The ISO/IEC 27001:2022 standard was published on October 25, 2022. The International Accreditation Forum (IAF) has announced the transition conditions for the new version in document MD 26.
According to IAF MD 26:
Certification bodies are required to complete their accreditation for certification according to the new version within 12 months of the standard's publication, that is, before 1 November 2023.
Certification Bodies must have completed their clients' transition to ISO/IEC 27001:2022 within 36 months of the standard's publication. Certified bodies are required to complete their transition by the end of October 2025.
From 1 November 2023, that is, 12 months after publication, Certification Bodies cannot conduct initial certification audits or recertification tests according to ISO/IEC 27001:2013 / TS EN ISO/IEC 27001:2017.
Certification Bodies accredited by TÜRKAK in this field must complete the gap analysis detailing how they have implemented the changes brought by ISO/IEC 27001:2022 to ensure the transition progresses on time and, by 31 March 2023 at the latest, must forward the following information to TÜRKAK together with the Accreditation Application (Scope Expansion):
Difference analysis of changes in ISO/IEC 27001:2022
Transitional arrangements and evidence of implementation
Appointment records of all relevant personnel (including Competency Assessments)
Internal Audit report to be made for the transition to the new version
Management Review Meetings report
A plan for transition based on gap analysis, fulfilling the requirements of IAF MD 26
The method and content of the certification body providing information to its customers about the transition and changes to ISO/IEC 27001:2022 certification
Training records of audit team members and decision makers
Considering the limited number of changes brought by ISO/IEC 27001:2022, TÜRKAK will be able to make the transitions of accredited Certification Bodies by performing a 1 man-day document review. (For the Certification Bodies whose audit is planned, this process will be carried out during the office audit.)
Certification Bodies that do not complete the transition by October 31, 2023 will have their accreditation for ISO/IEC 27001:2013 / TS EN ISO/IEC 27001:2017 certification activities ended.
In the first accreditation audits of the Certification Bodies whose transition has been completed, a witness audit will be carried out according to ISO/IEC 27001:2022.
Certification Bodies applying for the first accreditation as of 01.01.2023 will apply according to ISO/IEC 27001:2022.
The accreditation audit of the Certification Bodies that have already applied for accreditation and whose accreditation audits have not been carried out will be carried out in accordance with ISO/IEC 27001:2022.
25 October 2022: Publication of the ISO/IEC 27001:2022 standard
31 October 2023: Completion of the transition of all accredited Certification Bodies
31 October 2023: Certification Bodies receive their first document applications according to ISO/IEC 27001:2022
31 October 2025: Completion of the transition of all certified customers to ISO/IEC 27001:2022