October 2025: ISO/IEC 27001:2013 certificates expire as transition window closes
The three-year IAF transition for ISO/IEC 27001:2022 ends on 31 October 2025, forcing all teams certified to the 2013 edition to complete recertification audits or lose accredited status.
Reviewed for accuracy by Kodi C.
The International Accreditation Forum’s Mandatory Document 26 set a three-year transition from ISO/IEC 27001:2013 to the 2022 revision, ending 31 October 2025. Certification bodies must withdraw 2013 certificates on that date, leaving teams that fail to pass transition audits without accredited coverage for information security management systems.
Transition closure impacts
- Certificate withdrawal. Accredited certification bodies cannot extend ISO/IEC 27001:2013 certificates beyond 31 October 2025; any outstanding surveillance cycles must be completed against the 2022 requirements.
- Control alignment. Teams have to evidence adoption of the Annex A control restructure—11 control categories and 93 controls—plus governance updates such as threat intelligence, cloud services, and physical security monitoring.
- Audit scheduling pressure. Transition audits must conclude before 31 October 2025, with sufficient time to address nonconformities; delays risk a certification lapse that can cascade into supplier offboarding or contractual non-compliance.
October action items
- Control evidence refresh. Map risk treatments and Statements of Applicability to the 2022 Annex A structure and highlight new controls—such as 5.7 Threat intelligence and 8.9 Configuration management—with operational metrics.
- Coordinate with certification bodies. Lock in audit dates, submit transition documentation, and verify assessor availability for witness or remote sessions before the deadline.
- Stakeholder communications. Prepare customer and regulator notifications describing the transition timeline, new control coverage, and any temporary compensating measures should a minor nonconformity extend closing activities.
References
- IAF MD 26: Transition Requirements for ISO/IEC 27001:2022
- ISO — Transition planning guidance for ISO/IEC 27001:2022
Security Architecture Considerations
Security architecture should account for the implications of the transition across the technology stack. Defense-in-depth principles call for multiple layers of controls that address different attack vectors and failure modes; network segmentation, endpoint protection, identity controls, and application security measures should work together to reduce overall risk exposure.
Threat modeling exercises should incorporate the attack patterns and techniques that the controls introduced in the 2022 revision are meant to address. Understanding adversary capabilities and likely attack paths focuses defensive investment and ensures controls address realistic threats rather than theoretical risks.
Security Monitoring and Response
Affected organizations should implement continuous monitoring to detect and respond to security incidents, as the 2022 controls expect. Security operations centers should update detection rules, threat hunting hypotheses, and incident response procedures to address the attack patterns and indicators relevant to their environment. Regular testing of detection and response capabilities confirms readiness to handle related security events.
Post-incident analysis should document lessons learned and drive improvements to preventive and detective controls. Information sharing with industry peers and sector-specific information sharing organizations contributes to collective defense against common threats.
Resource Planning and Execution
Resource planning should account for the specific requirements of the transition, including staffing needs, technology investments, and any external support required. Early identification of resource requirements supports timely execution and avoids delays that could create compliance or operational risks.
Budget allocation should reflect the priority and urgency of transition activities, with contingencies for unexpected challenges or scope changes. Regular monitoring of resource use helps identify potential issues before they affect timelines or outcomes.
Vendor selection and management processes should address the specific requirements of any external support needed, including evaluation criteria, contract terms, and performance expectations. Effective vendor relationships can significantly accelerate transition timelines and improve outcomes.
Knowledge transfer and documentation should ensure that transition expertise is retained within the organization for ongoing maintenance and future reference. This includes capturing lessons learned, decision rationale, and operational procedures that support sustainable adoption.
Transition audit requirements and certification body coordination
Certification bodies require transition audits to verify ISO 27001:2022 compliance before issuing updated certificates. Schedule transition audits well ahead of the October 2025 deadline to allow remediation time if gaps are identified. Some certification bodies may have limited auditor availability as the deadline approaches.
Organizations undergoing surveillance audits before October 2025 should plan to complete transition during those audits rather than scheduling separate assessments. This approach reduces audit burden and costs.
Documentation and policy updates
ISO 27001:2022 introduces new mandatory documented information requirements and changes to policy structures. Review the Information Security Management System (ISMS) documentation against 2022 requirements. Update the Statement of Applicability to reflect the reorganized Annex A control structure and justify exclusions using the new control numbering.
Risk assessment methodology must align with ISO 27005:2022 updates. Ensure risk treatment plans reference current control identifiers and document risk acceptance decisions appropriately.
Staff awareness and competence verification
The 2022 revision emphasizes competence requirements for personnel performing ISMS roles. Document competency criteria, training programs, and evidence of capability for key security positions. Awareness training should cover new controls and organizational changes implemented during transition.
Internal auditor training should address the 2022 standard's structure and new audit techniques appropriate for evaluating organizational, people, physical, and technological controls.
Integration with other management systems
ISO 27001:2022 follows the harmonized high-level structure used across ISO management system standards. Organizations with integrated management systems (quality, environment, health and safety) should use this alignment to consolidate documentation and audit activities. Transition provides an opportunity to improve management system integration efficiency.
Post-transition continuous improvement
ISO 27001:2022 emphasizes continual improvement of the ISMS. Establish metrics tracking security performance, incident trends, and control effectiveness. Use management review outputs to drive improvement initiatives and resource allocation.
Benchmark against industry peers and incorporate lessons learned from security incidents and near-misses into improvement planning. Document improvements and their outcomes to show management system maturity to auditors and teams.
Stakeholder communication and change management
Communicate ISMS changes to affected teams including employees, suppliers, and customers. Update customer-facing security documentation and certifications. Prepare responses for customer security questionnaires that reflect the updated certification scope.
Resource planning and budget considerations
Transition projects require investment in gap remediation, documentation updates, training, and certification body fees. Budget for internal effort including risk assessment updates, policy revisions, and evidence collection. External consulting support may accelerate transition for organizations with limited internal expertise.
Certification scope considerations
Review the ISMS scope definition during transition. Changes to organizational structure, technology, or business processes may warrant scope adjustments. Ensure the scope statement accurately reflects the information security management system boundaries and the applicability of controls.
Regular surveillance audits following transition will verify continued compliance and identify improvement opportunities.
Certificate Expiration
ISO/IEC 27001:2013 certificates cease to be valid after the transition deadline. Organizations must complete the transition to the 2022 version to maintain certification. Transition audits validate compliance with the updated requirements.
Transition Planning
A gap analysis identifies the control updates required for 2022 compliance. Documentation updates reflect the new control structure and attributes. Staff training addresses the changed requirements and implementation approaches.
Business Continuity
Contract requirements that reference ISO 27001 certification require maintained compliance. Customer assurance depends on current certification status, and procurement processes verify the validity of vendor certifications.
Audit Preparation
An internal audit validates readiness for the transition assessment. Evidence collection demonstrates the effectiveness of control implementation, and management review addresses the improvement opportunities identified.
References
- ISO/IEC 27001:2022 — iso.org
- IAF Transition Requirements — iaf.nu
- ISO/IEC 27002:2022 — iso.org