Fortinetics

ISO 27001:2022 transition: what changed from 2013, and what to do if you missed the October 2025 deadline

ISO 27001:2022 replaced the 2013 edition with a restructured Annex A (114 controls collapsed to 93), eleven new controls, and modernized clauses. The IAF transition deadline was October 31, 2025. This article walks through the delta, the transition audit process, and what organizations still on 2013 need to do now.

Updated June 2026 — The IAF October 31, 2025 transition deadline has now passed. Accredited certification bodies will no longer issue 2013-edition certificates and operate under the assumption that clients are on 2022. Any organization still holding a 2013 certificate as of June 2026 has an invalid certificate and must restart with full Stage 1 / Stage 2 audits against 2022 — there is no transition shortcut available anymore. See the “what to do if you missed the deadline” section below for the recovery path. Forward-looking: ISO/IEC 27017 second edition reached FDIS ballot in April 2026, with publication expected later in 2026 — new guidance for serverless and container orchestration is the primary substantive addition. Organizations with cloud workloads holding 27017 should plan for a refresh cycle aligned to whatever surveillance audit follows publication. Our Q2 2026 compliance landscape briefing covers this alongside the other framework updates from the last two quarters, with the June 5 mid-Q2 update including the 27017 timing.

ISO/IEC 27001:2022 replaced the 2013 edition with a restructured Annex A, eleven genuinely new controls, and modernized clauses. The IAF set October 31, 2025, as the cut-off for transition. In practice, most well-run ISMS programs transitioned during a 2024 or early 2025 surveillance audit, and most certification bodies stopped issuing 2013 certificates by mid-2025. As of today, an organization still operating under a 2013 certificate is either past its transition audit (fine) or past the deadline (not fine).

This article covers three audiences: organizations that recently transitioned and want a reference for what actually changed, organizations in the middle of transition work, and organizations that missed the deadline and need to understand the recovery path. For first-time certification under 27001:2022, see ISO 27001:2022 for cloud-native SaaS — a cleaner starting point if you are not carrying 2013-era baggage.

The three things that actually changed

The 2022 edition made three substantive changes and a number of editorial ones. The substantive ones matter for transition planning.

1. Annex A restructured

ISO 27001:2013 had 114 controls organized into 14 domains (A.5 Information security policies through A.18 Compliance). ISO 27001:2022 has 93 controls organized into 4 themes:

  • A.5 Organizational — 37 controls
  • A.6 People — 8 controls
  • A.7 Physical — 14 controls
  • A.8 Technological — 34 controls

The restructuring is primarily organizational. Most 2013 controls map directly to 2022 counterparts — the same underlying protection appears in the new four-theme structure. The net reduction from 114 to 93 is partly consolidation (similar controls merged) and partly reorganization. The underlying security baseline is comparable.

What this means practically: your Statement of Applicability has to be rewritten against the new Annex A structure. Controls you marked applicable in 2013 get remapped to 2022 identifiers. Controls you excluded in 2013 need justification against the new 2022 control definitions. This is mechanical work but time-consuming — typically 2–4 weeks of cross-functional review.

2. Eleven genuinely new controls

The 2022 edition adds controls that did not exist in 2013:

  • A.5.7 Threat intelligence — organization’s process for identifying relevant threats and using the intelligence
  • A.5.23 Information security for use of cloud services — governance of cloud service acquisition, use, and exit
  • A.5.30 ICT readiness for business continuity — resilience and continuity planning specifically for ICT systems
  • A.7.4 Physical security monitoring — monitoring of physical premises (beyond traditional access control)
  • A.8.9 Configuration management — treated as a distinct control area (previously distributed across other controls)
  • A.8.10 Information deletion — explicit controls for deleting information no longer required
  • A.8.11 Data masking — data masking and anonymization techniques for protection
  • A.8.12 Data leakage prevention — DLP controls covering exfiltration prevention
  • A.8.16 Monitoring activities — logging and monitoring consolidated and expanded
  • A.8.23 Web filtering — URL-based filtering on user endpoints
  • A.8.28 Secure coding — secure coding standards, SAST/DAST processes

Each requires a specific implementation and evidence artifact. Some are already in place in mature programs — most SaaS companies already have DLP and secure coding practices — but they need to be documented and tied to the 2022 control reference.

The three that most commonly trip transitioning organizations:

  • A.5.7 Threat intelligence — many organizations do not have a formalized threat intelligence process
  • A.5.30 ICT readiness for business continuity — often covered by general BCP but not specifically ICT-focused
  • A.7.4 Physical security monitoring — easy for organizations with managed facilities, harder for remote-first or hybrid organizations that do not own the physical premises

3. Clauses 4–10 modernized

The ISMS clauses themselves received lighter-touch updates aligned with the ISO Harmonized Structure (formerly Annex SL), which standardizes management system structure across ISO frameworks. The changes are mostly clarifications — the intent of each clause is essentially preserved.

