IAF’s three-year ISO/IEC 27001 transition ends 31 October 2025, requiring organisations to complete 2022 edition recertification audits or lose accredited coverage.
Executive briefing: The International Accreditation Forum’s Mandatory Document 26 set a three-year transition from ISO/IEC 27001:2013 to the 2022 revision, ending 31 October 2025. Certification bodies must withdraw 2013 certificates on that date, leaving organisations that fail to pass transition audits without accredited coverage for information security management systems.
Transition closure impacts
- Certificate withdrawal. Accredited certification bodies cannot extend ISO/IEC 27001:2013 certificates beyond 31 October 2025; any outstanding surveillance cycles must be completed against the 2022 requirements.
- Control alignment. Organisations have to evidence adoption of the Annex A control restructure—11 control categories and 93 controls—plus governance updates such as threat intelligence, cloud services, and physical security monitoring.
- Audit scheduling pressure. Transition audits must conclude before 31 October 2025, with sufficient time to address nonconformities; delays risk a certification lapse that can cascade into supplier offboarding or contractual non-compliance.
October action items
- Control evidence refresh. Map risk treatments and Statements of Applicability to the 2022 Annex A structure and highlight new controls—such as 5.7 Threat intelligence and 8.9 Configuration management—with operational metrics.
- Coordinate with certification bodies. Lock in audit dates, submit transition documentation, and verify assessor availability for witness or remote sessions before the deadline.
- Stakeholder communications. Prepare customer and regulator notifications describing the transition timeline, new control coverage, and any temporary compensating measures should a minor nonconformity extend closing activities.
Sources