
ISO/IEC 27001:2013 certificates expire at transition deadline

The three-year transition window to move from ISO/IEC 27001:2013 to ISO/IEC 27001:2022 closes on 31 October 2025 under IAF MD 26, ending recognition of legacy certificates.

Reviewed for accuracy by Kodi C.


IAF MD 26 gives teams until 31 October 2025 to migrate ISO/IEC 27001:2013 certificates to ISO/IEC 27001:2022; after that date, legacy certificates lapse. This guide provides a transition playbook, evidence expectations, and control mapping, and links to the pillar hub, the ISO/IEC 27001:2022 transition guide, and related briefs on RBI IT governance and NYDFS cyber readiness.

Key dates and certification impact

Date | Event | Action
25 October 2022 | ISO/IEC 27001:2022 published | Transition window opens; certification bodies (CBs) adjust their accreditation to the 2022 edition.
30 April 2024 (18 months after publication, per IAF MD 26) | Certification issuance cutoff | CBs stop issuing new ISO/IEC 27001:2013 certificates; initial and recertification audits are conducted to the 2022 edition.
31 October 2025 | Transition deadline | All remaining ISO/IEC 27001:2013 certificates expire or are withdrawn; surveillance must reflect 2022 controls.

IAF MD 26 establishes the three-year window; certification bodies must withdraw 2013 certificates after the deadline.

What changes in ISO/IEC 27001:2022

  • Annex A restructure. Controls consolidate from 114 (across 14 domains) to 93, grouped under four themes: organizational, people, physical, and technological, mirroring ISO/IEC 27002:2022. Most 2013 controls survive merged or renamed; 11 are new.
  • New and revised controls. The 11 new controls are threat intelligence (5.7), information security for use of cloud services (5.23), ICT readiness for business continuity (5.30), physical security monitoring (7.4), configuration management (8.9), information deletion (8.10), data masking (8.11), data leakage prevention (8.12), monitoring activities (8.16), web filtering (8.23), and secure coding (8.28).
  • Context and planning updates. Clause 4.2 now requires stating which interested-party requirements the ISMS will address, and the new Clause 6.3 requires that changes to the ISMS be planned.
  • Performance and improvement. Clause 9 expects monitoring and measurement to align with the updated objectives, and management review inputs now include changes in interested-party needs; Clause 10 places continual improvement ahead of nonconformity and corrective action, tied to risk treatment plans.

Visual — transition pathway

Phased path from gap assessment to recertification.
        [Gap assess] → [Implement controls] → [Internal audit] → [CB transition audit]
              ↑                                                            │
              └── [SoA update] ← [Metrics & evidence] ← [Management review] ←┘

Control mapping to accelerate adoption

New/updated control | Objective | Sample evidence
5.7 Threat intelligence | Collect and analyze threat data to adapt defenses. | Threat intake SOPs, intelligence feeds list, response playbooks.
5.23 Information security for use of cloud services | Define responsibilities and safeguards for cloud use. | Shared-responsibility matrices, CSPM scans, vendor due diligence reports.
5.30 ICT readiness for business continuity | Ensure ICT can support continuity objectives. | Failover test results, RTO/RPO sign-offs, backup restoration logs.
8.28 Secure coding | Embed secure development practices. | SDLC policies, SAST/DAST results, developer training rosters.
8.15 Logging | Protect logs and support investigations. | Immutable log configs, retention schedules, SIEM alert tuning records.

Statement of Applicability (SoA) update steps

  1. Map existing 2013 Annex A controls to the 2022 structure using the correspondence tables in ISO/IEC 27002:2022 Annex B (2022-to-2013 and 2013-to-2022).
  2. Document inclusion/exclusion rationales for each 2022 control with risk references.
  3. Update risk treatment plans to cover new controls and revised objectives.
  4. Obtain management approval of the refreshed SoA and communicate scope changes to auditors and key customers.

Metrics to track transition readiness

  • Control coverage. Percentage of 2022 controls implemented and evidenced; target 100% by August 2025.
  • Audit finding burn-down. Open vs. closed findings from internal and CB pre-assessments.
  • Training completion. Staff completion rates for secure development, threat intelligence, and cloud security modules.
  • BCP test success. Pass rate for failover/restoration tests linked to control 5.30.
  • Supplier alignment. Third-party assessments updated to 2022 controls, especially cloud providers.
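The SoA update steps and the control-coverage metric above can be checked mechanically. The following script is an added example for this briefing, not tooling from ISO, IAF or the briefing's authors. It assumes the draft SoA is exported as CSV with the columns control, applicable, justification, risk_refs (separated by ';') and evidence; the sample rows are constructed for the example. It verifies that every 2022 Annex A control appears exactly once, that included controls carry a justification, a risk reference and an evidence artifact, that exclusions are justified, and it computes control coverage per theme.

```python
"""Validate a draft ISO/IEC 27001:2022 Statement of Applicability (SoA).

Added example for this briefing; not tooling from ISO, IAF or the briefing's
authors. Assumed CSV columns: control, applicable, justification, risk_refs
(';'-separated), evidence. The sample rows below are constructed.
"""
import csv
import io
from collections import Counter

# Annex A (2022) numbering: 5.1-5.37 organizational, 6.1-6.8 people,
# 7.1-7.14 physical, 8.1-8.34 technological; 93 controls in total.
THEMES = {
    "5": ("Organizational", 37),
    "6": ("People", 8),
    "7": ("Physical", 14),
    "8": ("Technological", 34),
}
ANNEX_A_2022 = [f"{t}.{i}" for t, (_, n) in THEMES.items() for i in range(1, n + 1)]

# Constructed sample: a draft SoA that has triaged only a few controls.
SAMPLE_SOA = """control,applicable,justification,risk_refs,evidence
5.7,yes,Threat feeds drive detection tuning,R-012;R-031,threat-intake-sop.pdf
5.23,yes,Customer platform runs on two CSPs,R-004,shared-responsibility-matrix.xlsx
5.30,yes,RTO 4h agreed for customer platform,R-004;R-019,failover-test-2025Q1.pdf
8.15,yes,Central SIEM with WORM retention,R-027,siem-retention-policy.md
8.28,yes,SAST and review gates in CI,R-008,
7.1,no,,,
8.32,yes,,R-008,change-mgmt-procedure.pdf
"""


def parse_soa(text):
    """Parse SoA CSV text into a list of row dicts with whitespace stripped."""
    reader = csv.DictReader(io.StringIO(text))
    return [{k: (v or "").strip() for k, v in row.items() if k is not None}
            for row in reader]


def validate_soa(rows):
    """Check SoA completeness and return coverage figures plus findings.

    Every 2022 control must appear once; included controls need a
    justification, a risk reference and an evidence artifact; excluded
    controls need a justification.
    """
    known = set(ANNEX_A_2022)
    counts = Counter(r.get("control", "") for r in rows)
    unknown = sorted(c for c in counts if c not in known)
    duplicates = sorted(c for c, n in counts.items() if n > 1)
    missing = [c for c in ANNEX_A_2022 if c not in counts]

    findings = []
    evidenced, excluded = set(), set()
    for r in rows:
        c = r.get("control", "")
        if c not in known:
            continue
        refs = [x for x in r.get("risk_refs", "").split(";") if x]
        if r.get("applicable", "").lower() == "yes":
            if not r.get("justification"):
                findings.append((c, "included without justification"))
            if not refs:
                findings.append((c, "included without risk reference"))
            if r.get("evidence"):
                evidenced.add(c)
            else:
                findings.append((c, "included but no evidence artifact"))
        else:
            excluded.add(c)
            if not r.get("justification"):
                findings.append((c, "excluded without justification"))

    # Coverage = evidenced controls / controls not explicitly excluded, so
    # controls missing from the draft count as not done instead of vanishing.
    denominator = len(ANNEX_A_2022) - len(excluded)
    coverage_pct = round(100.0 * len(evidenced) / denominator, 1) if denominator else 0.0
    per_theme = {}
    for prefix, (name, total) in THEMES.items():
        done = sum(1 for c in evidenced if c.split(".")[0] == prefix)
        out = sum(1 for c in excluded if c.split(".")[0] == prefix)
        per_theme[name] = (done, total - out)

    return {
        "complete": not (missing or duplicates or unknown),
        "missing": missing,
        "duplicates": duplicates,
        "unknown": unknown,
        "findings": findings,
        "coverage_pct": coverage_pct,
        "per_theme": per_theme,
    }


if __name__ == "__main__":
    result = validate_soa(parse_soa(SAMPLE_SOA))
    print(f"SoA complete: {result['complete']} ({len(result['missing'])} controls untriaged)")
    print(f"Control coverage: {result['coverage_pct']}%")
    for theme, (done, total) in result["per_theme"].items():
        print(f"  {theme}: {done}/{total} evidenced")
    for control, issue in result["findings"]:
        print(f"  finding: {control} {issue}")
```

The denominator deliberately counts untriaged controls, so a draft that omits rows reports low coverage rather than a flattering number; on the constructed sample the 86 missing controls hold coverage at 5.4% even though five of the six included controls are evidenced. Run it against each SoA revision and track the coverage figure alongside the audit finding burn-down.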

Audit preparation checklist

  • Schedule the transition audit no later than Q3 2025 to allow remediation time.
  • Provide CBs with the updated SoA, risk register, and evidence for new controls.
  • Run an internal audit and management review aligned to ISO/IEC 27001:2022 Clause 9, capturing performance metrics.
  • Refresh incident response, BCP, and supplier management procedures to reflect 2022 terminology and expectations.

Communication plan

Audience | Message | Channel | Timing
Customers | Transition timeline, expected certificate reissuance date, and any interim assurance letters. | Customer portal, trust center. | Quarterly until completion.
Regulators and supervisors | Notification of the transition plan for regulated services; linkage to sectoral requirements (for example, RBI, NYDFS). | Formal correspondence. | Upon plan approval and at completion.
Internal teams | Control owners, evidence expectations, and training deadlines. | Town halls, intranet, tickets. | Monthly.

Risk scenarios to test

  • Cloud service outage. Validate controls 5.23 and 5.30 by simulating CSP disruption and executing failover.
  • Secure coding regression. Run pipeline checks that fail insecure builds; confirm change management and logging updates.
  • Threat intelligence integration. Test ingestion of new indicators and confirm downstream alerting and response.

Document bundle for certification bodies

  1. Updated SoA and crosswalk from 2013 to 2022 controls.
  2. Internal audit report and management review minutes referencing 2022 clauses.
  3. Evidence pack for each new control (artifacts listed above).
  4. Supplier assessment updates and contract addenda aligning to new responsibilities.
  5. Transition risk assessment and remediation plan with timelines.

Gap assessment matrix

Domain | Typical 2013 gap | 2022 remediation | Evidence
Risk management | Static risk register without change management. | Embed change control in Clause 6 planning (6.3); update risk reviews quarterly. | Risk log with change tickets, management review minutes.
Cloud governance | Shared responsibility not explicit. | Adopt control 5.23 with CSP responsibility matrices and contractual addenda. | Signed matrices, vendor audit results, CSPM dashboards.
Logging and monitoring | Retention and tamper protection inconsistent. | Apply control 8.15 (logging) with immutability and retention baselines. | SIEM configs, WORM storage settings, log retention policy.
Business continuity | IT-specific recovery plans not validated. | Implement control 5.30 with RTO/RPO tests and dependency mapping. | Test reports, dependency inventories, corrective actions.
Secure development | Training ad hoc; pipeline controls partial. | Align to control 8.28; enforce SAST/DAST and code review gates. | Pipeline screenshots, defect metrics, training logs.

Annex A theme check

  • Organizational (37 controls). Update policies, supplier oversight, and project management controls; ensure KPIs and management review inputs reflect 2022 terminology.
  • People (8 controls). Refresh awareness content, onboarding/offboarding processes, and remote work safeguards.
  • Physical (14 controls). Confirm visitor management, equipment security, and resilience controls align to current facility footprints.
  • Technological (34 controls). Strengthen identity, logging, secure development, and data leakage prevention with measurable baselines.

Visual — 12-month workback plan

Backward plan from the 31 October 2025 deadline.
        Oct 2025: CB transition audit & certificate reissue
        Aug-Sep 2025: Remediate CB pre-assessment findings
        Jun-Jul 2025: Internal audit + management review
        Apr-May 2025: Implement gaps, finalize SoA
        Jan-Mar 2025: Gap assessment, evidence collection kickoff

Cross-framework alignment

  • SOC 2. Map 2022 controls to Trust Services Criteria to simplify evidence reuse (for example, logging, BCP, change management).
  • NIST CSF 2.0. Align identify-protect-detect-respond-recover activities to updated Annex A themes.
  • Sector regulators. For NYDFS or RBI-supervised entities, show how ISO updates reinforce existing regulatory control expectations.

Evidence retention and ownership

Artifact | Owner | Retention
Internal audit reports | Internal Audit | At least 3 years, or per regulator requirement.
Training records | HR / Security Awareness | At least two cycles to evidence continuity.
BCP/DR test logs | Business Continuity | Per test cycle plus remediation confirmations.
Supplier assessments | Vendor Management | Duration of contract plus one year.
Secure SDLC artifacts | Engineering | Per release cycle; retain high-risk findings through closure.

Management review focus areas

  • Effectiveness of new and revised controls (5.7, 5.23, 5.30, 8.15, 8.28) and associated KPIs.
  • Resource allocation for remediation and training through the deadline.
  • Supplier dependencies, particularly cloud and critical SaaS vendors.
  • Residual risks and planned risk treatment before certification body engagement.

References

  1. IAF MD 26:2022 — Transition requirements for ISO/IEC 27001:2022 and ISO/IEC 27002:2022 — International Accreditation Forum
  2. ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection — Information security management systems — Requirements — International Organization for Standardization