Notification of certification bodies for management system certification on the Plan for the transition to a new edition of the standard SRPS ISO/IEC 27001:2022
On 25.10.2022, a new edition of the standard ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements, was published.
On 14.12.2022 Serbian standard SRPS ISO/IEC 27001:2022, Information security, cyber security and privacy protection – Information security management systems – Requirements, was published in 2011, with the information that it has been translated and is in the "10.99 Entered into the work program" phase. Information regarding the relevant Serbian standard can be found on the website of the Institute for Standardization of Serbia.
When considering the activities required for the certification body to transition to certification according to ISO/IEC 27001:2022, the requirements of the mandatory document IAF MD26, Transition Requirements for ISO/IEC 27001:2022 (from 09.08.2022) shall be taken into account.
Taking into account IAF MD26, which defines the requirements and deadlines for the implementation of transition activities for both certification bodies and accreditation bodies, the Accreditation Body of Serbia determined the deadlines for the following activities:

| Activity | Deadline |
|---|---|
| Getting to know the changes in the new edition of the SRPS ISO/IEC 27001:2022 standard and GAP analysis | 31.12.2022 |
| Training of ATS employees involved in ISMS certification body accreditation procedures, assessors, and experts | 31.12.2022 |
| Harmonization of management system documents | 15.01.2023 |
| Notification of certification bodies on readiness for assessment according to SRPS ISO/IEC 27001:2022 | 31.01.2023 |
| Informational seminar for certification bodies, with a special focus on the most important changes introduced by the new edition of the standard | 01.03.2023 |
| Start of assessment according to the new edition of the standard | 01.04.2023 |

The deadline for switching to accreditation according to SRPS ISO/IEC 27001:2022*
*In case the certification body does not switch to accreditation according to SRPS ISO/IEC 27001:2022 by the end of the transition period (31.10.2023), ATS shall reduce part of the scope of accreditation, or cancel accreditation if the CB is accredited only for those conformity assessment tasks.

| Activity | Deadline |
|---|---|
| Deadline until which* accreditation is valid according to SRPS ISO/IEC 27001:2014 (statement of both versions of the standard in the scope of accreditation) | 31.10.2025 |

*Only in case the transition to SRPS ISO/IEC 27001:2022 was made by 31.10.2023.

The deadline for the delivery of own transition plans* to the new edition of the SRPS ISO/IEC 27001:2022 standard with information on the possibility of obtaining a certificate from the client
*In addition to its own transition plan, which contains information regarding the timelines, the certification body also submits documented information related to the conducted GAP analysis, the method and content of informing its clients about the changes and the method of transition to certification according to ISO/IEC 27001:2022, and the activities carried out in order to train auditors and decision-makers for the new standard.

| Activity | Deadline |
|---|---|
| The deadline by which the certification body shall provide clients with initial certification according to SRPS ISO/IEC 27001:2022 | 31.10.2023 |
| The deadline by which initial certifications can be carried out according to SRPS ISO/IEC 27001:2014 | 31.10.2023 |
| The deadline by which clients shall be certified according to SRPS ISO/IEC 27001:2022 | 31.10.2025 |

Accredited certification bodies for management system certification will be enabled to prove conformity with the new edition of the standard through assessment for the purpose of extending the scope of accreditation, which can be implemented together with the implementation of regular surveillance assessment or through an independent procedure.
Assessment for the purpose of transition to the new version of the SRPS ISO/IEC 27001:2022 standard shall be carried out using an on-site assessment technique, including (where enabled by the certification body) ISMS certification. If it is not possible to provide a certificate with the client, the same will be planned during the next assessment. It is estimated that a minimum of half a man-day needs to be planned for each member of the assessment team for the transition assessment.
The assessment shall cover all the requirements of mandatory documents, including IAF MD26.
ATS shall no longer accept new applications for accreditation according to ISO/IEC 27001:2013, i.e. SRPS ISO/IEC 27001:2014.