ISO/IEC 27001:2022 Transition Deadline — What You Need to Know Before 31 October 2025

May 15, 2025

The cybersecurity landscape continues to evolve at pace—bringing with it new threats, technologies, and regulatory demands. In response, the international standard for Information Security Management Systems (ISMS), ISO/IEC 27001, has undergone a significant update.


If your organisation is currently certified under ISO/IEC 27001:2013, it’s critical to prepare for the transition to ISO/IEC 27001:2022—and soon. As of 31 October 2025, all ISO/IEC 27001:2013 certifications will become invalid.


In this blog, we’ll walk you through the key changes, transition deadlines, risks of non-compliance, and the steps your business needs to take to stay secure—and certified.

What Is ISO/IEC 27001, and What Changed in 2022?

ISO/IEC 27001 is the world’s leading standard for establishing, implementing, and maintaining an ISMS. It enables organisations to manage sensitive information securely ensuring confidentiality, integrity, and availability.


The 2022 revision modernises the standard to reflect today’s cybersecurity realities. Key updates include:


  1. Broader scope: Now explicitly addresses cybersecurity and privacy protection.
  2. Structural refinements: Clauses 4–10 have been clarified for improved planning and integration.


Annex A controls reduced from 114 to 93, now grouped into four domains:


  • A.5: Organisational
  • A.6: People
  • A.7: Physical
  • A.8: Technological


11 new controls introduced, covering areas like threat intelligence, secure coding, data masking, and cloud services.


These changes make the standard more practical, scalable, and relevant for modern businesses.

Why 31 October 2025 Is a Critical Date

The International Accreditation Forum (IAF) has mandated that all ISO/IEC 27001:2013 certifications must transition to the 2022 standard by 31 October 2025. After this:


  • 2013 certificates will no longer be valid.
  • Certification bodies will only issue ISO/IEC 27001:2022 certificates.
  • Organisations still using the 2013 framework will be considered non-compliant.


Delaying the transition not only risks certification loss, but could also impact client trust and legal compliance.

What Are The Risks of Missing the Transition Deadline?

Failing to act on the transition can pose serious risks:


  • Loss of Certification

Without an updated certificate, your organisation may face contract terminations, compliance issues, or exclusion from procurement opportunities.


  • Operational Disruption

Many clients and partners require valid ISO/IEC 27001 certification. A lapsed certificate could stall projects and collaborations.


  • Regulatory Consequences

ISO certification often supports compliance with laws like GDPR or HIPAA. Falling behind could expose you to legal or financial penalties.


  • Reputational Damage

An expired certificate may signal weak governance—undermining stakeholder confidence, especially in sectors like finance, healthcare, and government.

Key Transition Milestones

Milestone Date
ISO/IEC 27001:2022 Published 25 October 2022
Transition Period Begins 31 October 2022
New Certifications Must Use 2022 Standard 1 May 2024
Recommended Completion of Transition Audits 31 July 2025
Final Expiry of 2013 Certificates 31 October 2025

Transition Checklist: Your Six-Step Plan

Phase 1: Understand the Changes

  • Review the 2022 standard thoroughly.
  • Identify internal stakeholders and key decision-makers.


Phase 2: Gap Analysis

  • Map existing controls to the new Annex A structure.
  • Identify additions, updates, or removals.


Phase 3: Update Documentation

  • Revise your Statement of Applicability (SoA).
  • Update risk assessments and policies.
  • Align with updated Clause 6.3 (change planning) and Clause 9.3 (management reviews).


Phase 4: Training and Awareness

  • Conduct training on new control requirements.
  • Run awareness sessions for affected teams.
  • Ensure control owners understand their revised roles.


Phase 5: Internal Audit

  • Audit against the 2022 standard.
  • Resolve nonconformities.
  • Perform a full management review.


Phase 6: Schedule the Transition Audit

  • Engage your certification body early.
  • Submit revised documentation.
  • Complete the audit well before the October 2025 deadline.

Spotlight on New Controls

Some of the most impactful new additions include:


  • 5.7 Threat Intelligence – Stay informed on emerging threats from reliable sources.
  • 5.23 Cloud Security – Manage cloud provider risks with contractual and technical controls.
  • 8.11 Data Masking – Protect sensitive data through masking techniques.
  • 8.28 Secure Coding – Integrate secure development practices to reduce software vulnerabilities.


These reflect real-world concerns that organisations face today and must be addressed in your ISMS.

Frequently Asked Questions

Q: Can We Wait Until 2025 to Start?

Technically yes—but it’s risky. Delaying increases the chances of:


  • Auditor backlogs
  • Resource constraints
  • Poor transition execution
  • Lost certification due to missed deadlines


Best practice: Start at least 12–18 months in advance.

Q: Do We Need a Full Recertification?



Not if you transition before your current certificate expires.


Instead of a full audit, you’ll undergo a transition audit, which reviews changes made to meet 2022 requirements. However, if your 2013 certificate lapses, you’ll need to go through full recertification—a more demanding and expensive process.

Q: How Long Will It Take?


