The ISO 27001 Information Security Management System has become a procurement requirement in most sectors, chiefly finance, technology, telecommunications and healthcare. The 2022 revision radically changed the structure of Annex A and imposed a transition obligation on existing certificate holders by 31 October 2025. This article covers the key differences between ISO 27001:2022 and 2013, the documentation mistakes most frequently encountered in the field, and practical recommendations for a smooth transition.
Changes Introduced with ISO 27001:2022
While the 2022 version largely preserves the main body of the standard (Clauses 4-10), it significantly streamlined the Annex A control set both structurally and in terms of content.
| Topic | 2013 Version | 2022 Version |
|---|---|---|
| Total number of controls | 114 controls | 93 controls |
| Annex A section structure | 14 sections (A.5 – A.18) | 4 main themes (Organisational, People, Physical, Technological) |
| Newly added controls | — | 11 new controls |
| Control attributes | None | 5-dimensional attribute tagging |
The 11 Newly Added Controls
The 2022 version added new controls responding to current risks in the cyber-threat landscape:
- A.5.7 Threat intelligence: Systematic tracking of current cyber threats.
- A.5.23 Information security for the use of cloud services: Contractual relationship with cloud providers.
- A.5.30 ICT readiness for business continuity: Business continuity plans specific to information systems.
- A.7.4 Physical security monitoring: Continuous and automated physical security surveillance.
- A.8.9 Configuration management: Keeping system and application configurations under control.
- A.8.10 Information deletion: Secure disposal of data at the end of its lifecycle.
- A.8.11 Data masking: Masking practices when accessing sensitive data.
- A.8.12 Data leakage prevention: Technical and administrative DLP measures.
- A.8.16 Monitoring activities: Detection of anomalous behaviour.
- A.8.23 Web filtering: Blocking access to malicious websites.
- A.8.28 Secure coding: Security principles in the development process.
Transition Timeline
The official transition timeline for organisations certified to ISO 27001:2013 is as follows:
- 31 October 2022: The new version was published.
- 30 April 2024: It became mandatory for new certification applications to be made under the 2022 version.
- 31 October 2025: All existing 2013 certificates became invalid; if the transition was not completed by this date, recertification is required.
The transition is not merely updating documentation; the risk assessment methodology, the Statement of Applicability and the internal audit programme must be redesigned from the ground up.
7 Mistakes Frequently Encountered in the Field
In our independent audit experience, certain critical gaps recur in ISO 27001 certification and transition processes. Most of them stem not from misreading the text of the standard but from failing to carry the implementation through into day-to-day practice.
1. Preparing the Statement of Applicability (SoA) Superficially
The SoA is the document containing the implementation decision and rationale for each Annex A control. A common mistake is preparing a single-line "applicable / not applicable" matrix. The correct approach is to write, with justification, the risk assessment on which each control was selected, the procedures by which the implementation is carried out, and the current state.
2. Inconsistency in the Risk Assessment Methodology
If likelihood and impact levels are interpreted differently by different assessors, the same threat produces different risk scores for different assets. Assessments made without a standardised scoring matrix and reference definitions for each level are flagged as inconsistencies in internal and external audits.
3. Contractual Gaps for Cloud Services
The new A.5.23 control requires that data ownership, data residency, access rights, log sharing and end-of-contract data disposal be explicitly addressed in contracts made with cloud service providers. The standard contracts of large providers such as AWS, Azure and Google Cloud often cover these clauses; however, gaps are frequently seen in agreements made with small SaaS providers.
4. Internal Audit Limited to Document Verification
The internal audit programme ensures that all Annex A controls are tested by sampling within a specific schedule. A common mistake is for the internal audit to check only the document and not to question the evidence of implementation in the field: for example, confirming that a data leakage prevention policy exists without testing whether the DLP rule is actually active in the production environment.
5. Management Review Remaining a Formality
The top-management review (Clause 9.3) is a mandatory mechanism in which the effectiveness of the information security management system is assessed at board level. A common mistake is for this meeting to be held merely as a formality, with the decisions taken not turned into concrete action.
6. Record Gaps in Incident Management
Information security incidents must be recorded, root-cause analysis must be carried out, and corrective actions must be made traceable. The statement "we have not experienced a serious incident" is not accepted in an audit; every level of incident (for example, failed access attempts, user account lockouts) is expected to be entered into the record system.
7. Keeping Staff Awareness Training One-off
Under A.6.3, all staff must be given information security awareness training annually. A common mistake is for the training to be given only to new hires or for the annual repetition to be skipped. In addition, failing to measure the effectiveness of the training (for example, phishing simulations) is another gap.
The 6 Steps of the Transition Process
- Gap analysis: In the transition from 2013 to 2022, it is determined on a topic basis which new controls are missing from the current system.
- Updating the risk assessment: The threat and asset combinations to which the 11 new controls relate are added to the risk matrix.
- Updating the Statement of Applicability: A new SoA is prepared for the 93 controls; the implementation decision and rationale are justified.
- Reviewing policies and procedures: Policy and procedure updates are made for new topics such as cloud services, threat intelligence, DLP and data masking.
- Internal audit and management review: The updated system is tested through internal audit, and gaps are linked to an action plan.
- External verification: A transition audit is carried out by the certification body; a system found compliant moves to a 2022 version certificate.
Frequently Asked Questions
- Is an ISO 27001:2013 certificate valid after 31 October 2025?
  No. As of this date, all certificates arising from the 2013 version are invalid. Organisations for which ISO 27001 is required in customer, supplier and regulatory demands must, if they have not transitioned, begin the recertification process.
- How long does the transition audit take?
  Depending on company size and the maturity of the current system, it is completed within 1-3 months. Gap analysis takes 2-3 weeks, document and risk updates 3-4 weeks, and internal audit and management review 1-2 weeks. The external audit depends on the certification body's schedule.
- Is an ISO 27001:2022 certificate sufficient for KVKK compliance?
  It is not sufficient on its own, but it provides a strong foundation. KVKK (the Turkish data protection law) contains obligations specific to personal data (such as the disclosure text, explicit consent management and VERBİS notification). ISO 27001 largely meets the obligations of KVKK Article 12 in terms of technical and administrative information security measures.
- How is ISO 27001 implemented for a cloud-based SaaS company?
  In cloud-based companies, controls such as A.5.23 (cloud service security) and A.8.9 (configuration management) are particularly critical. In addition, A.8.28 (secure coding) and A.8.25 (secure development lifecycle) should be implemented in practice for development processes. It is generally implemented together with the ISO 27017 (cloud security) and ISO 27018 (personal data in the cloud) standards.
- Is a mock audit before certification useful?
  It is useful. A "pre-audit" carried out before official certification reveals implementation gaps that the internal audit may have missed. Especially for organisations transitioning to 2022 for the first time, a mock audit conducted with an independent eye reduces the number of surprise findings in the external audit to nearly zero.