The official transition deadline from ISO 27001:2013 to ISO 27001:2022 lands on 31 October 2025. Organisations whose current certification was issued against the 2013 version need to complete their transition audit before that date, or their certificate lapses.
Most of our clients are now well into the transition work. A handful have completed it. Some are starting late and will be doing the work under pressure. The technical content of the transition is not particularly demanding; the volume of documentation and SoA updating is, and the surveillance-audit calendar imposes its own timing constraints.
Where the remediation work tends to land in practice: the Statement of Applicability update is the longest-running individual workstream. The Annex A controls have been reorganised (from 114 to 93, into four themed groupings rather than fourteen), and every control needs to be re-assessed for applicability with traceability to the previous SoA. This is not difficult work; it is just tedious work, and most clients underestimate the time it takes.
The eleven controls new in the 2022 edition warrant individual attention: A.5.7 Threat intelligence, A.5.23 Information security for use of cloud services, A.5.30 ICT readiness for business continuity, A.7.4 Physical security monitoring, A.8.9 Configuration management, A.8.10 Information deletion, A.8.11 Data masking, A.8.12 Data leakage prevention, A.8.16 Monitoring activities, A.8.23 Web filtering and A.8.28 Secure coding. Most organisations already have some practice corresponding to each of these, but not all of that practice is formally documented in a way that survives audit scrutiny.
Our recommendation for clients still in the transition window: prioritise the SoA update and the new-control documentation. Get those into a clean state. The other transition work can follow in the natural rhythm of the surveillance audit calendar.
Our recommendation for clients past the deadline: contact your certification body promptly; some bodies are accepting transition audits scheduled within a defined remediation window. The certificate is technically lapsed in the meantime, which may create supplier-relationship friction even if the practical security posture is unchanged.