Governance Briefing — October 31, 2025
The ISO/IEC 27001:2013 to 27001:2022 transition window closes today, requiring certified organizations to complete recertification audits and update ISMS controls to the revised Annex A structure.
Executive briefing: The International Accreditation Forum’s MD 26 sets 31 October 2025 as the final transition deadline for ISO/IEC 27001:2013 certificates. Organizations must have successfully migrated to ISO/IEC 27001:2022, including integrating the revised Annex A control set aligned to ISO/IEC 27002:2022 and demonstrating leadership, planning, and operational updates during recertification audits.
Key governance checkpoints
- Statement of Applicability. Update the SOA to map controls to the four new themes (Organizational, People, Physical, Technological) and justify inclusions or exclusions.
- Risk treatment alignment. Reassess risk registers to account for new controls such as threat intelligence (5.7), ICT readiness for business continuity (5.30), and web filtering (8.23).
- Audit evidence. Ensure internal audit reports, management review minutes, and corrective actions reflect 2022 requirements.
Operational priorities
- Certification scheduling. Confirm certification bodies have issued updated certificates and that scope statements reflect any changes.
- Control implementation. Deploy technical and procedural updates—for example, formalizing data masking standards or monitoring of cloud service usage—to satisfy the new Annex A controls.
- Supplier assurance. Collect updated certificates or transition plans from critical vendors to maintain supply-chain assurance.
Enablement moves
- Communicate transition completion to customers and regulators, highlighting key control enhancements.
- Integrate ISO/IEC 27001:2022 controls into GRC tooling and continuous monitoring dashboards.
Sources
Zeph Tech ensures ISO/IEC 27001 transitions land on schedule with updated SOAs, control implementations, and certification body coordination.