Two substantive edits worth noting:

  • Clause 4.4 Information security management system now explicitly references processes and their interactions
  • Clause 6.3 Planning of changes is new — requires the organization to plan changes to the ISMS

Neither typically requires significant work for a well-run ISMS; they represent formalization of practices most organizations already had informally.

The transition audit in practice

For organizations that transitioned during the 2023–2025 window, the audit was usually structured as a combined transition-and-surveillance audit:

Documentation review (1–2 days). The auditor reviews the updated Statement of Applicability, the documentation for the 11 new controls, and any policies or procedures that were restructured.

Surveillance of ongoing operations (existing scope). The surveillance component covers the controls that were already in scope, as before.

Transition audit (focused). The auditor specifically tests the 11 new controls: whether they are implemented, whether evidence exists, and whether they integrate with the rest of the ISMS. This is where transition audits most commonly surface findings. New controls that were documented but not operationally embedded get flagged.

Report issuance. The certification body issues an updated certificate referencing ISO/IEC 27001:2022 and the new Annex A. The certificate expiration aligns with the existing three-year cycle — the transition does not reset the cycle.

Transition audits typically produced 1–5 findings per engagement. Findings related to the 11 new controls accounted for the large majority.

Common transition mistakes we saw

Three patterns showed up repeatedly in transition engagements:

Treating the SoA remap as mechanical. The control remapping is mostly mechanical, but each changed entry is an opportunity to review whether the 2013 implementation actually held up. Organizations that used the remap as a genuine review found overdue weaknesses; organizations that did it purely mechanically missed those weaknesses.

Implementing the new controls as documentation without operations. A.5.7 Threat intelligence with a policy document and no actual threat intelligence feed is a paper control. Auditors recognized this pattern and produced findings. The 11 new controls need to be operationally real before the transition audit.

Delaying transition to the last surveillance cycle. Organizations that delayed transition audit to 2025 under the assumption the deadline would slip found themselves with tight windows. Some did not make it and fell into the post-deadline recovery category.

If you missed the October 2025 deadline

For organizations still holding a 2013 certificate in May 2026, the formal position is:

  • The 2013 certificate is no longer recognized.
  • The certification body will not conduct a transition audit outside the formal window.
  • Recovery requires a new first certification against ISO 27001:2022 — Stage 1 and Stage 2 audits, full documentation review, full operational verification.

The practical recovery path:

Step 1. Acknowledge the gap. Communicate with major customers that the certificate lapsed and recertification is underway. Failure to disclose creates reputational risk that is worse than the lapse itself.

Step 2. Engage a certification body for new certification. Some certification bodies have programs that reuse 2013-era evidence for efficiency, but the audit structure is a new first certification — Stage 1, operating period, Stage 2.

Step 3. Close the gap on the 11 new controls. Organizations that did not transition likely did not implement the new controls either. This is usually the 3–6 month remediation block that dominates the recovery timeline.

Step 4. Reconstitute the Statement of Applicability against 2022 Annex A. Rewrite the SoA from scratch; do not try to port the 2013 version.

Step 5. Operate the ISMS for the minimum operating period required by the certification body (typically 3 months minimum) before the Stage 2 audit.

Total recovery timeline: typically 6–12 months from engagement to new certificate. The cost is higher than a transition would have been but lower than a first-time certification from zero, because most of the ISMS infrastructure already exists.

What customers and procurement expect

For organizations with certificates that transitioned on time, nothing changed in customer-facing terms. The certificate references ISO 27001:2022 instead of 27001:2013, the certification body’s registry reflects the update, and customers verify against the updated certificate.

For organizations that lapsed, customer procurement teams increasingly check certificate status through the certification body’s public registry. A lapsed certificate is often caught within one review cycle. Being proactive about the gap — disclosing, outlining the recovery plan, providing interim evidence of ISMS operations — preserves customer trust better than silently hoping the gap goes unnoticed.

Pairing with SOC 2

For organizations running ISO 27001 alongside SOC 2, the 2022 transition did not significantly affect the SOC 2 program. SOC 2 Trust Services Criteria are independent of the ISO 27001 Annex A structure, and the underlying controls that serve both frameworks remain applicable.

The one adjustment: the cross-framework control mapping should be rewritten against 2022 Annex A. Evidence pipelines remain the same; the mapping documentation updates. See SOC 2 vs ISO 27001: which first, when to do both for cross-framework operational guidance.

When to engage

For organizations already past the transition audit, outside advisory is typically not needed for the 2022 edition itself — the transition was the engagement. Ongoing ISO 27001:2022 work falls into normal ISMS operations.

For organizations still in transition (whether inside the formal window or recovering post-deadline), outside advisory helps most with the 11 new controls implementation and with the SoA remap. Our ISO 27001 practice handles both transition work and post-deadline recovery engagements.

Related reading: ISO 27001:2022 for cloud-native SaaS · SOC 2 vs ISO 27001: which first, when to do both

Next step

Ready to talk?

Book a scoping conversation. Thirty minutes. Honest scoping of your current posture and target.
