To certified organizations,
To guide the conversion to ISO/IEC 27001:2022 as the certification basis for information security management systems (ISMS), as required by the International Accreditation Forum (IAF), the China National Accreditation Service for Conformity Assessment (CNAS) revised the Instructions for Accrediting the Conversion to Certification Standard of ISO/IEC 27001:2022 (CNAS-EC-066:2022) and the Accreditation Scheme for ISMS Certification Bodies (CNAS-SC170:2017) in accordance with IAF MD26:2023 (2nd version), which IAF released and revised on February 15, 2023. CNAS released the revised documents on February 21, 2023.
In accordance with the relevant requirements of CNAS and IAF, CQC will carry out the work related to the conversion to the ISO/IEC 27001:2022 certification standard. The requirements related to the conversion are hereby notified as follows:
1. The conversion of all certificates issued to our clients with reference standards including ISO/IEC 27001:2013 will be completed by October 31, 2025. All certificates issued with reference standards including ISO/IEC 27001:2013 will be invalid from November 1, 2025.
2. According to the conversion requirements of CNAS, and for the benefit of our clients, CQC will not accept applications for initial certification or recertification against reference standards including ISO/IEC 27001:2013 after April 30, 2024. However, the previous version still applies to certificate changes and surveillance. For signed certification contracts that contain the reference standard ISO/IEC 27001:2013, the on-site audit and the certification decision process must be completed before the corresponding date. If the certification validation fails due to problems found in the certification decision process, clients need to establish a management system according to the requirements of the new version and apply for recertification.
3. CNAS has only just carried out the accreditation according to ISO/IEC 27001:2002, so the certificates that CQC issued before accreditation of the new standard do not bear the CNAS accreditation mark. Upon approval, CQC will replace them with certificates bearing the CNAS accreditation mark, according to the approved scope.
4. The relevant certified organizations may complete the conversion to ISO/IEC 27001:2022 in combination with an annual surveillance audit or a recertification audit. To determine whether the client's management system meets the conversion requirements, the number of on-site auditor-days shall be increased beyond that of a routine surveillance or recertification audit to cover the conversion of the standard: not less than 0.5 auditor-days for conversion in combination with a recertification audit, and not less than 1.0 auditor-days for conversion carried out separately or in combination with a surveillance audit (the specific number of auditor-days needs to be determined by reviewing the actual situation of the program).
5. For more details of the conversion, please contact the companies of the China Certification & Inspection Group or the System Certification Department of CQC.
Contact information for each company can be found at: https://ccic.e-ciie.com/cn/
Contact persons of CQC: Liu Zhan 010-83886959; Liu Yanlong 010-83886621
China Quality Certification Centre
March 1, 2023