27001:2022 Transition
Dear Official,
The ISO/IEC 27001:2022 standard was published on October 25, 2022. The International Accreditation Forum (IAF) has announced the transition conditions for the new version in the MD 26 document.
Accordingly, our existing customers must complete their transition by October 24, 2025. After this date, ISO/IEC 27001:2013 certificates will no longer be valid.
As of November 1, 2023, ASCERT will accept new certification applications according to the ISO/IEC 27001:2022 standard.
All organizations certified to ISO/IEC 27001:2013 will be transitioned at their first surveillance or recertification audit after they have adapted their existing information security management system to the new version.
If the transition is carried out during a surveillance audit, 1 day will be added to the duration of the surveillance audit.
If it is carried out with a recertification audit, 0.5 days will be added.
If a separate transition audit is requested, the audit will be carried out for a minimum of 1 day.
The transition audit shall not rely solely on document review, especially when reviewing the technological information security controls.
The transition audit shall include, but not be limited to the following:
• The gap analysis of ISO/IEC 27001:2022, as well as the need for changes to the client’s ISMS.
• The updating of the Statement of Applicability (SoA).
• If applicable, the updating of the risk treatment plan.
• The implementation and effectiveness of the new or changed information security controls chosen by the client.
When the certificate is updated because the client has completed only the transition audit, the expiry date of its current certification cycle will not change.
All certifications based on ISO/IEC 27001:2013 shall expire or be withdrawn at the end of the transition period.
Organizations that will switch to ISO 27001:2022 must meet the following conditions:
1. A gap analysis must be carried out by the customer for the transition to ISO 27001:2022, and the resulting change requirements must be addressed in the context of Clause 6.3 – Planning changes to the Management System.
2. It must be ensured that the Statement of Applicability complies with Clause 6.1.3 d).
3. It must be evaluated how the new or changed controls selected in the Statement of Applicability and the risk treatment plan will be implemented, and how effective that implementation is.
4. An internal audit must be carried out in accordance with the requirements of ISO 27001:2022.
5. A Management Review must be carried out in accordance with the requirements of ISO 27001:2022.
6. Risk treatment plans must be reviewed in accordance with ISO 27001:2022 requirements and aligned with the Annex A control criteria.
ISO 27001:2022 transition audits will be planned on the basis of evidence that these requirements have been met.