some months now, renewals and new certifications have only been possible against ISO/IEC 27001:2022. Some surveillance audits are also starting to be used to attach the transition to normal certificate maintenance activities.

So far, nothing special.

The point is that the closer we get to the deadlines, the more any critical issues that are detected will become a problem. If we then add regulatory impacts such as NIS2, Cyber Act, DORA, etc., the landscape becomes even more complex.

Suppose we receive a major NC in a surveillance audit during this period: between follow-up audits and annexes, we are looking at around 3 months to resolve the non-conformity. If the certificate is suspended (because the follow-up went wrong), remediation will take about 5 months in total. That takes us to the end of 2024, still in a relatively safe zone, provided the transition has been set up correctly.

If, however, we approach the beginning of the new year without having done anything, the timeframe becomes increasingly tight until it is almost unmanageable should problems arise (from the first quarter of 2025 onwards).

To this we must add the natural expiry of certificates and the timing for annual surveillance.

In short, a tight fit that needs to be considered very carefully.

It is true that the deadline for the transition is 31/10/2025, but it is also true that you need to book the audit, find qualified auditors for the transition, prepare, produce the necessary documented information, complete the necessary PDCA cycles, demonstrate the effectiveness of the ISMS, etc.

Main steps of the transition

So, given the above, six months is a realistic amount of time in which to face a transition with relative peace of mind.

I will try to summarise here the (main) steps needed to cope with the transition:

· Carry out a gap analysis (needed by almost all organisations)

· Implement the differences in requirements (in practice there are changes, more or less significant, in every requirement of the standard)

· Re-engineer risk management to cover the new (11) controls and adjust the others that have been modified and/or merged (82)

· Update the SoA

· If you hold a certification extension for ISO/IEC 27017, ISO/IEC 27018 and/or ISO/IEC 27701, you must also manage the impact of the changes to the Annex A controls of ISO/IEC 27001 on those extensions

· Update the ISMS documentation

· Train staff

· Implement the ISMS as defined

· Gather evidence of the effectiveness of the ISMS

· Reschedule and complete internal audits

· Carry out the management review

A list of extraordinary activities that currently come on top of the ordinary activities of the ISMS.

What actually happens?

Here are the main problems I have encountered in the field (as an auditor) to date:

· Lack of knowledge of the new features introduced in ISO/IEC 27001 (not least AMD 1 for climate change), with significant impacts on the ISMS. For example, the 2 ‘errors’ in the original ISO/IEC 27001 were not spotted and handled by everyone. It sounds trivial, and it is: the errors should have no impact if you know the standard and management systems.

· Absence of a plan, based on a gap analysis, to manage the activities needed to ensure the effectiveness and conformity of the system (during and after the transition), including the link to the change management requirements of ISO/IEC 27001 (see requirements 6.3, 8.1, etc.).

· New controls not included, or applied/excluded by default, without justification or realistic analysis.

· Controls not re-evaluated using the attributes of ISO/IEC 27002 and therefore not aligned with the ‘views’ associated with policies, contracts, regulations, etc.

· Weak training of ISMS managers and internal auditors (who often do not ‘see’ the NCs that are later identified during audits of the organisation)

· Underestimation of the time needed to complete the transition and overestimation of the skills required

· Poor evidence of effectiveness, due to underestimating the time and effort required to demonstrate that ISMS processes and controls are effective.

· ….

Rexilience for you

Let us say from the outset that this is a tactical project (if not a strategic one for some certification-bound organisations) that cannot be improvised or managed by people without in-depth expertise and experience, not only of the standard but also of certification processes.

Our customers completed the transition on time and with clear costs/activities. Nothing was left to chance. This is due to the fact that the consulting team has 20 years of expertise on these issues.

Let’s avoid the ‘cousins’ (everybody’s cheap expert) and those who reinvent themselves as consultants for the occasion. Or at least let’s talk to those who know, before accepting the lowest offer or, even worse, that of the consultant who deals with something else entirely and who invents the title ‘super-cyber-specialist-advisor-auditor-certified-senior consultant’ for the occasion.

We are available, even if only for a proactive discussion.

Fabrizio Cirilli

Senior Partner – Rexilience Srl