September 30, 2025

ISO 27001:2022 vs 2013 – The Final Countdown to Transition

ISO 27001 2022 vs 2013 explained: Discover the Annex A changes, 11 new controls, and what the October 2025 transition deadline means if you haven’t started.


The ISO 27001 transition deadline 2025 is almost here. On 31st October 2025, certification bodies will stop recognising ISO/IEC 27001:2013, and the only valid version will be ISO/IEC 27001:2022.

By now, most organisations should already be in the final stages of transition. If you’ve completed the move, you’re in a good place. If you’re still working through final steps like a management review or a corrective action or two, there’s still time to wrap up.

But if you haven’t started? It’s important to be realistic: a full transition takes time, and with weeks left, the priority is planning your path forward.

Rather than panic, let’s look at what’s different between ISO 27001:2022 vs 2013, why the update matters, and what you should do next.

ISO 27001 2022 vs 2013: What changed?

The update is less of a rewrite and more of a modernisation.

The previous version reflected a world where cloud services were emerging, remote working was rare, and ransomware wasn’t headline news. The new version reflects today’s reality: complex supplier relationships, technical vulnerabilities, and information security incidents that can take down entire information systems if not handled properly.

Here are the key changes:

  • Annex A restructured → The bulk of changes in ISO 27001:2022 relate to Annex A. The 114 controls from 2013 are reduced to 93 and reorganised into four themes: organisational controls, people controls, physical controls, and technological controls.
  • 11 new controls → Covering modern priorities such as physical security monitoring, information deletion, ICT readiness for business continuity, data leakage prevention, and secure coding.
  • Dynamic risk management → ISO 27001:2022 emphasises a proactive approach to managing information security risks, aligning with evolving threats and changing business models.
  • Statement of Applicability → Organisations must update their SoA to match the new structure of Annex A controls.
  • Context matters → The standard now emphasises considering your organisation’s specific context, including interested parties, special interest groups, and supplier agreements. Clause 4.2 explicitly requires an analysis of how the ISMS addresses interested party requirements.

Why the ISO 27001 update matters

The international standard has always been about maintaining trust, protecting assets, and supporting business continuity management. But the 2013 controls were showing their age.

The new version of the standard:

  • Reflects the reliance on cloud services and externally provided processes.
  • Recognises the rise of assets off premises in an era of hybrid work.
  • Stresses ICT readiness for business continuity so that when disruptions occur, organisations can continue operating in a planned manner.
  • Calls out the importance of supplier services, supplier relationships, and supplier agreements as part of modern risk.
  • Strengthens the link between information security objectives and the processes and criteria needed to achieve them.

In short, ISO/IEC 27001:2022 makes sure your information security management system isn’t just compliant—it’s relevant.

Key Annex A updates in detail

Since Annex A is where most of the change sits, it’s worth looking closer.

  • New controls: ISO 27001:2022 introduces 11 new controls across areas like physical security monitoring, data leakage prevention, and use of cloud services.
  • Themes: Controls are grouped under organisational, people, physical, and technological controls, making them easier to align with other ISO management standards.
  • Processes needed: Each control requires organisations to establish criteria, define necessary processes, and implement plans that support continual improvement.
  • Integration: The new structure is easier to map against other frameworks such as SOC 2, NIST, or other ISO management standards.

The takeaway? Organisations now need to think beyond static controls and focus on embedding security into daily operations—from clear desk policies to change management, from secure areas to communication technology resilience.

Where should you be right now?

With weeks left before the transition deadline, here’s the honest state of play:

  • Already transitioned → Your SoA, Annex A mapping, and documented information should now reflect the new requirements. You’re audit-ready.
  • In the final steps → Wrap up any outstanding corrective actions, confirm readiness through management review, and work with your certification body to complete the audit in a planned manner.
  • Haven’t started → A full transition won’t be possible before 31st October. Your ISO 27001:2013 certification will lapse, and you’ll need to treat this as a new ISO 27001:2022 certification process.

What if you miss the ISO 27001 transition deadline?

If your certificate lapses, here’s what that means:

  • Your certification is no longer valid. Auditors, customers, and the International Accreditation Forum (IAF) won’t recognise the 2013 standard.
  • New certification required. You’ll need to go through the full audit cycle for ISO 27001:2022.
  • Competitive impact. Without a valid certificate, you may lose your competitive advantage in tenders and with risk-conscious customers.

Practical next steps if you’re behind:

  1. Start a gap analysis → Map your existing ISMS to the new version, identify processes needed, and flag missing security controls.
  2. Engage your certification body → They can provide additional guidance on timing and requirements.
  3. Implement plans → Begin updating policies, roles relevant to security, and information systems controls.
  4. Communicate clearly → Reassure customers and interested parties by showing progress and timelines.

FAQs on ISO 27001 2022 vs 2013

When is the ISO 27001 transition deadline?
→ 31st October 2025. After this date, only ISO/IEC 27001:2022 is valid.

What are the key ISO 27001 2013 vs 2022 changes?
→ Annex A reorganised into four themes, 11 new controls, stronger links to context, and more focus on business continuity and supplier relationships.

Do we need to start certification from scratch?
→ If you miss the deadline, yes. You’ll need to pursue full ISO/IEC 27001:2022 certification.

What does Clause 4.2 require?
→ An analysis of how your ISMS addresses interested parties and their requirements, ensuring controls are relevant to information security.

How long does the transition take?
→ Typically 3–6 months, depending on the maturity of your management system and the number of corrective actions needed.

Final thoughts: The update is about relevance, not red tape

The move from ISO 27001:2013 to ISO 27001:2022 is more than a tick-box exercise. It’s about aligning your information security management system with the threats, technologies, and processes needed today—not a decade ago.

If you’re already compliant, you’ve proven resilience and strengthened trust. If you’re not, it’s time to start planning for your new certification and make sure your ISMS evolves with the world around it.

With Hicomply, the transition to any new requirements—whether it’s ISO updates or entirely new security standards—doesn’t have to be painful. Automated workflows, smarter policies, and always-on audit readiness mean you stay aligned, without the last-minute scramble.

Need help with your transition plan? Book a Hicomply demo or head to our ISO 27001 Hub for tools and resources to get started.
