ISO/IEC 27001:2022 TRANSITION INFORMATION FOR CERTIFIED ORGANIZATIONS

The ISO/IEC 27001:2013 standard has expired with the publication of the ISO/IEC 27001:2022 version on October 25, 2022. Organizations that we have certified under this standard are required to prepare a transition plan that takes the following into consideration, and to notify PCA Certification once they have completed the transition to the new standard.

  • All clients shall review and revise their own systems according to ISO 27001:2022 requirements.
  • ISO 27001:2022 transition audits will be conducted after PCA SERTİFİKASYON completes its accreditation transition process.

AUDIT:

  • Minimum of 0.5 auditor day for the transition audit when it is carried out in conjunction with a recertification audit.
  • Minimum of 1.0 auditor day for the transition audit when it is carried out in conjunction with a surveillance audit or as a separate audit.
  • The transition audit shall not rely only on document review, especially when reviewing the technological information security controls.
  • If the transition audit is successfully completed, the certification document will be updated to reflect compliance with ISO/IEC 27001:2022; however, the expiration date of the current certificate cycle will not be changed.
  • The transition audit shall include, but not be limited to, the following:

a.    The gap analysis of ISO/IEC 27001:2022, as well as the need for changes to the client’s ISMS.
b.    The updating of the statement of applicability (SoA).
c.    If applicable, the updating of the risk treatment plan.
d.    The implementation and effectiveness of the new or changed information security controls chosen by the clients.

TIMELINE:

  • The ISO 27001:2022 standard was published on October 25, 2022.
  • The transition period is 3 years.
  • ISO 27001:2022 transitions of all certified organizations will be completed by November 01, 2025.
  • Applications for ISO 27001:2013 can be received until 31 October 2023.
  • After October 31, 2023, no new applications will be accepted for the ISO 27001:2013 version, and no initial or recertification audits will be conducted.
  • Only ISO 27001:2022 applications will be accepted after 31 October 2023.
  • As of November 01, 2025, all former version documents (ISO 27001:2013) will no longer be valid.