ISO/IEC 27001:2022 Transition Deadline — What You Need to Know Before 31 October 2025

May 15, 2025

The cybersecurity landscape continues to evolve at pace—bringing with it new threats, technologies, and regulatory demands. In response, the international standard for Information Security Management Systems (ISMS), ISO/IEC 27001, has undergone a significant update.


If your organisation is currently certified under ISO/IEC 27001:2013, it’s critical to prepare for the transition to ISO/IEC 27001:2022—and soon. As of 31 October 2025, all ISO/IEC 27001:2013 certifications will become invalid.


In this blog, we’ll walk you through the key changes, transition deadlines, risks of non-compliance, and the steps your business needs to take to stay secure—and certified.

What Is ISO/IEC 27001, and What Changed in 2022?

ISO/IEC 27001 is the world’s leading standard for establishing, implementing, and maintaining an ISMS. It enables organisations to manage sensitive information securely ensuring confidentiality, integrity, and availability.


The 2022 revision modernises the standard to reflect today’s cybersecurity realities. Key updates include:


  1. Broader scope: Now explicitly addresses cybersecurity and privacy protection.
  2. Structural refinements: Clauses 4–10 have been clarified for improved planning and integration.


Annex A controls reduced from 114 to 93, now grouped into four domains:


  • A.5: Organisational
  • A.6: People
  • A.7: Physical
  • A.8: Technological


11 new controls introduced, covering areas like threat intelligence, secure coding, data masking, and cloud services.


These changes make the standard more practical, scalable, and relevant for modern businesses.

Why 31 October 2025 Is a Critical Date

The International Accreditation Forum (IAF) has mandated that all ISO/IEC 27001:2013 certifications must transition to the 2022 standard by 31 October 2025. After this:


  • 2013 certificates will no longer be valid.
  • Certification bodies will only issue ISO/IEC 27001:2022 certificates.
  • Organisations still using the 2013 framework will be considered non-compliant.


Delaying the transition not only risks certification loss, but could also impact client trust and legal compliance.

What Are The Risks of Missing the Transition Deadline?

Failing to act on the transition can pose serious risks:


  • Loss of Certification

Without an updated certificate, your organisation may face contract terminations, compliance issues, or exclusion from procurement opportunities.


  • Operational Disruption

Many clients and partners require valid ISO/IEC 27001 certification. A lapsed certificate could stall projects and collaborations.


  • Regulatory Consequences

ISO certification often supports compliance with laws like GDPR or HIPAA. Falling behind could expose you to legal or financial penalties.


  • Reputational Damage

An expired certificate may signal weak governance—undermining stakeholder confidence, especially in sectors like finance, healthcare, and government.

Key Transition Milestones

Milestone Date
ISO/IEC 27001:2022 Published 25 October 2022
Transition Period Begins 31 October 2022
New Certifications Must Use 2022 Standard 1 May 2024
Recommended Completion of Transition Audits 31 July 2025
Final Expiry of 2013 Certificates 31 October 2025

Transition Checklist: Your Six-Step Plan

Phase 1: Understand the Changes

  • Review the 2022 standard thoroughly.
  • Identify internal stakeholders and key decision-makers.


Phase 2: Gap Analysis

  • Map existing controls to the new Annex A structure.
  • Identify additions, updates, or removals.


Phase 3: Update Documentation

  • Revise your Statement of Applicability (SoA).
  • Update risk assessments and policies.
  • Align with updated Clause 6.3 (change planning) and Clause 9.3 (management reviews).


Phase 4: Training and Awareness

  • Conduct training on new control requirements.
  • Run awareness sessions for affected teams.
  • Ensure control owners understand their revised roles.


Phase 5: Internal Audit

  • Audit against the 2022 standard.
  • Resolve nonconformities.
  • Perform a full management review.


Phase 6: Schedule the Transition Audit

  • Engage your certification body early.
  • Submit revised documentation.
  • Complete the audit well before the October 2025 deadline.

Spotlight on New Controls

Some of the most impactful new additions include:


  • 5.7 Threat Intelligence – Stay informed on emerging threats from reliable sources.
  • 5.23 Cloud Security – Manage cloud provider risks with contractual and technical controls.
  • 8.11 Data Masking – Protect sensitive data through masking techniques.
  • 8.28 Secure Coding – Integrate secure development practices to reduce software vulnerabilities.


These reflect real-world concerns that organisations face today and must be addressed in your ISMS.

Frequently Asked Questions

Q: Can We Wait Until 2025 to Start?

Technically yes—but it’s risky. Delaying increases the chances of:


  • Auditor backlogs
  • Resource constraints
  • Poor transition execution
  • Lost certification due to missed deadlines


Best practice: Start at least 12–18 months in advance.

Q: Do We Need a Full Recertification?



Not if you transition before your current certificate expires.


Instead of a full audit, you’ll undergo a transition audit, which reviews changes made to meet 2022 requirements. However, if your 2013 certificate lapses, you’ll need to go through full recertification—a more demanding and expensive process.

Q: How Long Will It Take?


It depends on your organisation’s size and ISMS maturity:


  • SMEs: 3–6 months
  • Large/multi-site organisations: 6–12 months
  • Complex/regulatory sectors: Up to 18 months


The key time-drivers include updating documentation, training, and audit preparation. Starting early ensures fewer disruptions and better outcomes.

