ISO/IEC 27001:2022 Transition Deadline — What You Need to Know Before 31 October 2025

May 15, 2025

The cybersecurity landscape continues to evolve at pace—bringing with it new threats, technologies, and regulatory demands. In response, the international standard for Information Security Management Systems (ISMS), ISO/IEC 27001, has undergone a significant update.


If your organisation is currently certified under ISO/IEC 27001:2013, it’s critical to prepare for the transition to ISO/IEC 27001:2022—and soon. As of 31 October 2025, all ISO/IEC 27001:2013 certifications will become invalid.


In this blog, we’ll walk you through the key changes, transition deadlines, risks of non-compliance, and the steps your business needs to take to stay secure—and certified.

What Is ISO/IEC 27001, and What Changed in 2022?

ISO/IEC 27001 is the world’s leading standard for establishing, implementing, and maintaining an ISMS. It enables organisations to manage sensitive information securely, ensuring its confidentiality, integrity, and availability.


The 2022 revision modernises the standard to reflect today’s cybersecurity realities. Key updates include:


  1. Broader scope: Now explicitly addresses cybersecurity and privacy protection.
  2. Structural refinements: Clauses 4–10 have been clarified for improved planning and integration.
  3. Consolidated Annex A: Controls reduced from 114 to 93, now grouped into four domains:

     • A.5: Organisational
     • A.6: People
     • A.7: Physical
     • A.8: Technological

  4. New controls: 11 new controls introduced, covering areas like threat intelligence, secure coding, data masking, and cloud services.


These changes make the standard more practical, scalable, and relevant for modern businesses.

Why 31 October 2025 Is a Critical Date

The International Accreditation Forum (IAF) has mandated that all ISO/IEC 27001:2013 certifications must transition to the 2022 standard by 31 October 2025. After this:


  • 2013 certificates will no longer be valid.
  • Certification bodies will only issue ISO/IEC 27001:2022 certificates.
  • Organisations still using the 2013 framework will be considered non-compliant.


Delaying the transition not only risks certification loss, but could also impact client trust and legal compliance.

What Are The Risks of Missing the Transition Deadline?

Failing to act on the transition can pose serious risks:


  • Loss of Certification

Without an updated certificate, your organisation may face contract terminations, compliance issues, or exclusion from procurement opportunities.


  • Operational Disruption

Many clients and partners require valid ISO/IEC 27001 certification. A lapsed certificate could stall projects and collaborations.


  • Regulatory Consequences

ISO certification often supports compliance with laws like GDPR or HIPAA. Falling behind could expose you to legal or financial penalties.


  • Reputational Damage

An expired certificate may signal weak governance—undermining stakeholder confidence, especially in sectors like finance, healthcare, and government.

Key Transition Milestones

Milestone                                          Date
ISO/IEC 27001:2022 published                       25 October 2022
Transition period begins                           31 October 2022
New certifications must use the 2022 standard      1 May 2024
Recommended completion of transition audits        31 July 2025
Final expiry of 2013 certificates                  31 October 2025

Transition Checklist: Your Six-Step Plan

Phase 1: Understand the Changes

  • Review the 2022 standard thoroughly.
  • Identify internal stakeholders and key decision-makers.


Phase 2: Gap Analysis

  • Map existing controls to the new Annex A structure.
  • Identify additions, updates, or removals.


Phase 3: Update Documentation

  • Revise your Statement of Applicability (SoA).
  • Update risk assessments and policies.
  • Align with updated Clause 6.3 (change planning) and Clause 9.3 (management reviews).


Phase 4: Training and Awareness

  • Conduct training on new control requirements.
  • Run awareness sessions for affected teams.
  • Ensure control owners understand their revised roles.


Phase 5: Internal Audit

  • Audit against the 2022 standard.
  • Resolve nonconformities.
  • Perform a full management review.


Phase 6: Schedule the Transition Audit

  • Engage your certification body early.
  • Submit revised documentation.
  • Complete the audit well before the October 2025 deadline.

Spotlight on New Controls

Some of the most impactful new additions include:


  • 5.7 Threat Intelligence – Stay informed on emerging threats from reliable sources.
  • 5.23 Cloud Security – Manage cloud provider risks with contractual and technical controls.
  • 8.11 Data Masking – Protect sensitive data through masking techniques.
  • 8.28 Secure Coding – Integrate secure development practices to reduce software vulnerabilities.


These reflect real-world concerns that organisations face today and must be addressed in your ISMS.

Frequently Asked Questions

Q: Can We Wait Until 2025 to Start?

Technically yes—but it’s risky. Delaying increases the chances of:


  • Auditor backlogs
  • Resource constraints
  • Poor transition execution
  • Lost certification due to missed deadlines


Best practice: Start at least 12–18 months in advance.

Q: Do We Need a Full Recertification?

Not if you transition before your current certificate expires.


Instead of a full audit, you’ll undergo a transition audit, which reviews changes made to meet 2022 requirements. However, if your 2013 certificate lapses, you’ll need to go through full recertification—a more demanding and expensive process.

Q: How Long Will It Take?

It depends on your organisation’s size and ISMS maturity:


  • SMEs: 3–6 months
  • Large/multi-site organisations: 6–12 months
  • Complex/regulatory sectors: Up to 18 months


The key time-drivers include updating documentation, training, and audit preparation. Starting early ensures fewer disruptions and better outcomes.

Why Compliance Is Worth the Effort

Beyond avoiding risk, transitioning to ISO/IEC 27001:2022 offers tangible benefits:


  • Modernised security posture: Addresses current threats like cloud, AI, and data privacy.
  • Simplified control framework: Easier to implement, manage, and scale.
  • Stronger business credibility: Enhances client trust and competitiveness.
  • Regulatory assurance: Demonstrates alignment with global standards and data protection laws.

Don’t Delay

The ISO/IEC 27001:2022 transition isn’t just a compliance task—it’s a chance to enhance your security framework, modernise processes, and reinforce your organisation’s reputation.


With the 31 October 2025 deadline fast approaching, the time to act is now.


  • Begin planning
  • Assign responsibilities
  • Schedule your transition audit early


If you get ahead of the deadline, you can complete the upgrade to the new standard without disruption.

At Cybergen Security, we help organisations of all sizes transition smoothly to ISO/IEC 27001:2022. If you're unsure where to begin, we offer:


  • Expert consultancy and audit prep
  • Support with automation platforms such as Vanta
  • In-house or online ISO 27001:2022 training


Get in touch today to safeguard your certification and ensure a compliant, future-ready ISMS.

Safeguard your ISO 27001 certification and stay compliant.
