Cybersecurity Governance Briefing — ISO/IEC 27001:2022 transition deadline
The ISO/IEC 27001:2013 transition window closes, making the 2022 edition mandatory for certification bodies and forcing regulated enterprises to prove their information security management systems align with the updated controls framework.
Executive briefing: As of November 1, 2025, all ISO/IEC 27001 certificates must reference the 2022 revision. The International Accreditation Forum (IAF) mandated that certification bodies complete transitions from the 2013 edition by October 31, 2025, leaving no grace period for organizations that rely on legacy statements of applicability. Security leaders must demonstrate updated risk assessments, Annex A control mappings, and governance evidence, or risk losing accredited status during surveillance and recertification audits.
Key governance signals
- Transition requirement. IAF Mandatory Document 26 specifies that all certificates issued against ISO/IEC 27001:2013 expire after October 31, 2025, and that certification bodies may only issue certificates against ISO/IEC 27001:2022 thereafter.
- Control modernisation. The 2022 update reorganises Annex A into four control families, introduces guidance on cloud services, threat intelligence, and secure coding, and aligns terminology with ISO/IEC 27002:2022.
- Audit pressure. Accredited registrars are scheduling late-2025 surveillance visits to confirm transitions, increasing the operational load on teams that delayed implementation.
Control alignment
- Annex A controls. Refresh statements of applicability to include the new controls (e.g., A.5.7 Threat intelligence, A.8.9 Configuration management) and retire superseded references.
- Risk management. Update ISO 27005-aligned risk assessments to capture cloud platform dependencies, SaaS integrations, and software supply-chain risks introduced since the 2013 framework.
- Governance evidence. Maintain board minutes, internal audit reports, and corrective action logs showing the transition completed before surveillance visits.
Detection and response priorities
- Track control ownership and gap remediation tasks in GRC tooling; escalate overdue updates for Annex A mappings that remain on the 2013 structure.
- Monitor registrar communication portals for audit scheduling changes so business units can prepare artifacts without emergency escalations.
Enablement moves
- Run internal readiness assessments using ISO/IEC 27001:2022 checklist tooling to validate documentation quality before auditors arrive.
- Align SOC 2, NIST CSF, and other assurance frameworks with the refreshed Annex A controls to streamline evidence reuse.
- Brief executive sponsors on certification implications—loss of ISO/IEC 27001 accreditation can jeopardize customer contracts and regulatory attestations.
Sources
Zeph Tech steers ISO/IEC 27001 transitions—rebuilding Annex A control libraries, harmonizing evidence across frameworks, and coaching teams through registrar surveillance audits.