Why Compliance Is Worth the Effort

Beyond avoiding risk, transitioning to ISO/IEC 27001:2022 offers tangible benefits:


  • Modernised security posture: Addresses current threats like cloud, AI, and data privacy.
  • Simplified control framework: Easier to implement, manage, and scale.
  • Stronger business credibility: Enhances client trust and competitiveness.
  • Regulatory assurance, demonstrating alignment with global standards and data protection laws.

Don’t Delay

The ISO/IEC 27001:2022 transition isn’t just a compliance task—it’s a chance to enhance your security framework, modernise processes, and reinforce your organisation’s reputation.


With the 31 October 2025 deadline fast approaching, the time to act is now.


  • Begin planning
  • Assign responsibilities
  • Schedule your transition audit early


If get ahead, you can acheive the new standard upgrade.

At Cybergen Security, we help organisations of all sizes transition smoothly to ISO/IEC 27001:2022. If you're unsure where to begin, we offer:


  • Expert consultancy and audit prep
  • Support with automation platforms such as Vanta
  • In-house or online ISO 27001:2022 training


Get in touch today to safeguard your certification and ensure a compliant, future-ready ISMS.

Safeguard your IS027001 certification and stay compliant.

Let's get protecting your business


Neon AI letters with a glowing purple orbit on a dark tech-style background

Shadow AI Is Already Inside Your Organisation: Here's How to Regain Control

June 3, 2026
Discover how Shadow AI is creating hidden security, compliance and data risks. Learn how to regain visibility, govern AI usage and reduce exposure.
Two professionals in a tech office with a laptop showing code and a digital globe display

Why Traditional Threat Intelligence Is No Longer Enough: The Evolution of Intelligence-Led Cybersecurity

May 19, 2026
Traditional threat intelligence is no longer enough. Discover how intelligence-led cybersecurity helps organisations predict, prioritise, and prevent cyber threats before they escalate.
Technician in a data center using a tablet beside server racks and digital displays

Network Security in 2026: What CISOs Should Prioritise

May 15, 2026
Discover the top network security priorities for CISOs in 2026, from modern firewalling and exposure management to Zero Trust, SASE, AI security, and cyber resilience.
CREST and Pen Test logos on a blue cybersecurity-themed background

Why CREST Penetration Testing Matters More Than Ever in 2026

May 12, 2026
Discover why CREST penetration testing is essential for identifying exploitable vulnerabilities, reducing cyber risk, and strengthening your organisation’s security posture.

From ChatGPT to Copilot: How Employees Are Creating Hidden AI Security Risks

May 11, 2026
Artificial intelligence is no longer emerging technology. It is already embedded inside the modern workplace. Across the UK, employees are using AI applications such as ChatGPT, Microsoft Copilot, Claude, Gemini, Perplexity, and countless specialist tools to improve productivity, save time, analyse information, draft reports, automate repetitive work, and accelerate decision-making. For many organisations, this represents an enormous opportunity. Teams can work faster, employees can automate administrative tasks, knowledge workers can produce content in minutes instead of hours, and businesses can gain competitive advantage through operational efficiency. However, there is another side to this story that many leadership teams, CISOs, and compliance professionals are only beginning to understand. Your employees are already using AI. The real question is whether you know how they are using it. Because while artificial intelligence is driving productivity, it is also creating a hidden security risk inside organisations, often without malicious intent, and frequently without employees even realising they are exposing sensitive information. The uncomfortable truth is that many businesses have already lost visibility and control. Employees are uploading confidential documents into public AI systems, sharing commercially sensitive information in prompts, exposing HR and financial data, pasting source code into third party models, and unknowingly bypassing existing data governance processes. In many cases, security teams simply do not see it happening. And if you cannot see it, you cannot control it. In 2026, secure AI adoption is rapidly becoming one of the most important priorities for cybersecurity leaders. The challenge is no longer whether employees should use AI. The challenge is how organisations can enable AI safely, securely, and compliantly without slowing innovation.
Hands typing on a laptop with a glowing AI interface on screen

Seeing the Unseen: How to Gain Visibility and Control Over AI Usage in Your Organisation

April 28, 2026
Uncontrolled AI usage is creating hidden risks across organisations. Learn how to gain visibility, manage exposure, and take control of AI usage before it becomes a security or compliance issue.
Abstract digital globe with blue data streams and binary code racing through a tunnel-like network background

The New Insider Threat: When Data Moves Faster Than Security Can See

April 23, 2026
Insider threats are evolving as data moves faster than security controls. Learn how organisations can regain visibility and protect sensitive information.
Laptop with cyber data protection graphics, shield icons, and a hand touching a glowing security interface

From Data Protection to Data Control: Why Traditional Security Models Are Failing

April 20, 2026
Traditional data protection is no longer enough. Discover why organisations must shift to data control to manage modern cyber risk.
A person in a suit works at a desk with multiple monitors displaying complex data, charts, and a glowing digital lock.

The Data Security Crisis: How AI, Shadow AI and Insider Risk Are Creating Invisible Breach Paths

April 11, 2026
AI is creating new, invisible data security risks. Learn how shadow AI, insider behaviour, and identity threats are exposing organisations, and how to defend against them.