If your organization is certified under ISO/IEC 27001:2013, it’s time to prepare for an important transition. The International Accreditation Forum (IAF) has officially announced that ISO/IEC 27001:2013 will be withdrawn on October 31, 2025, and replaced by the updated ISO/IEC 27001:2022 standard.
What Is ISO/IEC 27001?
ISO/IEC 27001 is the international standard for Information Security Management Systems (ISMS). It provides a systematic approach to managing sensitive company information, ensuring its confidentiality, integrity, and availability.
The 2013 version has been the benchmark for more than a decade. But as technology, threats, and regulatory landscapes evolve, so must the standards we rely on to protect information.
What’s New in ISO/IEC 27001:2022?
The 2022 revision introduces several important changes:
- Updated Annex A controls: Aligned with ISO/IEC 27002:2022, reducing 114 controls to 93, grouped into four themes: Organizational, People, Physical, and Technological.
- New controls: Includes controls for threat intelligence, cloud services, data masking, secure coding, and more.
- Refined language and clarity: Making the standard easier to interpret and implement.
- Better alignment with modern cyber risk: Addressing new challenges such as remote work, cloud adoption, and sophisticated cyber threats.
Key Dates to Remember
- October 31, 2022: ISO/IEC 27001:2022 published.
- October 31, 2025: Deadline to complete the transition from ISO/IEC 27001:2013. After this date, certifications to the 2013 version will no longer be valid.
What You Should Do Now
If you’re currently certified to ISO/IEC 27001:2013, you should already be planning your transition. Here’s a quick roadmap:
- Gap Assessment: Compare your current ISMS against the new 2022 requirements.
- Update Documentation: Revise your policies, risk assessments, and Statement of Applicability.
- Staff Training: Educate your teams on the new controls and processes.
- Internal Audit: Conduct an audit against the new standard.
- Schedule Transition Audit: Book your audit with your certification body before the October 2025 deadline.
Pro tip: Don’t wait until the last minute. Certification bodies will be in high demand closer to the deadline.
Final Thoughts
The transition to ISO/IEC 27001:2022 isn’t just a compliance task—it’s an opportunity to strengthen your information security posture. Embracing the updated standard ensures you’re aligned with current best practices and better prepared for modern threats.
Need help transitioning? EvilEye Security offers expert guidance, gap analysis, and audit support to make your ISO 27001:2022 journey seamless. Contact us to learn more.