It depends on your organisation’s size and ISMS maturity:


  • SMEs: 3–6 months
  • Large/multi-site organisations: 6–12 months
  • Complex/regulatory sectors: Up to 18 months


The key time-drivers include updating documentation, training, and audit preparation. Starting early ensures fewer disruptions and better outcomes.

Why Compliance Is Worth the Effort

Beyond avoiding risk, transitioning to ISO/IEC 27001:2022 offers tangible benefits:


  • Modernised security posture: Addresses current threats like cloud, AI, and data privacy.
  • Simplified control framework: Easier to implement, manage, and scale.
  • Stronger business credibility: Enhances client trust and competitiveness.
  • Regulatory assurance, demonstrating alignment with global standards and data protection laws.

Don’t Delay

The ISO/IEC 27001:2022 transition isn’t just a compliance task—it’s a chance to enhance your security framework, modernise processes, and reinforce your organisation’s reputation.


With the 31 October 2025 deadline fast approaching, the time to act is now.


  • Begin planning
  • Assign responsibilities
  • Schedule your transition audit early


If get ahead, you can acheive the new standard upgrade.

At Cybergen Security, we help organisations of all sizes transition smoothly to ISO/IEC 27001:2022. If you're unsure where to begin, we offer:


  • Expert consultancy and audit prep
  • Support with automation platforms such as Vanta
  • In-house or online ISO 27001:2022 training


Get in touch today to safeguard your certification and ensure a compliant, future-ready ISMS.

Safeguard your IS027001 certification and stay compliant.

Let's get protecting your business


University of Glasgow quad with lush green lawn, stone buildings, and a tall tower under a partly cloudy sky.

Why Educational Institutions Are Prime Targets for Cyberattacks

October 17, 2025
Explore why schools, colleges and universities attract cyberattacks. Learn the key threats, vulnerabilities and how to strengthen your defences with actionable steps.
Woman in a server room checks equipment, surrounded by rows of blinking servers and cables.

Zero Trust Architecture: The Future of Cyber Defence in Tech Companies

October 15, 2025
Learn how Zero Trust Architecture is reshaping cyber defence for technology companies. Understand its principles, risks of ignoring it, and practical steps to protect your organisation.

Cybersecurity for Electronic Health Records: Challenges and Solutions

October 14, 2025
Electronic Health Records, or EHRs, have transformed healthcare. They allow medical professionals to store, share and access patient data in seconds. This convenience has improved treatment accuracy, reduced paperwork, and increased collaboration across healthcare systems. Yet it has also created a new battlefield for cybercriminals. Healthcare data is now one of the most targeted assets worldwide. Recent years have seen a sharp rise in cyberattacks on hospitals and clinics. Threat actors understand the high value of health data. A single patient record can sell for hundreds of pounds on illegal markets. These records contain names, dates of birth, addresses, medical histories, insurance details, and even payment information. Unlike financial data, health data does not expire. Once stolen, it can be misused indefinitely. This blog is written for healthcare professionals, IT teams, security officers, and decision-makers responsible for data protection. The aim is to help you understand the risks, strengthen defences, and build confidence in safeguarding digital health systems. EHR cybersecurity is about more than technology. It is about trust. Patients rely on healthcare providers to protect their most private information. A single data breach can damage that trust permanently.
Two engineers in hard hats monitor data on multiple computer screens.

Protecting Pipeline SCADA Systems from Cyber Intrusions

October 13, 2025
Learn how to protect pipeline SCADA systems from cyber intrusions. Explore real-world case studies, technical defences, and expert strategies to secure your operational technology.
Industrial factory interior with machinery, assembly lines, and carts.

Why Ransomware is a Growing Threat in Manufacturing Plants

October 12, 2025
Learn why ransomware is a rising threat to manufacturing plants. Explore real-world examples, data-driven insights, and expert guidance to strengthen your cybersecurity defences and protect production operations.
Cargo plane being loaded with crates by a worker on the tarmac at sunset.

The Role of Cybersecurity in Airport Infrastructure Management

October 7, 2025
Learn how cybersecurity supports airport infrastructure management, protects passenger data, and secures aviation systems from digital threats. Discover best practices, frameworks, and Cybergen Security solutions for stronger airport resilience.
Big Ben clock tower bathed in warm sunlight, part of the Houses of Parliament, London.

Government Systems and the Threat of Cyber Warfare

October 4, 2025
Learn how government systems face the growing threat of cyber warfare, what attacks target national infrastructure, and how Cybergen helps build resilience through advanced cybersecurity.
Man and woman in business attire reviewing documents at a table; light streams through a window.

Law Firms and Cybersecurity: Safeguarding Confidential Data

October 4, 2025
Learn how law firms can strengthen cybersecurity to protect sensitive client data, prevent breaches, and meet UK compliance standards with Cybergen’s expert guidance.
Black man in a white coat in a pharmacy, looking down at shelves of medicines.

Protecting Pharma Research from Cyber Espionage

October 2, 2025
Protect pharmaceutical research from cyber espionage. Learn about current threats, risks, real-world breaches, and practical security steps. Expert advice from Cybergen Security.