Cybersecurity Briefing — July 6, 2025
With the ISO/IEC 27001:2022 transition window closing on October 31, 2025, July marks the final 100 days for organisations to complete gap remediation and certification upgrades.
Executive briefing: The International Accreditation Forum’s Mandatory Document 26 sets October 31, 2025 as the hard deadline for organisations certified under ISO/IEC 27001:2013 to transition to the 2022 version. Certification bodies will no longer issue surveillance or recertification audits against the 2013 controls after that date. Enterprises need to demonstrate Annex A control alignment with the expanded 93 controls, governance updates under Clauses 4–10, and risk treatment plans reflecting modern threats such as cloud services and threat intelligence.
Security checkpoints
- Gap closure. Complete remediation evidence for the new controls, including A.5.7 Threat intelligence, A.5.23 Information security for use of cloud services, and A.8.9 Configuration management.
- Risk methodology. Update risk assessment criteria to incorporate scenario-based analysis and link results to Statement of Applicability revisions.
- Certification planning. Confirm audit dates with certification bodies, ensuring transition assessments conclude before late August so that corrective actions can be verified before the deadline.
Operational priorities
- Policy refresh. Publish revised information security policies, supplier agreements, and continuity plans mapped to the 2022 control language.
- Awareness campaigns. Launch targeted training for asset owners and engineering teams on control implementations, including secure configuration and monitoring enhancements.
- Evidence management. Centralise artefacts such as risk registers, vulnerability metrics, and supplier assessments in an audit portal to streamline transition audits.
Sources
Zeph Tech accelerates ISO/IEC 27001:2022 transitions by sequencing control remediation, updating governance artefacts, and preparing audit-ready evidence before the October cutoff.