
ISO/IEC 27001:2022 transition deadline

The ISO/IEC 27001:2013 transition window closes, making the 2022 edition mandatory for certification bodies and forcing regulated enterprises to prove their information security management systems align with the updated controls framework.



As of November 1, 2025 every accredited ISO/IEC 27001 certificate must reference the 2022 revision. The International Accreditation Forum (IAF) required certification bodies to complete transitions from the 2013 edition by October 31, 2025, leaving no grace period for organizations whose statements of applicability still use the 2013 control structure. Security leaders must show updated risk assessments, Annex A control mappings, and governance evidence, or risk having the certificate suspended or withdrawn at the next surveillance or recertification audit.

Governance indicators

  • Transition requirement. IAF Mandatory Document 26 (MD 26) sets a three-year transition period from the end of October 2022: certificates issued to ISO/IEC 27001:2013 expire or are withdrawn at the end of October 31, 2025, certification bodies may issue certificates only to ISO/IEC 27001:2022 thereafter, and from May 1, 2024 initial and recertification audits could be conducted only against the 2022 edition.
  • Control modernization. The 2022 edition reorganizes Annex A into four control themes (organizational, people, physical, technological), adds controls for cloud services, threat intelligence, configuration management and secure coding, and aligns control names and numbering with ISO/IEC 27002:2022.
  • Audit pressure. Accredited registrars are scheduling late-2025 surveillance visits to confirm transitions, increasing the operational load on teams that delayed setup.

Mapping controls

  • Annex A controls. Refresh the statement of applicability to the 93 controls of the 2022 edition, including the new controls (for example, A.5.7 Threat intelligence, A.8.9 Configuration management), and retire the three-level 2013 identifiers they supersede; record which 2013 controls were merged into each 2022 entry so auditors can trace every applicability decision.
  • Risk management. Update ISO/IEC 27005:2022-aligned risk assessments to capture cloud platform dependencies, SaaS integrations, and software supply-chain risks that did not exist or were not assessed when the 2013-based ISMS was built.
  • Governance evidence. Maintain board minutes, internal audit reports, and corrective action logs showing the transition completed before surveillance visits.

Monitoring and response focus

  • Track control ownership and gap remediation tasks in GRC tooling; escalate overdue updates for Annex A mappings that remain on the 2013 structure.
  • Monitor registrar communication portals for audit scheduling changes so business units can prepare artifacts without emergency escalations.

What teams should do

  • Run internal readiness assessments using ISO/IEC 27001:2022 checklist tooling to validate documentation quality before auditors arrive.
  • Align SOC 2, NIST CSF, and other assurance frameworks with the refreshed Annex A controls to simplify evidence reuse.
  • Brief executive sponsors on certification implications: loss of ISO/IEC 27001 certification can jeopardize customer contracts and the regulatory attestations that rely on it.


Security Architecture Considerations

The four 2022 Annex A themes map onto a defense-in-depth view of the technology stack: organizational controls (A.5) set policy, supplier and cloud expectations; people controls (A.6) cover screening, awareness and remote working; physical controls (A.7) protect sites and equipment; technological controls (A.8) cover endpoints, networks, identity, logging and secure development. When reviewing architecture for the transition, confirm that each layer has a named owner in the statement of applicability and that new technological controls such as A.8.9 Configuration management and A.8.12 Data leakage prevention are backed by a working implementation (baselines, enforcement points, evidence) rather than a policy statement alone.

Threat modeling should feed the risk assessment that justifies the statement of applicability. A.5.7 Threat intelligence expects organizations to collect, analyse and act on information about threats, so threat models and the risk register should show how that intelligence changed control selection; auditors look for controls that address the adversary capabilities and attack paths relevant to the organization, not a generic list of theoretical risks.

Security Monitoring and Response

Logging and monitoring evidence is where surveillance audits probe the technological theme most closely. A.8.15 Logging and A.8.16 Monitoring activities (new in 2022) expect logs to be produced, protected and analysed, and networks, systems and applications to be monitored for anomalous behaviour, so the security operations center should be able to show which systems feed detection, how alerts are triaged, and how the incident management controls (A.5.24 through A.5.28) are exercised in practice. Testing detection and response before the transition audit, for example with a tabletop exercise or a replayed past incident, produces exactly the evidence auditors ask for.

Post-incident analysis maps to A.5.27 Learning from information security incidents: document lessons learned and the resulting changes to preventive and detective controls. Contact with special interest groups and sector information-sharing organizations (A.5.6) is also auditable, so record what was shared and what was received.

Clause and control mapping from 2013 to 2022

ISO/IEC 27001:2022 reorganizes Annex A from 14 control categories (114 controls) into four themes (93 controls): organizational (A.5), people (A.6), physical (A.7) and technological (A.8). Certified organizations should complete a gap analysis that maps every existing control to the new structure, because many 2013 controls merge into a single 2022 control, and identify the new controls that need implementing, such as threat intelligence and cloud security.

The 2022 edition introduces 11 controls with no 2013 predecessor: A.5.7 Threat intelligence, A.5.23 Information security for use of cloud services, A.5.30 ICT readiness for business continuity, A.7.4 Physical security monitoring, A.8.9 Configuration management, A.8.10 Information deletion, A.8.11 Data masking, A.8.12 Data leakage prevention, A.8.16 Monitoring activities, A.8.23 Web filtering and A.8.28 Secure coding. The remaining controls are carried over, renamed, or merged (57 controls from 2013 are consolidated into 24). Assess current capabilities against the new controls and plan remediation; each merged control needs one consolidated justification in the statement of applicability.
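As an added example (not tooling from ISO, the IAF or any certification body), the following Python script performs the mapping step described above and in the earlier "Mapping controls" and "Monitoring and response focus" bullets: it folds a 2013-structured statement of applicability onto the 2022 identifiers, merges many-to-one controls, flags the 11 new controls that cannot inherit a decision, and surfaces 2013 identifiers it cannot map or that are malformed. The mapping table is a constructed excerpt of the correspondence in ISO/IEC 27002:2022 Annex B and must be verified and extended to all 114 controls before real use; the sample SoA rows are made up, and `SoaEntry`, `GapReport`, `build_gap_report` and the identifier regexes are this example's own names.

```python
"""Gap analysis: move a 2013-structured Statement of Applicability (SoA) onto
the ISO/IEC 27001:2022 Annex A structure. Added example for this briefing,
not tooling from ISO, the IAF or any registrar."""
import re
from dataclasses import dataclass, field

# 2013 identifiers have three numeric levels (A.12.4.1); 2022 identifiers have
# two and sit under the four themes 5..8 (A.8.15).
LEGACY_ID = re.compile(r"^A\.\d{1,2}\.\d{1,2}\.\d{1,2}$")
CURRENT_ID = re.compile(r"^A\.[5-8]\.\d{1,2}$")

# Constructed excerpt of the 2013 -> 2022 correspondence (ISO/IEC 27002:2022
# Annex B). Verify every row against the standard and extend to all 114 rows.
MAPPING_2013_TO_2022 = {
    "A.5.1.1": "A.5.1", "A.5.1.2": "A.5.1",          # policies + their review merge
    "A.6.1.1": "A.5.2", "A.6.1.2": "A.5.3",
    "A.8.1.1": "A.5.9", "A.8.1.2": "A.5.9",          # asset inventory + ownership merge
    "A.10.1.1": "A.8.24", "A.10.1.2": "A.8.24",      # crypto policy + key management merge
    "A.12.4.1": "A.8.15", "A.12.4.2": "A.8.15", "A.12.4.3": "A.8.15",  # logging merges
    "A.12.6.1": "A.8.8",
    "A.15.1.1": "A.5.19", "A.15.1.2": "A.5.20",
    "A.17.1.1": "A.5.29", "A.17.1.2": "A.5.29", "A.17.1.3": "A.5.29",
}

# The 11 controls introduced in 2022: no 2013 predecessor, so no inherited decision.
NEW_CONTROLS_2022 = {
    "A.5.7": "Threat intelligence", "A.5.23": "Information security for use of cloud services",
    "A.5.30": "ICT readiness for business continuity", "A.7.4": "Physical security monitoring",
    "A.8.9": "Configuration management", "A.8.10": "Information deletion",
    "A.8.11": "Data masking", "A.8.12": "Data leakage prevention",
    "A.8.16": "Monitoring activities", "A.8.23": "Web filtering", "A.8.28": "Secure coding",
}


@dataclass
class SoaEntry:
    control_id: str
    applicable: bool
    justification: str
    owner: str
    predecessors: list = field(default_factory=list)  # 2013 ids merged into this entry


@dataclass
class GapReport:
    soa_2022: dict         # 2022 control id -> SoaEntry derived from the 2013 SoA
    new_controls: list     # 2022 ids still lacking an applicability decision
    unmapped_legacy: list  # 2013 ids with no row in the mapping table (manual review)
    malformed: list        # ids matching neither identifier scheme


def is_legacy_id(control_id):
    """True for a 2013-style id; use it to flag SoA rows still on the old structure."""
    return bool(LEGACY_ID.match(control_id))


def _id_key(control_id):
    return tuple(int(part) for part in control_id.split(".")[1:])


def _merge(target, entry, soa_2022, predecessor):
    """Fold one old SoA row into the 2022 entry it maps to (many-to-one is common)."""
    merged = soa_2022.get(target)
    if merged is None:
        soa_2022[target] = SoaEntry(target, entry.applicable, entry.justification,
                                    entry.owner, [predecessor] if predecessor else [])
        return
    # Applicable if any predecessor was; keep every justification so a reviewer can
    # write one consolidated statement; surface owner conflicts instead of hiding them.
    merged.applicable = merged.applicable or entry.applicable
    merged.justification = f"{merged.justification} | {entry.justification}"
    if predecessor:
        merged.predecessors.append(predecessor)
    if merged.owner != entry.owner and not merged.owner.startswith("CONFLICT("):
        merged.owner = f"CONFLICT({merged.owner},{entry.owner})"


def build_gap_report(soa_2013, mapping=MAPPING_2013_TO_2022, new_controls=NEW_CONTROLS_2022):
    soa_2022, unmapped, malformed = {}, [], []
    for entry in soa_2013:
        if CURRENT_ID.match(entry.control_id):       # row already on the 2022 structure
            _merge(entry.control_id, entry, soa_2022, None)
        elif not is_legacy_id(entry.control_id):
            malformed.append(entry.control_id)
        elif entry.control_id not in mapping:
            unmapped.append(entry.control_id)
        else:
            _merge(mapping[entry.control_id], entry, soa_2022, entry.control_id)
    missing_new = [c for c in sorted(new_controls, key=_id_key) if c not in soa_2022]
    return GapReport(soa_2022, missing_new, sorted(unmapped, key=_id_key),
                     sorted(malformed, key=_id_key))


# Constructed sample 2013 SoA rows (not from any real organization).
SAMPLE_SOA_2013 = [
    SoaEntry("A.5.1.1", True, "Policy set approved by the CISO", "CISO"),
    SoaEntry("A.5.1.2", True, "Annual policy review cycle", "CISO"),
    SoaEntry("A.12.4.1", True, "Central SIEM ingests all production logs", "SecOps"),
    SoaEntry("A.12.4.2", True, "Log integrity via write-once storage", "SecOps"),
    SoaEntry("A.12.4.3", False, "Privileged-session logging not yet deployed", "IT Ops"),
    SoaEntry("A.12.6.1", True, "Monthly authenticated vulnerability scans", "SecOps"),
    SoaEntry("A.14.2.1", True, "Secure development policy", "Engineering"),  # not in excerpt
    SoaEntry("A.8.9", True, "Infrastructure-as-code baselines", "Platform"),  # already 2022-style
    SoaEntry("A.9.9", True, "Typo carried over from a spreadsheet", "Unknown"),
]

if __name__ == "__main__":
    report = build_gap_report(SAMPLE_SOA_2013)
    for cid in sorted(report.soa_2022, key=_id_key):
        e = report.soa_2022[cid]
        print(f"{cid:7} applicable={e.applicable!s:5} owner={e.owner} from={e.predecessors}")
    print("new controls needing a decision:", report.new_controls)
    print("unmapped 2013 ids (check Annex B):", report.unmapped_legacy)
    print("malformed ids:", report.malformed)
```

Run it against an export of the real SoA and treat every item in `unmapped_legacy` and `malformed` as a blocking task in the GRC tracker; the `CONFLICT(...)` owner marker is deliberate, because a merged control such as A.8.15 Logging often inherits rows owned by different teams and the auditor will ask who is accountable.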

Internal audit and management review updates

Internal audit programs must cover the full scope of ISO 27001:2022 requirements including new controls. Update audit checklists and procedures to reflect the four control themes and 93 Annex A controls. Plan audit coverage to ensure all new requirements are evaluated before transition audit.

Management review agenda items should include assessment of 2022 transition progress, resource adequacy for new control setup, and stakeholder feedback on ISMS changes.

Supplier and third-party management

Controls A.5.19 (Information security in supplier relationships) and A.5.20 (Addressing information security within supplier agreements) set structured requirements for managing third-party risk, and A.5.21 (Managing information security in the ICT supply chain) and A.5.22 (Monitoring, review and change management of supplier services) extend them to the supply chain and to ongoing oversight. Review existing supplier contracts against these requirements and develop remediation plans for gaps.

Establish or improve supplier security assessment processes aligned with those controls, covering ongoing monitoring of supplier service levels, incident notification obligations, and supplier access to systems and data.

Technology and cloud security controls

New and reworded technological controls address modern security challenges including cloud services, data masking, and secure development. Assess current setups against controls A.8.11 (Data masking), A.8.23 (Web filtering), A.8.25 (Secure development life cycle), A.8.26 (Application security requirements) and A.8.28 (Secure coding), and be ready to show evidence such as masking rules in non-production environments, filtering policy, and coding standards applied in code review.

Cloud service usage should be evaluated against A.5.23 (Information security for use of cloud services) with appropriate contractual and technical controls documented.

Business continuity and incident management

Review business continuity and incident management procedures against ISO/IEC 27001:2022 requirements. Control A.5.29 (Information security during disruption) requires maintaining security during adverse conditions, and the new A.5.30 (ICT readiness for business continuity) requires ICT recovery capability to be planned, implemented and tested against business continuity objectives. Update business continuity plans to address cyber incident scenarios such as ransomware explicitly.

Incident management procedures should align with the new control structure and integrate with organizational response capabilities. Test incident response plans through exercises before transition audit.

Risk management process alignment

Clause 6.1.2 of ISO/IEC 27001:2022 requires a documented risk assessment process with defined risk acceptance criteria that identifies risks to the confidentiality, integrity and availability of information in scope, analyses their likelihood and consequences, and evaluates them against those criteria; it does not prescribe an asset-threat-vulnerability method, although ISO/IEC 27005:2022 describes one. Update risk assessment templates to reflect the current threat environment and organizational changes, and document risk treatment decisions, including acceptance of residual risk, with a clear rationale approved by the risk owner as clause 6.1.3 requires.

Integrate information security risk management with enterprise risk management where applicable. Ensure risk reporting provides meaningful insights for management decision-making.

Certification body communication

Maintain open communication with the certification body throughout the transition. Agree the transition audit schedule early (a dedicated visit or one combined with surveillance or recertification), confirm which evidence will be sampled, raise any readiness concerns, and ask how the auditors will assess the new 2022 controls and the new clause 6.3 Planning of changes.

Post-transition monitoring

After successful transition, establish ongoing monitoring to ensure sustained compliance with ISO 27001:2022. Track control effectiveness, incident trends, and management system performance. Use surveillance audit findings to drive continuous improvement.

Successful transition shows organizational commitment to information security excellence and maintains certification validity for customer and regulatory purposes.

Maintain documentation of transition activities for future reference and lessons learned.

Transition Requirements

The ISO/IEC 27001:2022 transition deadline requires organizations certified to the 2013 edition to complete their updates and pass a transition audit, conducted by the certification body as a dedicated audit or combined with a surveillance or recertification visit, before the IAF MD 26 deadline of October 31, 2025. Beyond Annex A, the 2022 edition makes modest changes to the management system clauses: clause 6.3 Planning of changes is new, clause 4.2 asks which interested-party requirements will be addressed through the ISMS, clause 8.1 explicitly covers externally provided processes, products and services, and clause 9.3 adds changes in interested parties' needs and expectations to management review inputs. The new Annex A control structure aligns with ISO/IEC 27002:2022.

Control Changes

The updated standard consolidates 114 controls into 93 across four themes: organizational (A.5), people (A.6), physical (A.7) and technological (A.8). New controls address threat intelligence, cloud services, data masking and other gaps. The control attribute taxonomy (control type, information security properties, cybersecurity concepts, operational capabilities, security domains) lives in ISO/IEC 27002:2022 rather than in Annex A itself; it is useful for filtering controls and building views for other frameworks but is not an audit requirement.

Implementation Approach

Gap analysis identifies control updates required for transition. Documentation updates reflect new control structure and attributes. Internal audit programs validate compliance with updated requirements before certification assessment.


Further reading

  1. ISO/IEC 27001:2022 — iso.org
  2. ISO 27001 Transition — iso.org
  3. ISO/IEC 27002:2022 — iso.org
