Announcement on the Transition of the Information Security Management System Certification Standard
Dear ISMS Certified Organizations, Auditors, and Auditor Trainees,
The International Organization for Standardization (ISO) released ISO/IEC 27001:2022, “Information security, cybersecurity and privacy protection — Information security management systems — Requirements,” in October 2022. On June 30, 2025, the Standardization Administration of China issued GB/T 22080-2025 / ISO/IEC 27001:2022, “Cybersecurity Technology — Information Security Management Systems — Requirements” (hereinafter referred to as the “National Standard”). This standard is identical to ISO/IEC 27001:2022 and will officially come into effect on January 1, 2026.
Compared with ISO/IEC 27001:2022, the National Standard mainly differs in the following two aspects:
- The title of the National Standard has been adjusted to “Cybersecurity Technology — Information Security Management Systems — Requirements,” rather than a direct translation of the English title of ISO/IEC 27001:2022.
- Clauses 4.1 and 4.2 of the National Standard incorporate the requirements of ISO/IEC 27001:2022/Amd 1:2024, Amendment 1: Climate action–related changes.
In accordance with the requirements of Announcement No. 30 of 2015 issued by the Certification and Accreditation Administration of the People’s Republic of China (CNCA), “Announcement on the Arrangements for the Transition of Management System Certification Standards,” certification bodies shall, after the issuance and implementation of an identically adopted national standard, reissue or renew certification certificates based on the national standard for certified organizations in conjunction with their most recent audit activities. In order to ensure a smooth transition for certified organizations, our organization hereby makes the following arrangements:
- Effective January 1, 2026, our organization will begin accepting applications for initial certification and recertification of information security management systems based on GB/T 22080-2025 / ISO/IEC 27001:2022. Upon completion of all certification procedures, certificates based on the National Standard will be issued to organizations that meet the requirements, with a validity period of three years. At the same time, applications based on ISO/IEC 27001:2022 will no longer be accepted, and all certification audit activities based on ISO/IEC 27001:2022 will cease.
- For certificates currently issued based on ISO/IEC 27001:2022, our organization will, in conjunction with the certified organization’s most recent surveillance audit or recertification audit, reissue certificates based on GB/T 22080-2025 / ISO/IEC 27001:2022 after confirming compliance with the National Standard. Certified organizations are requested to revise their management system documentation as necessary in accordance with the National Standard. When the transition is implemented in conjunction with a surveillance or recertification audit, no additional audit man-days will be added; however, a document review shall be conducted to confirm that the certified organization has identified the differences in accordance with the National Standard and that the management system is effectively implemented.
- For certified organizations that are unable to complete the transition in conjunction with their most recent audit activities (including surveillance or recertification audits), or that fail to meet the requirements of the National Standard, the certification certificates will be handled in accordance with suspension or withdrawal procedures.
- Before obtaining a certification certificate based on the National Standard, certified organizations and applicant organizations shall not claim that their information security management systems have been certified to the National Standard, nor shall they use certification certificates or marks in any misleading manner that implies certification to the National Standard.
Beijing Cotecna KaiXin Certification Co., Ltd.
December 26, 2025