EAS Policy on Transition

 

EAS Policy on Transition to ISO 27001:2022

The ISO 27001:2022 Information Security Management System standard is published by ISO (International Organization for Standardization).
As per the IAF (International Accreditation Forum) and JAS-ANZ (Joint Accreditation of Australia and New Zealand), the transition to the updated version is to be completed before November 2025. All existing certified clients of EAS can migrate to ISO 27001:2022 at any time during this period.

During the transition period, EAS will continue to issue certifications for ISO 27001:2013, for which the validity date shall not be later than the end of November 2025. However, organizations are recommended to change over to the latest version at least 6 months prior to the validity date of November 2025. Any certifications to ISO 27001:2013 will be removed from EAS and the JAS-ANZ register at the end of the transition period.

The exception will be if any government or regulatory authority advises JAS-ANZ that it continues to solely require organizations to hold ISO 27001:2013 certifications. In such a case, the expiry date of such certificates may be set in accordance with the routine three-year certification cycle.

Organizations applying for fresh ISMS certification can apply directly for the latest version, viz. ISO 27001:2022.

TRANSITION PROCESS

Application

Existing certified clients of EAS need to inform EAS of their decision to continue with the existing version or to migrate to the latest version. New application is available here.

Transition through routine Assessments

EAS will include sufficient time under scheduled surveillance / re-certification visits to ensure that the client has effectively implemented the requirements of the latest version of ISMS.

Audit Duration

If the transition audit is conducted along with the surveillance or re-certification audit, the audit duration may increase by a minimum of one man-day.

Additional Visits

EAS will not plan additional visits to monitor the transition except when:

  • The client requests an audit other than the planned surveillance audit.
  • The transition period is about to be over and no action has been taken by the organization during the surveillance audits.

Note: All additional visits required will be chargeable by the certification body.

Expectations at assessment

EAS assessments will cover the following:

1. Transition strategy

  • Establish, document and maintain your organization's system in line with the new standard ISO 27001:2022.
  • Implementation of the system as per the new standard ISO 27001:2022.
  • Sufficient training provided to the employees in the new standard requirements.
  • A minimum of one internal audit and management review completed after the implementation.

2. Audit Process

  • The audit will cover the requirements of the latest version ISO 27001:2022.
  • Auditing documented information in line with your process and performance.
  • Correlation between your internal audit, corrective actions and audit recommendations.
  • Extent of coverage of your interested parties' requirements.
  • Verification of management review and its effectiveness.