The transition period from ISO/IEC 27001:2013 to ISO/IEC 27001:2022 ended on October 31, 2025. All certifications under the 2013 version have now expired, and organizations must hold the 2022 certification to maintain ISO 27001 compliance.

Transition Timeline (Completed)

Date               Milestone
October 25, 2022   ISO 27001:2022 published; transition period begins
May 1, 2024        All new certifications issued under 2022 version only
July 31, 2025      Deadline for all transition audits
October 31, 2025   Transition period ends; all 2013 certifications expire

What Changed in ISO 27001:2022

Annex A Control Restructuring

The most significant change is the restructuring of Annex A controls. The 2013 version had 114 controls in 14 domains. The 2022 version has 93 controls in 4 themes:

  1. Organizational controls (37 controls)
  2. People controls (8 controls)
  3. Physical controls (14 controls)
  4. Technological controls (34 controls)

New Controls

Eleven entirely new controls were introduced, addressing modern threats:

  • Threat intelligence for collection and analysis of threat information
  • Information security for cloud services covering cloud-specific security measures
  • ICT readiness for business continuity addressing technology recovery planning
  • Physical security monitoring for surveillance and detection systems
  • Configuration management for secure configuration of systems and networks
  • Information deletion for secure disposal of data no longer needed
  • Data masking for protection of sensitive data through obfuscation
  • Data leakage prevention for controls against unauthorized data exfiltration
  • Monitoring activities for anomaly detection and security event monitoring
  • Web filtering for blocking access to malicious or unauthorized websites
  • Secure coding for software development security practices

If You Missed the Deadline

Organizations that did not transition by October 31, 2025 face several consequences.

The ISO 27001:2013 certificate is no longer valid. Customers and partners requiring ISO 27001 compliance may terminate contracts or require remediation plans. Representations about ISO 27001 certification may become inaccurate. Rather than a simpler transition audit, a complete initial certification audit against the 2022 version is now necessary.

To regain certification, organizations must undergo a full Stage 1 and Stage 2 certification audit against ISO 27001:2022, which is more extensive and costly than a transition audit would have been.

Recommendations

For organizations holding current 2022 certification, make sure the Statement of Applicability reflects the new Annex A structure, verify all 11 new controls are addressed, update risk assessment methodologies to align with the 2022 framework, and prepare for surveillance audits under the 2022 standard.

For organizations that lost certification, engage an accredited certification body to plan a full initial audit, prioritize the 11 new controls that were not required under the 2013 version, and budget for a Stage 1 documentation review and Stage 2 implementation audit process.