ISO/IEC 27001:2022 transition playbook
Move every ISO/IEC 27001:2013 certificate to the 2022 revision by pairing IAF MD26 deadlines with Annex A control remapping, registrar engagement, and evidence governance.
As of 1 November 2025, accredited registrars can only recognise ISO/IEC 27001:2022 certificates, putting surveillance and recertification audits at risk for any organisation stuck on 2013 statements of applicability.
Anchor programme scope to IAF MD26 milestones
IAF Mandatory Document 26 (Issue 1, February 2023) gives accredited ecosystems 36 months from the ISO/IEC 27001:2022 publication to complete transitions. Accreditation bodies had to approve certification body plans by 31 October 2023, certification bodies must finish their own transitions by 31 October 2024, and organisations lose valid 2013 certificates after 31 October 2025 (IAF MD26:2023 §§2–3).
- Freeze scope decisions early. Update the ISMS scope statement to reflect hybrid cloud estates, SaaS dependencies, and supply-chain integrations adopted since the 2013 certification cycle. Document scoping rationale, critical interfaces, and any carve-outs for shared responsibility services.
- Schedule transition audits with registrars. IAF MD26 requires at least one audit day dedicated to transition activities. Align the Stage 1 document review and Stage 2 implementation testing with surveillance or recertification visits to avoid duplicate disruption, and confirm multi-site sampling plans.
- Update risk assessments. Run ISO/IEC 27005 analyses that capture cloud data residency, SaaS access paths, software supply chain vulnerabilities, and OT/IT convergence. Present updated risk treatment plans to management reviews ahead of the transition audit.
Zeph Tech uses programme dashboards to expose scoping decisions, audit bookings, and management review approvals so executives can track transition readiness in real time.
Remap Annex A with ISO/IEC 27002:2022 control intent
ISO/IEC 27002:2022 consolidates Annex A into four themes—Organisational (37 controls), People (8), Physical (14), and Technological (34)—reducing the catalogue to 93 controls. Eleven controls are new, including A.5.7 Threat intelligence, A.5.23 Information security for use of cloud services, A.5.30 ICT readiness for business continuity, A.7.4 Physical security monitoring, and technological safeguards such as A.8.9 Configuration management, A.8.10 Information deletion, A.8.11 Data masking, A.8.12 Data leakage prevention, A.8.16 Monitoring activities, A.8.23 Web filtering, and A.8.28 Secure coding (ISO/IEC 27002:2022 Clauses 5–8).
- Rewrite the Statement of Applicability (SoA). Map each 2022 control to the refreshed catalogue, identify merged or renamed legacy controls, and justify exclusions with quantitative risk data. Highlight control owners, implementation status, testing frequency, and linked evidence repositories.
- Align policies and procedures. Update information security policies, secure development standards, and supplier agreements to reflect the four-theme structure. Embed specific obligations—such as cloud shared responsibility matrices for A.5.23 and data destruction SLAs for A.8.10—into operational runbooks.
- Crosswalk external frameworks. Maintain mappings from Annex A to NIST CSF 2.0, SOC 2, PCI DSS 4.0, and sector mandates such as DORA Article 9. Centralising crosswalks reduces duplicate evidence requests and accelerates third-party assurance cycles.
Our analysts maintain Annex A diff logs so platform, product, and infrastructure teams know exactly which documents, code repositories, and ticket queues must be re-baselined.
Engineer registrar engagement and audit cadence
Certification bodies may only issue ISO/IEC 27001:2013 certificates until 30 April 2024 and must convert remaining clients by the 31 October 2025 deadline. Organisations can transition during scheduled surveillance visits, special transition assessments, or recertification audits, but registrars must document the decision and allocate sufficient time (IAF MD26:2023 §§4–6).
- Refresh contractual commitments. Amend master service agreements with your registrar to include transition timelines, additional audit days, and fee schedules. Confirm whether remote auditing technologies meet IAF MD4 requirements or if on-site presence is mandatory for critical controls.
- Sequence evidence delivery. Provide updated documentation 30 days before the audit: SoA, risk treatment plan, change management logs, internal audit reports, supplier evaluations, incident records, and management review minutes. Use registrar portals to confirm acceptance and track questions.
- Plan corrective action turnaround. IAF MD26 expects outstanding nonconformities to close within the normal certification cycle. Assign owners, remediation budgets, and verification checkpoints so follow-up reviews finish before the 31 October 2025 cut-off.
Zeph Tech project managers run integrated calendars covering registrar milestones, business continuity exercises, and sector regulator filings to avoid schedule collisions.
Publish audit-ready evidence packs
The transition audit stresses governance proof that the ISMS has absorbed the 2022 revision. Build curated evidence packs for leadership, auditors, and customers in advance so that nothing has to be assembled under audit-week pressure.
- Management evidence. Compile signed information security policy updates, risk appetite statements, and management review minutes that document approval of Annex A changes and resources.
- Operational proof. Export configuration baselines, vulnerability reports, identity governance attestations, secure coding checklists, disaster recovery test results, and supplier monitoring records mapped to the new controls.
- Customer-facing attestations. Refresh trust portals, SOC 2 bridges, and contract annexes with the updated SoA, highlighting when each Annex A control was revalidated and which compensating measures remain in force.
Zeph Tech’s evidence templates include registrar-friendly indexing, control narratives, and traceability matrices linking every artefact to the applicable Annex A clause.
Run a 27001:2022 transition sprint cadence
Use Zeph Tech’s sprint structure to keep leadership and control owners aligned as the transition clock winds down.
- Quarter -12 to -9 months. Confirm scope updates, launch Annex A gap assessments, and negotiate registrar schedules while the accreditation body (AB) and certification body (CB) obligations under IAF MD26 close out (IAF MD26:2023 §3).
- Quarter -8 to -5 months. Execute remediation epics for each new control family, update SoA narratives, and complete internal audits. Capture objective evidence for cloud, secure development, and monitoring controls introduced in ISO/IEC 27002:2022.
- Quarter -4 to -1 months. Hold management reviews, deliver evidence packs to registrars, and rehearse audit interviews. Validate that communications, risk registers, and supplier attestations reflect the 1 November 2025 enforcement date raised in Zeph Tech’s transition briefing (Cybersecurity Governance Briefing — ISO/IEC 27001:2022 transition deadline).
We maintain war-room dashboards that track remediation burndown, registrar feedback, and outstanding evidence gaps so the ISMS remains audit-ready well before the final deadline.