ISO/IEC 27001:2022 standard was published on 25.10.2022. Detailed information about the transition can be found in the document ‘IAF MD 26:2023 Transition Conditions for ISO 27001:2022. The new standard has been expanded to include more cybersecurity and privacy issues related to the digital transformation of business practices.
Unlike the 2013 version, which is the old version of the standard, it is seen that new security controls have been added and some items have been combined. We announce to all our customers and other interested parties that the personnel involved in the Information Security Management System activities of our company and our related documentation will be completed as soon as possible by ensuring compliance with this revision.
Newly Added Annex A Controls to ISO 27001:2022 Standard
5.7 | Threat Intelligence |
5.23 | Information Security for Use of Cloud Services |
5.30 | Preparation of Information Technologies for Business Continuity |
7.4 | Monitoring of Physical Security |
8.9 | Configuration Management |
8.10 | Deletion of Information |
8.11 | Data Masking |
8.12 | Data Loss (Leak) Prevention |
8.16 | Monitoring Activities |
8.23 | Web Filtering |
8.28 | Secure Coding |
Overview of Revision Changes for ISO 27001:2022
- Compared to the old version, the number of controls decreased from 114 controls in 14 items to 93 controls in 4 items.
- There are 11 new items, 24 combined items and 58 updated items.
- There are editorial changes in the standard.
- Controls for cyber security and privacy risks are detailed.
- In accordance with common terminology used in the context of digital security, five attributes are presented
- Control Type
- Information Security features
- Cyber security concepts
- Operational Capabilities
- Security domains
Transition Schedule to ISO 27001:2022
- The ISO 27001:2022 standard was published on October 25, 2022.
- The transition period covers a period of 3 years.
- ISO 27001:2022 transitions of all certified organizations will be completed until 01 November 2025
- Applications for ISO 27001:2013 can be received until 31 October 2023.
- After October 31, 2023, no new applications will be accepted for the ISO 27001:2013 version and no first and re-certification audit will be conducted.
- After 31 October 2023, only ISO 27001:2022 applications will be received.
- If the transition is made during the surveillance audit, 1 day to the duration of the surveillance audit; 0.5 day fort he re-certification audit will be added.
- As of 01 November 2025, all old version documents (ISO 27001:2013) will no longer be valid
Our Recommendations to Certified Organizations for Compliance with the ISO 27001:2022 Standard Amendment;
- Receiving ISO 27001:2022 trainings,
- Updating management systems documentation in line with new standard requirements,
- Preparation and implementation of essential action plans for changes within the organization.
With the completion of their preparations, the transition inspection must be completed with a special transition inspection or in the nearest inspection period.